anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0
8.82k stars, 573 forks

Incorrect cve fixed-in version coming in grype output #2253

Open nehas4 opened 3 days ago

nehas4 commented 3 days ago

What happened: After scanning an image with a nodejs component (18 series) at version 1:18.20.4-1.module+el9.4.0+22195+c221878e, grype reports CVE-2024-27983 with a fixed-in version from the 20 series, 1:20.12.2-2.module+el9.4.0+21731+46b5b8a7, as shown below:

| NAME | INSTALLED | FIXED-IN | TYPE | VULNERABILITY | SEVERITY |
|---|---|---|---|---|---|
| nodejs | 1:18.20.4-1.module+el9.4.0+22195+c221878e | 1:20.12.2-2.module+el9.4.0+21731+46b5b8a7 | rpm | CVE-2024-27983 | High |

What you expected to happen: As per the documentation (https://access.redhat.com/security/cve/CVE-2024-27983), CVE-2024-27983 is present in the nodejs 18 series and fixed in version 18.20.2 itself. In the grype DB we can see the details below for this CVE, and we suspect that the above output is coming because of the version constraint column data in the DB.

| PK | ID | PACKAGE_NAME | NAMESPACE | PACKAGE_QUALIFIERS | VERSION_CONSTRAINT | VERSION_FORMAT | CPES | RELATED_VULNERABILITIES | FIXED_IN_VERSIONS | FIX_STATE | ADVISORIES |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 871808 | CVE-2024-27983 | nodejs | redhat:distro:redhat:8 | [{"kind":"rpm-modularity","module":"nodejs:20"}] | < 1:20.12.2-2.module+el8.9.0+21743+0b3f1be2 | rpm | | [{"id":"CVE-2024-27983","namespace":"nvd:cpe"}] | ["1:20.12.2-2.module+el8.9.0+21743+0b3f1be2"] | fixed | [{"id":"RHSA-2024:2778","link":"https://access.redhat.com/errata/RHSA-2024:2778"}] |
| 871809 | CVE-2024-27983 | nodejs | redhat:distro:redhat:8 | [{"kind":"rpm-modularity","module":"nodejs:18"}] | < 1:18.20.2-1.module+el8.9.0+21767+537f34ee | rpm | | [{"id":"CVE-2024-27983","namespace":"nvd:cpe"}] | ["1:18.20.2-1.module+el8.9.0+21767+537f34ee"] | fixed | [{"id":"RHSA-2024:2780","link":"https://access.redhat.com/errata/RHSA-2024:2780"}] |
| 879028 | CVE-2024-27983 | nodejs | redhat:distro:redhat:9 | [{"kind":"rpm-modularity","module":"nodejs:18"}] | < 1:18.20.2-2.module+el9.4.0+21742+692df1ea | rpm | | [{"id":"CVE-2024-27983","namespace":"nvd:cpe"}] | ["1:18.20.2-2.module+el9.4.0+21742+692df1ea"] | fixed | [{"id":"RHSA-2024:2779","link":"https://access.redhat.com/errata/RHSA-2024:2779"}] |
| 879029 | CVE-2024-27983 | nodejs | redhat:distro:redhat:9 | [{"kind":"rpm-modularity","module":"nodejs:20"}] | < 1:20.12.2-2.module+el9.4.0+21731+46b5b8a7 | rpm | | [{"id":"CVE-2024-27983","namespace":"nvd:cpe"}] | ["1:20.12.2-2.module+el9.4.0+21731+46b5b8a7"] | fixed | [{"id":"RHSA-2024:2853","link":"https://access.redhat.com/errata/RHSA-2024:2853"}] |
| 879030 | CVE-2024-27983 | nodejs | redhat:distro:redhat:9 | [{"kind":"rpm-modularity"}] | < 1:16.20.2-8.el9_4 | rpm | | [{"id":"CVE-2024-27983","namespace":"nvd:cpe"}] | ["1:16.20.2-8.el9_4"] | fixed | [{"id":"RHSA-2024:2910","link":"https://access.redhat.com/errata/RHSA-2024:2910"}] |

We want to know whether this grype output is correct with respect to the fixed-in version, and whether it is coming because of the feed data loaded into the grype DB from Red Hat.

How to reproduce it (as minimally and precisely as possible): scan a CycloneDX syft SBOM of the nodejs image below (with the nodejs component at version 18.20.4) with grype:

Issue coming for this image:

```
syft registry.access.redhat.com/ubi9/nodejs-18-minimal:1-129.1726695172 -o cyclonedx-json=syft_cyclonedx.json
grype sbom:syft_cyclonedx.json -o table=grype_output.txt
```

Correct data coming for the image below:

```
syft registry.access.redhat.com/ubi9/nodejs-18-minimal:1-113.1714664725 -o cyclonedx-json=syft_cyclonedx.json
grype sbom:syft_cyclonedx.json -o table=grype_output.txt
```

Environment:

westonsteimel commented 3 days ago

For anyone looking further at this, my guess is that the package modularity is not handled by syft with the CycloneDX format, and therefore grype can't choose the correct constraint based on package modularity, so it has to choose the highest version constraint.
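A simplified model of the behaviour guessed at above, added here as an illustration; it is not grype's matcher code and is not part of this issue. The three `redhat:distro:redhat:9` DB rows from the issue are encoded as data, a cut-down `rpmvercmp` compares epoch/version/release, and the qualifier rule assumed for the model is that a package whose modularity is unknown satisfies every `rpm-modularity` qualifier. With the modularity label dropped, the installed 18.20.4 build satisfies the nodejs:20 stream's `< 1:20.12.2-2...` constraint and is reported with that stream's fixed-in version; with a label beginning `nodejs:18` (the label value below is constructed), only the 18-stream row is consulted and nothing matches. The names `find_matches`, `qualifier_satisfied`, `DbRow` and `DB_ROWS` are this example's own.

```python
"""Model of how a missing RPM modularity label changes which vulnerability
record (and so which fixed-in version) a scanner selects.

Constructed for this issue; NOT grype's code. DB rows are copied from the
issue's grype DB excerpt; the qualifier rule is an assumption of this model.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: compare alnum segments; no tilde/caret handling."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:  # numeric segments sort after alphabetic ones
            return 1 if xd else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_evr(evr: str) -> Tuple[str, str, str]:
    """'1:18.20.4-1.module+el9...' -> ('1', '18.20.4', '1.module+el9...')."""
    epoch, version = evr.split(":", 1) if ":" in evr else ("0", evr)
    version, release = version.split("-", 1) if "-" in version else (version, "")
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Compare two RPM EVR strings; negative means a is older than b."""
    for x, y in zip(split_evr(a), split_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
        ">": lambda c: c > 0, ">=": lambda c: c >= 0}


def satisfies(installed: str, constraint: str) -> bool:
    """True when the installed EVR falls inside a constraint like '< 1:20.12.2-2...'."""
    op, _, version = constraint.strip().partition(" ")
    return _OPS[op](compare_evr(installed, version.strip()))


@dataclass(frozen=True)
class DbRow:
    vuln_id: str
    package: str
    namespace: str
    module: Optional[str]  # rpm-modularity qualifier; None = non-modular row
    constraint: str
    fixed_in: str


# el9 rows copied from the grype DB excerpt in this issue.
DB_ROWS = [
    DbRow("CVE-2024-27983", "nodejs", "redhat:distro:redhat:9", "nodejs:18",
          "< 1:18.20.2-2.module+el9.4.0+21742+692df1ea",
          "1:18.20.2-2.module+el9.4.0+21742+692df1ea"),
    DbRow("CVE-2024-27983", "nodejs", "redhat:distro:redhat:9", "nodejs:20",
          "< 1:20.12.2-2.module+el9.4.0+21731+46b5b8a7",
          "1:20.12.2-2.module+el9.4.0+21731+46b5b8a7"),
    DbRow("CVE-2024-27983", "nodejs", "redhat:distro:redhat:9", None,
          "< 1:16.20.2-8.el9_4", "1:16.20.2-8.el9_4"),
]


def qualifier_satisfied(row_module: Optional[str], pkg_modularity: Optional[str]) -> bool:
    """ASSUMED rule: None (modularity unknown, e.g. dropped by the SBOM format)
    satisfies every qualifier; '' (known non-modular) only matches rows without
    a module; otherwise the label must start with the row's module stream."""
    if pkg_modularity is None:
        return True
    if pkg_modularity == "":
        return row_module is None
    return row_module is not None and pkg_modularity.startswith(row_module)


def find_matches(package: str, namespace: str, installed: str,
                 modularity: Optional[str], rows=DB_ROWS) -> List[Tuple[str, str]]:
    """Return (vuln_id, fixed_in) for every DB row the package satisfies."""
    return [(r.vuln_id, r.fixed_in) for r in rows
            if r.package == package and r.namespace == namespace
            and qualifier_satisfied(r.module, modularity)
            and satisfies(installed, r.constraint)]


if __name__ == "__main__":
    installed = "1:18.20.4-1.module+el9.4.0+22195+c221878e"  # from the issue
    ns = "redhat:distro:redhat:9"
    print("modularity unknown:", find_matches("nodejs", ns, installed, None))
    # constructed label; only its 'nodejs:18' prefix matters to this model
    print("modularity nodejs:18:", find_matches("nodejs", ns, installed, "nodejs:18:example-stream"))
```

Running the block prints one match with the 20-stream fixed-in version for the unknown-modularity case and an empty list once the 18-stream label is present, which is the difference between the two scan outputs in this issue. A practical check on a CycloneDX SBOM is therefore whether any modularity information for the RPM survived the export at all; if it did not, a fixed-in version from a different stream is the expected outcome of this rule.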

nehas4 commented 2 days ago

We have observed that we get different grype scan output when it is run with a syft cyclonedx-json SBOM versus a syft-json SBOM. Below is one example:

grype scan output with cyclonedx-json sbom:

| NAME | INSTALLED | FIXED-IN | TYPE | VULNERABILITY | SEVERITY |
|---|---|---|---|---|---|
| nodejs | 1:20.16.0-1.module+el9.4.0+22197+9e60f127 | (won't fix) | rpm | CVE-2024-24806 | Medium |
| nodejs | 1:20.16.0-1.module+el9.4.0+22197+9e60f127 | (won't fix) | rpm | CVE-2023-46809 | Medium |
| nodejs | 1:20.16.0-1.module+el9.4.0+22197+9e60f127 | (won't fix) | rpm | CVE-2023-38552 | Medium |
| nodejs | 1:20.16.0-1.module+el9.4.0+22197+9e60f127 | (won't fix) | rpm | CVE-2022-25883 | Medium |
| nodejs | 1:20.16.0-1.module+el9.4.0+22197+9e60f127 | | rpm | CVE-2021-3807 | Medium |
| nodejs | 1:20.16.0-1.module+el9.4.0+22197+9e60f127 | | rpm | CVE-2021-27290 | Medium |
| nodejs | 1:20.16.0-1.module+el9.4.0+22197+9e60f127 | (won't fix) | rpm | CVE-2023-45143 | Low |
| nodejs | 1:20.16.0-1.module+el9.4.0+22197+9e60f127 | (won't fix) | rpm | CVE-2023-39333 | Low |
| nodejs-full-i18n | 1:20.16.0-1.module+el9.4.0+22197+9e60f127 | (won't fix) | rpm | CVE-2024-24806 | Medium |
| nodejs-full-i18n | 1:20.16.0-1.module+el9.4.0+22197+9e60f127 | (won't fix) | rpm | CVE-2023-46809 | Medium |
| nodejs-full-i18n | 1:20.16.0-1.module+el9.4.0+22197+9e60f127 | (won't fix) | rpm | CVE-2023-38552 | Medium |
| nodejs-full-i18n | 1:20.16.0-1.module+el9.4.0+22197+9e60f127 | (won't fix) | rpm | CVE-2022-25883 | Medium |
| nodejs-full-i18n | 1:20.16.0-1.module+el9.4.0+22197+9e60f127 | | rpm | CVE-2021-3807 | Medium |
| nodejs-full-i18n | 1:20.16.0-1.module+el9.4.0+22197+9e60f127 | | rpm | CVE-2021-27290 | Medium |
| nodejs-full-i18n | 1:20.16.0-1.module+el9.4.0+22197+9e60f127 | (won't fix) | rpm | CVE-2023-45143 | Low |
| nodejs-full-i18n | 1:20.16.0-1.module+el9.4.0+22197+9e60f127 | (won't fix) | rpm | CVE-2023-39333 | Low |
| nodejs-nodemon | 3.0.1-1.module+el9.3.0.z+20478+84a9f781 | (won't fix) | rpm | CVE-2022-25883 | Medium |
| npm | 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 | (won't fix) | rpm | CVE-2024-24806 | Medium |
| npm | 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 | (won't fix) | rpm | CVE-2023-46809 | Medium |
| npm | 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 | (won't fix) | rpm | CVE-2023-38552 | Medium |
| npm | 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 | (won't fix) | rpm | CVE-2022-25883 | Medium |
| npm | 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 | | rpm | CVE-2021-3807 | Medium |
| npm | 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 | | rpm | CVE-2021-27290 | Medium |
| npm | 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 | (won't fix) | rpm | CVE-2023-45143 | Low |
| npm | 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 | (won't fix) | rpm | CVE-2023-39333 | Low |

grype scan output with syft-json sbom:

| NAME | INSTALLED | FIXED-IN | TYPE | VULNERABILITY | SEVERITY |
|---|---|---|---|---|---|
| nodejs | 1:20.16.0-1.module+el9.4.0+22197+9e60f127 | | rpm | CVE-2023-38552 | Medium |
| nodejs | 1:20.16.0-1.module+el9.4.0+22197+9e60f127 | | rpm | CVE-2023-45143 | Low |
| nodejs-full-i18n | 1:20.16.0-1.module+el9.4.0+22197+9e60f127 | | rpm | CVE-2023-38552 | Medium |
| nodejs-full-i18n | 1:20.16.0-1.module+el9.4.0+22197+9e60f127 | | rpm | CVE-2023-45143 | Low |
| npm | 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 | | rpm | CVE-2023-38552 | Medium |
| npm | 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 | | rpm | CVE-2023-45143 | Low |

With the syft-json SBOM as input, grype gives a shorter listing, as shown above. Is it because of the more detailed breakdown coming in syft-json?

cyclonedx cpes:

```
"cpe": "cpe:2.3:a:nodejs:nodejs:1\:20.16.0-1.module\+el9.4.0\+22197\+9e60f127:::::::*",
```

syft-json cpes:

```
"cpes": [
  { "cpe": "cpe:2.3:a:nodejs:nodejs:1\:20.16.0-1.module\+el9.4.0\+22197\+9e60f127:::::::", "source": "syft-generated" },
  { "cpe": "cpe:2.3:a:redhat:nodejs:1\:20.16.0-1.module\+el9.4.0\+22197\+9e60f127:::::::", "source": "syft-generated" }
],
```