anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

False positive: redis vuln associated to somewhat unrelated python dependency #491

Closed Karreg closed 1 year ago

Karreg commented 3 years ago

Hello,

I have found this vulnerability in my python dependencies with a fs scan (see the issue description below).

The found issue is for the redis package, but the scanned artifact is the redis python dependency, which is not redis itself but the python library used to communicate with redis.

Vulnerability report:

{
  "matches": [
    {
      "vulnerability": {
        "id": "CVE-2021-32626",
        "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-32626",
        "namespace": "nvd",
        "severity": "High",
        "urls": [
          "https://github.com/redis/redis/commit/666ed7facf4524bf6d19b11b20faa2cf93fdf591",
          "https://github.com/redis/redis/security/advisories/GHSA-p486-xggp-782c",
          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/",
          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/",
          "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E",
          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/"
        ],
        "description": "Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result with heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.",
        "cvss": [
          {
            "version": "2.0",
            "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "metrics": {
              "baseScore": 6.5,
              "exploitabilityScore": 8,
              "impactScore": 6.4
            },
            "vendorMetadata": {}
          },
          {
            "version": "3.1",
            "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "metrics": {
              "baseScore": 8.8,
              "exploitabilityScore": 2.8,
              "impactScore": 5.9
            },
            "vendorMetadata": {}
          }
        ],
        "fix": {
          "versions": [],
          "state": "unknown"
        },
        "advisories": []
      },
      "relatedVulnerabilities": [],
      "matchDetails": [
        {
          "matcher": "python-matcher",
          "searchedBy": {
            "namespace": "nvd",
            "cpes": ["cpe:2.3:a:redis:redis:3.5.3:*:*:*:*:*:*:*"]
          },
          "found": {
            "versionConstraint": ">= 2.6, < 5.0.14 || >= 6.0.0, < 6.0.16 || >= 6.2.0, < 6.2.6 (unknown)",
            "cpes": ["cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*"]
          }
        }
      ],
      "artifact": {
        "name": "redis",
        "version": "3.5.3",
        "type": "python",
        "locations": [
          {
            "path": "requirements.txt"
          }
        ],
        "language": "python",
        "licenses": [],
        "cpes": [
          "cpe:2.3:a:python-redis:python-redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:python-redis:python_redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:python_redis:python-redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:python_redis:python_redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:python:python-redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:python:python_redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:python-redis:redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:python_redis:redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:redis:python-redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:redis:python_redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:python:redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:redis:redis:3.5.3:*:*:*:*:*:*:*"
        ],
        "purl": "pkg:pypi/redis@3.5.3",
        "metadata": null
      }
    }
  ],
  "source": {
    "type": "directory",
    "target": "./"
  },
  "distro": {
    "name": "",
    "version": "",
    "idLike": ""
  },
  "descriptor": {
    "name": "grype",
    "version": "0.24.0",
    "configuration": {
      "configPath": "",
      "output": "json",
      "file": "",
      "output-template-file": "",
      "quiet": false,
      "check-for-app-update": true,
      "only-fixed": false,
      "scope": "Squashed",
      "log": {
        "structured": false,
        "level": "",
        "file": ""
      },
      "db": {
        "cache-dir": "/root/.cache/grype/db",
        "update-url": "https://toolbox-data.anchore.io/grype/databases/listing.json",
        "auto-update": true,
        "validate-by-hash-on-start": false
      },
      "dev": {
        "profile-cpu": false,
        "profile-mem": false
      },
      "fail-on-severity": "high",
      "registry": {
        "insecure-skip-tls-verify": false,
        "insecure-use-http": false,
        "auth": []
      },
      "ignore": null
    },
    "db": {
      "built": "2021-11-04T08:13:46Z",
      "schemaVersion": 3,
      "location": "/root/.cache/grype/db/3",
      "checksum": "sha256:c95cbce1b6ddbc7ae12da8dbb1437dd28e1fa0ab6ba0ff3875701afb9d1706f3",
      "error": null
    }
  }
}

By the way, grype is quickly becoming better, good job :)

luhring commented 3 years ago

> By the way, grype is quickly becoming better, good job :)

Thanks @Karreg! 😍

I think this is another case of how we generate CPEs with subselections of words in a name, where important context is accidentally truncated off.

This is an excerpt of the JSON you pasted above:

"cpes": [
  "cpe:2.3:a:python-redis:python-redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:python-redis:python_redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:python_redis:python-redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:python_redis:python_redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:python:python-redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:python:python_redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:python-redis:redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:python_redis:redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:redis:python-redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:redis:python_redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:python:redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:redis:redis:3.5.3:*:*:*:*:*:*:*"
],

So sometimes we include the full "python redis", but in other cases, we've shortened the values to just "redis". I believe this is similar in cause to https://github.com/anchore/grype/issues/450.
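A triage helper for the pattern described above, written as an added example and not part of grype: it walks grype JSON output and flags language-ecosystem packages that were matched through a CPE whose vendor and product are both the bare package name with the ecosystem token dropped (pypi `redis` matched as `redis:redis`). The report dict in the block is constructed from the fields shown in this thread; the `requests` entry and its `CVE-EXAMPLE-0001` id are made-up controls.

```python
"""Triage helper for grype JSON output: flag matches made through a CPE that
dropped the ecosystem qualifier, the pattern in this issue (pypi "redis"
matched as the redis:redis server CPE). Added example, not grype's code; the
report excerpt below is constructed from the fields shown in the thread."""
import json
import sys


def parse_cpe(cpe: str) -> tuple[str, str]:
    """Return (vendor, product) from a cpe:2.3 formatted string."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a cpe:2.3 string: {cpe}")
    return parts[3], parts[4]


def suspect_matches(report: dict) -> list[tuple[str, str, str]]:
    """Return (package, vuln id, searched cpe) for matches a reviewer should
    check: a language-ecosystem package (has purl and language) matched via a
    CPE whose vendor and product are both the bare package name, with no
    trace of the language token grype adds to its other candidates
    (python-redis, python:redis, ...)."""
    flagged = []
    for match in report.get("matches", []):
        art = match["artifact"]
        lang, name = art.get("language"), art["name"]
        if not lang or not art.get("purl"):
            continue  # OS packages come from distro feeds, not CPE guesses
        for detail in match.get("matchDetails", []):
            for cpe in detail.get("searchedBy", {}).get("cpes", []):
                vendor, product = parse_cpe(cpe)
                if vendor == product == name and lang not in cpe:
                    flagged.append((name, match["vulnerability"]["id"], cpe))
    return flagged


def _match(name, version, vuln, cpe):
    """Build a minimal grype-shaped match entry (constructed sample data)."""
    return {"vulnerability": {"id": vuln},
            "matchDetails": [{"matcher": "python-matcher",
                              "searchedBy": {"namespace": "nvd", "cpes": [cpe]}}],
            "artifact": {"name": name, "version": version, "type": "python",
                         "language": "python", "purl": f"pkg:pypi/{name}@{version}"}}

# Constructed report: the redis match from this issue plus a control match
# whose searched CPE keeps the ecosystem token and must not be flagged.
SAMPLE_REPORT = {"matches": [
    _match("redis", "3.5.3", "CVE-2021-32626", "cpe:2.3:a:redis:redis:3.5.3:*:*:*:*:*:*:*"),
    _match("requests", "2.25.0", "CVE-EXAMPLE-0001", "cpe:2.3:a:python-requests:requests:2.25.0:*:*:*:*:*:*:*"),
]}

if __name__ == "__main__":
    # Pass a real `grype -o json` report path, or run without args for the sample.
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    for pkg, vuln, cpe in suspect_matches(report):
        print(f"review: {pkg} {vuln} matched via unqualified CPE {cpe}")
```

The flagged rows are candidates for review, not confirmed false positives; the heuristic only isolates the "bare name as vendor and product" shape that this issue is about.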

Karreg commented 2 years ago

Hello there,

Is there any update on this issue? I'm still having these false positives, still for the redis python library:

NAME   INSTALLED  FIXED-IN  TYPE    VULNERABILITY   SEVERITY 
redis  3.5.3                python  CVE-2022-24735  High      
redis  3.5.3                python  CVE-2022-24736  Medium    
redis  3.5.3                python  CVE-2021-32672  Medium    
redis  3.5.3                python  CVE-2022-0543   Critical  

Thanks!

spiffcs commented 2 years ago

We have a linked issue for this here and are tracking different internal ways we can start providing corrections for these FPs. Grype recently added a new table into the db called vulnerability_match_exclusions which should be a good starting point to correct these moving forward. https://github.com/anchore/grype/issues/800