Open mar1ged opened 2 years ago
Thanks for filing this bug @mar1ged. I'll get a Windows box turned on and see what I can do to reproduce this. Do you have the test files pushed to any public repository so I can be sure we're working off the same inputs?
Hey @mar1ged out of an abundance of caution I deleted your last comment to make sure that IF there was anything within that uploaded content that was potentially harmful it would not be available on the issue history here. Apologies in advance if it was a totally harmless zip file.
If the test files are private and internal-only let me see if we can find a way to resolve and replicate this issue. If I am unsuccessful on my machine I will DM you and we can work from there.
Thanks again!
I'm fine with that.
I don't consider the provided as harmful because it only contains a library that by itself can't do anything. I didn't put a self-executing virus inside the archive ;-)
What happened:
I get this output:
What you expected to happen:
I would have expected that grype detects my known vulnerable files in the testfiles folder.
How to reproduce it (as minimally and precisely as possible):
I have the vulnerability db in the folder named vulndb. Below testfiles I stored two files which contain the log4j vulnerability.
Anything else we need to know?:
The same version of grype, on the same set of testfiles and locally provided offline vulndb, works on the same machine. I tested this on the WSL2 in order to have a Linux environment and here grype works as expected:
Environment:
grype version:
Application: grype
Version: 0.31.1
Syft Version: v0.35.1
BuildDate: 2022-01-11T16:17:38Z
GitCommit: 24ef03efc4f2a5530dc458ae15f438233e730c1d
GitTreeState: clean
Platform: windows/amd64
GoVersion: go1.16.12
Compiler: gc
Supported DB Schema: 3
cat /etc/os-release or similar): This fails on Windows 10 Enterprise 20H2 (Version 10.0.19042.1348) and a clean VM with Windows 10 Pro 21H2 (Version 10.0.19044.1466, which I installed to make sure this isn't an issue with my company machine)