Closed yudong closed 10 months ago
Hi @yudong, sorry for the long delay replying to your issue. I just tried reproducing this issue and I believe it has been fixed in recent versions of syft and grype. I will mark this issue as closed, but if I have made a mistake or if this is still a problem for you, please feel free to re-open it and we will take another look. Thank you!
@tgerla
I am actually seeing this today.
Application: grype
Version: 0.47.0
Syft Version: v0.54.0
BuildDate: 2022-08-17T20:00:45Z
GitCommit: 08b4ef493b36a65f6149c9092d083d5d57540cdc
GitDescription: v0.47.0
Platform: darwin/amd64
GoVersion: go1.18.5
Compiler: gc
Supported DB Schema: 4
NAME     INSTALLED  FIXED-IN                TYPE  VULNERABILITY  SEVERITY
openssl  3.0.0      1.1.1q, 3.0.5           gem   CVE-2022-2097  High
openssl  3.0.0      1.0.2                   gem   CVE-2021-4044  High
openssl  3.0.0      3.0.2, 1.0.2zd, 1.1.1n  gem   CVE-2022-0778  High
openssl  3.0.0      3.0.3                   gem   CVE-2022-1343  Medium
openssl  3.0.0      3.0.3                   gem   CVE-2022-1473  High
openssl  3.0.0      3.0.4, 1.1.1p, 1.0.2zf  gem   CVE-2022-2068  Critical
openssl  3.0.0      1.1.1m                  gem   CVE-2021-4160  Medium
openssl  3.0.0      3.0.3, 1.0.2ze, 1.1.1o  gem   CVE-2022-1292  Critical
openssl  3.0.0      3.0.3                   gem   CVE-2022-1434  Medium
Gemfile:
source 'https://rubygems.org' do
  gem 'cgi', '0.3.1'
  gem 'webrick', '1.7.0'
  gem 'cfn-nag', '0.8.10'
end
Gemfile.lock:
GEM
  remote: https://rubygems.org
  specs:
    aws-eventstream (1.2.0)
    aws-partitions (1.621.0)
    aws-sdk-core (3.134.0)
      aws-eventstream (~> 1, >= 1.0.2)
      aws-partitions (~> 1, >= 1.525.0)
      aws-sigv4 (~> 1.1)
      jmespath (~> 1, >= 1.6.1)
    aws-sdk-kms (1.58.0)
      aws-sdk-core (~> 3, >= 3.127.0)
      aws-sigv4 (~> 1.1)
    aws-sdk-s3 (1.114.0)
      aws-sdk-core (~> 3, >= 3.127.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.4)
    aws-sigv4 (1.5.1)
      aws-eventstream (~> 1, >= 1.0.2)
    cfn-model (0.6.6)
      kwalify (= 0.7.2)
      psych (~> 3)
    cfn-nag (0.8.10)
      aws-sdk-s3 (~> 1.76)
      cfn-model (= 0.6.6)
      lightly (~> 0.3.2)
      logging (~> 2.2.2)
      netaddr (~> 2.0.4)
      optimist (~> 3.0.0)
      rexml
    cgi (0.3.1)
    jmespath (1.6.1)
    kwalify (0.7.2)
    lightly (0.3.3)
    little-plugger (1.1.4)
    logging (2.2.2)
      little-plugger (~> 1.1)
      multi_json (~> 1.10)
    multi_json (1.15.0)
    netaddr (2.0.6)
    optimist (3.0.1)
    psych (3.3.2)
    rexml (3.2.5)
    webrick (1.7.0)

PLATFORMS
  x86_64-linux-musl

DEPENDENCIES
  cfn-nag (= 0.8.10)!
  cgi (= 0.3.1)!
  webrick (= 1.7.0)!

BUNDLED WITH
   2.3.14
Thank you, we will take a look!
I'm seeing this issue with the latest versions of Syft and Grype. I've listed some of the packages and the incorrect non-Ruby CVEs are below (see https://github.com/fluent/fluentd-aggregator-docker-image/pull/1/checks?check_run_id=9205092396 for more details).
We also experience this issue and it prevents us from integrating grype into our pipelines.
Hi @yudong, thanks for reporting this. I'm investigating it.
The only vulnerability from the original post that is still present in ruby:3.1.0-bullseye is:
CVE-2021-4044 from https://nvd.nist.gov/vuln/detail/CVE-2021-4044
matched artifact is: openssl - pkg:gem/openssl@3.0.0
match type is cpe-match
CPEs:
cpe:2.3:a:kazuki-yamaguchi:openssl:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:kazuki_yamaguchi:openssl:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:shibata-hiroshi:openssl:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:shibata_hiroshi:openssl:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:martin-bosslet:openssl:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:martin_bosslet:openssl:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:zachary-scott:openssl:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:zachary_scott:openssl:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ruby-lang:openssl:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ruby_lang:openssl:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ruby:openssl:3.0.0:*:*:*:*:*:*:*
URLs:
https://nvd.nist.gov/vuln/detail/CVE-2021-4044 has cpe:2.3:a:openssl:openssl:3.0.0:*:*:*:*:*:*:* which matches cpe:2.3:a:openssl:openssl:3.0.0:*:*:*:*:*:*:*, but it seems like a coincidence that the ruby gem called openssl has the same name and version as the vulnerable package, which according to https://github.com/advisories/GHSA-mmjf-f5jw-w72q is https://crates.io/crates/openssl-src.
I'm applying a label indicating that this is likely a false positive caused by CPE matching; we hope to investigate and close this class of false positives.
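Added example to illustrate the mechanism the comment above describes; this is not grype or syft code. grype built candidate CPEs for pkg:gem/openssl@3.0.0 from the gem's authors (hyphen and underscore spellings), the generic Ruby vendors, the gem name itself and "ruby", then matched NVD entries on vendor, product and version. The script rebuilds that candidate list (the twelve CPEs listed above, in the same order), re-runs the match against a constructed advisory set, and flags advisories that were reached only through the candidate whose vendor is the product name (openssl:openssl), since that candidate says nothing about who publishes the product. Assumptions: the author list is inferred from the CPE list above rather than fetched from the gemspec, the advisory records are constructed, and the YAML it prints follows the `ignore:` schema of `.grype.yaml` (vulnerability plus package name/version/type); the ignore output is a triage aid, not the fix for the matcher itself.

```ruby
# Added example for this thread; it is not grype or syft code. It models the
# matching mechanism described in the comment above. Assumptions: the author
# list is inferred from the CPE list in that comment, the advisory records are
# constructed, and the emitted YAML follows the `ignore:` schema of .grype.yaml.
require 'yaml'

GemRecord = Struct.new(:name, :version, :authors)
Advisory  = Struct.new(:id, :cpes) # constructed stand-in for an NVD record

CPE_FIELDS = %i[part vendor product version].freeze

# Parse the first four significant fields of a CPE 2.3 formatted string.
def parse_cpe(cpe)
  f = cpe.split(':')
  unless f[0] == 'cpe' && f[1] == '2.3' && f.size >= 6
    raise ArgumentError, "not a CPE 2.3 string: #{cpe}"
  end
  CPE_FIELDS.zip(f[2, 4]).to_h
end

# Vendor candidates paired with how each was derived, in the order the
# comment above lists them: authors (hyphen and underscore forms), the
# generic Ruby vendors, the gem's own name, then "ruby".
def vendor_candidates(gem)
  out = []
  gem.authors.each do |a|
    base = a.downcase
    out << [base.tr(' ', '-'), :author] << [base.tr(' ', '_'), :author]
  end
  out << ['ruby-lang', :ruby] << ['ruby_lang', :ruby]
  out << [gem.name, :product_name]
  out << ['ruby', :ruby]
  out
end

def candidate_cpes(gem)
  vendor_candidates(gem).map do |vendor, source|
    ["cpe:2.3:a:#{vendor}:#{gem.name}:#{gem.version}:*:*:*:*:*:*:*", source]
  end
end

# Exact match on part/vendor/product/version, as the comment describes.
# Each hit records which kind of vendor candidate produced it.
def cpe_matches(gem, advisories)
  candidates = candidate_cpes(gem).map { |cpe, src| [parse_cpe(cpe), src] }
  advisories.flat_map do |adv|
    adv.cpes.flat_map do |cpe|
      target = parse_cpe(cpe)
      candidates.select { |cand, _| cand == target }
                .map { |_, src| { advisory: adv.id, cpe: cpe, vendor_source: src } }
    end
  end
end

# An advisory matched *only* through the product-name vendor carries no
# evidence about who publishes the product: that is the collision class here.
def likely_collisions(gem, advisories)
  cpe_matches(gem, advisories)
    .group_by { |m| m[:advisory] }
    .select { |_, hits| hits.all? { |h| h[:vendor_source] == :product_name } }
    .keys
end

# Render the flagged advisories as .grype.yaml ignore rules for human review;
# an ignore list is triage output, not a substitute for fixing the matcher.
def ignore_rules_yaml(gem, advisory_ids)
  rules = advisory_ids.map do |id|
    { 'vulnerability' => id,
      'package' => { 'name' => gem.name, 'version' => gem.version, 'type' => 'gem' } }
  end
  { 'ignore' => rules }.to_yaml
end

if $PROGRAM_NAME == __FILE__
  # authors inferred from the CPE list in the comment above, not fetched
  openssl_gem = GemRecord.new('openssl', '3.0.0',
                              ['Kazuki Yamaguchi', 'SHIBATA Hiroshi', 'Martin Bosslet', 'Zachary Scott'])
  advisories = [
    # the hit reported in the comment above
    Advisory.new('CVE-2021-4044', ['cpe:2.3:a:openssl:openssl:3.0.0:*:*:*:*:*:*:*']),
    # constructed: a record naming a Ruby vendor, which would be kept
    Advisory.new('EXAMPLE-GEM-ADVISORY', ['cpe:2.3:a:ruby-lang:openssl:3.0.0:*:*:*:*:*:*:*'])
  ]
  puts candidate_cpes(openssl_gem).map(&:first)
  puts ignore_rules_yaml(openssl_gem, likely_collisions(openssl_gem, advisories))
end
```

Run it with `ruby cpe_collision.rb` and compare the first twelve printed lines with the CPE list above; the YAML that follows contains only CVE-2021-4044, because the constructed ruby-lang advisory was reached through a Ruby-specific vendor and so is kept as a real match.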
Hello, I believe the last false positive has been eliminated here, thanks to the recent change to CPE matching. (Please see https://anchore.com/blog/say-goodbye-to-false-positives/ for more details.) I'll close this but as usual, please re-open if you are still seeing problems! Thanks.
Is it possible that grype confuses the following Ruby gems with other nodejs or rpm packages that contain CVEs?
To reproduce the problem:
delegate  0.2.0  CVE-2005-0861   High
json      2.6.1  CVE-2020-7712   High
logger    1.5.0  CVE-2017-14727  High
matrix    0.4.2  CVE-2017-14198  High
observer  0.1.1  CVE-2008-4318   High
openssl   3.0.0  CVE-2021-4044   High
Reading the CVE details indicates the problems are in rpm or nodejs packages, but the JSON files seem to indicate they are Ruby gems. For example: json 2.6.1 CVE-2020-7712 High
I feel that Ruby gems with the same name and version got false positives here.
Can somebody confirm?