anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

Grype confuses Ruby gems with other types of packages and reports false positives? #603

Closed yudong closed 10 months ago

yudong commented 2 years ago

Is it possible that grype confuses the following Ruby gems with other nodejs or rpm packages that contain CVEs?

To reproduce the problem:

NAME      INSTALLED  VULNERABILITY   SEVERITY
delegate  0.2.0      CVE-2005-0861   High
json      2.6.1      CVE-2020-7712   High
logger    1.5.0      CVE-2017-14727  High
matrix    0.4.2      CVE-2017-14198  High
observer  0.1.1      CVE-2008-4318   High
openssl   3.0.0      CVE-2021-4044   High

Reading the CVE details indicates the problems are in rpm or nodejs packages. But the JSON files seem to indicate they are Ruby gems. For example: json 2.6.1 CVE-2020-7712 High

I feel the Ruby gems with the same name and version got false positives here.

Can somebody confirm?

tgerla commented 2 years ago

Hi @yudong, sorry for the long delay replying to your issue. I just tried reproducing this issue and I believe it has been fixed in recent versions of syft and grype. I will mark this issue as closed, but if I have made a mistake or if this is still a problem for you, please feel free to re-open it and we will take another look. Thank you!

isuftin commented 2 years ago

@tgerla

I am actually seeing this today.

Application:          grype
Version:              0.47.0
Syft Version:         v0.54.0
BuildDate:            2022-08-17T20:00:45Z
GitCommit:            08b4ef493b36a65f6149c9092d083d5d57540cdc
GitDescription:       v0.47.0
Platform:             darwin/amd64
GoVersion:            go1.18.5
Compiler:             gc
Supported DB Schema:  4
NAME     INSTALLED  FIXED-IN                TYPE  VULNERABILITY   SEVERITY    
openssl  3.0.0      1.1.1q, 3.0.5           gem   CVE-2022-2097   High      
openssl  3.0.0      1.0.2                   gem   CVE-2021-4044   High      
openssl  3.0.0      3.0.2, 1.0.2zd, 1.1.1n  gem   CVE-2022-0778   High      
openssl  3.0.0      3.0.3                   gem   CVE-2022-1343   Medium    
openssl  3.0.0      3.0.3                   gem   CVE-2022-1473   High
openssl  3.0.0      3.0.4, 1.1.1p, 1.0.2zf  gem   CVE-2022-2068   Critical  
openssl  3.0.0      1.1.1m                  gem   CVE-2021-4160   Medium    
openssl  3.0.0      3.0.3, 1.0.2ze, 1.1.1o  gem   CVE-2022-1292   Critical  
openssl  3.0.0      3.0.3                   gem   CVE-2022-1434   Medium

Gemfile:

source 'https://rubygems.org' do
    gem 'cgi', '0.3.1'
    gem 'webrick', '1.7.0'
    gem 'cfn-nag', '0.8.10'
end

Gemfile.lock:

GEM
  remote: https://rubygems.org
  specs:
    aws-eventstream (1.2.0)
    aws-partitions (1.621.0)
    aws-sdk-core (3.134.0)
      aws-eventstream (~> 1, >= 1.0.2)
      aws-partitions (~> 1, >= 1.525.0)
      aws-sigv4 (~> 1.1)
      jmespath (~> 1, >= 1.6.1)
    aws-sdk-kms (1.58.0)
      aws-sdk-core (~> 3, >= 3.127.0)
      aws-sigv4 (~> 1.1)
    aws-sdk-s3 (1.114.0)
      aws-sdk-core (~> 3, >= 3.127.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.4)
    aws-sigv4 (1.5.1)
      aws-eventstream (~> 1, >= 1.0.2)
    cfn-model (0.6.6)
      kwalify (= 0.7.2)
      psych (~> 3)
    cfn-nag (0.8.10)
      aws-sdk-s3 (~> 1.76)
      cfn-model (= 0.6.6)
      lightly (~> 0.3.2)
      logging (~> 2.2.2)
      netaddr (~> 2.0.4)
      optimist (~> 3.0.0)
      rexml
    cgi (0.3.1)
    jmespath (1.6.1)
    kwalify (0.7.2)
    lightly (0.3.3)
    little-plugger (1.1.4)
    logging (2.2.2)
      little-plugger (~> 1.1)
      multi_json (~> 1.10)
    multi_json (1.15.0)
    netaddr (2.0.6)
    optimist (3.0.1)
    psych (3.3.2)
    rexml (3.2.5)
    webrick (1.7.0)

PLATFORMS
  x86_64-linux-musl
DEPENDENCIES
  cfn-nag (= 0.8.10)!
  cgi (= 0.3.1)!
  webrick (= 1.7.0)!

BUNDLED WITH
   2.3.14

tgerla commented 2 years ago

Thank you, we will take a look!

stevehipwell commented 1 year ago

I'm seeing this issue with the latest versions of Syft and Grype. I've listed some of the packages and the incorrect non-Ruby CVEs below (see https://github.com/fluent/fluentd-aggregator-docker-image/pull/1/checks?check_run_id=9205092396 for more details).

hwo411 commented 1 year ago

We also experience this issue and it prevents us from integrating grype into our pipelines.

willmurphyscode commented 1 year ago

Hi @yudong, thanks for reporting this. I'm investigating it.

The only vulnerability from the original post that is still present in ruby:3.1.0-bullseye is:

CVE-2021-4044 from https://nvd.nist.gov/vuln/detail/CVE-2021-4044
  matched artifact is: openssl - pkg:gem/openssl@3.0.0
  match type is cpe-match
  CPEs:
  URLs:

https://nvd.nist.gov/vuln/detail/CVE-2021-4044 has cpe:2.3:a:openssl:openssl:3.0.0:*:*:*:*:*:*:* which matches cpe:2.3:a:openssl:openssl:3.0.0:*:*:*:*:*:*:*, but it seems like a coincidence that the ruby gem called openssl has the same name and version as the vulnerable package, which according to https://github.com/advisories/GHSA-mmjf-f5jw-w72q is https://crates.io/crates/openssl-src.

I'm applying a label indicating that this is likely a false positive caused by CPE matching; we hope to investigate and close this class of false positives.
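
The mechanism above (a gem whose bare name and version happen to collide with a CPE for an unrelated product) is something you can triage mechanically from a grype JSON report while waiting for a matcher fix. The script below is an added example, not code from this thread or from the grype project: it reads a report, keeps only gem artifacts whose every match detail is `cpe-match` and whose searched CPE has vendor and product equal to the gem's own name, and renders those as pinned `ignore:` rules for `.grype.yaml`. The embedded report is constructed, and its field names (`matches[].matchDetails[].type`, `searchedBy.cpes`, `artifact.purl`, ...) follow grype's `-o json` schema as I understand it; the second match uses a placeholder vulnerability id. Check the shape against a report from your own grype version before relying on it.

```ruby
require 'json'
require 'yaml'

# Constructed sample shaped like a grype `-o json` report. Not real grype
# output: field names follow grype's JSON schema as I understand it and the
# second finding uses a made-up id, so verify against your own report.
SAMPLE_REPORT = <<~'JSON'
  {
    "matches": [
      {
        "vulnerability": {
          "id": "CVE-2021-4044",
          "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-4044",
          "severity": "High"
        },
        "matchDetails": [
          {
            "type": "cpe-match",
            "matcher": "ruby-gem-matcher",
            "searchedBy": { "cpes": ["cpe:2.3:a:openssl:openssl:3.0.0:*:*:*:*:*:*:*"] },
            "found": { "cpes": ["cpe:2.3:a:openssl:openssl:3.0.0:*:*:*:*:*:*:*"] }
          }
        ],
        "artifact": { "name": "openssl", "version": "3.0.0", "type": "gem",
                      "purl": "pkg:gem/openssl@3.0.0" }
      },
      {
        "vulnerability": {
          "id": "EXAMPLE-0001",
          "dataSource": "https://example.invalid/advisory",
          "severity": "Medium"
        },
        "matchDetails": [
          {
            "type": "exact-direct-match",
            "matcher": "ruby-gem-matcher",
            "searchedBy": { "language": "ruby", "namespace": "github:language:ruby" },
            "found": { "versionConstraint": "< 1.7.1 (unknown)" }
          }
        ],
        "artifact": { "name": "webrick", "version": "1.7.0", "type": "gem",
                      "purl": "pkg:gem/webrick@1.7.0" }
      }
    ]
  }
JSON

# Vendor and product fields of a CPE 2.3 string (positions 3 and 4).
def cpe_vendor_product(cpe)
  parts = cpe.split(':')
  [parts[3], parts[4]]
end

# True when every match detail came from CPE matching, i.e. no ecosystem
# advisory feed corroborates the finding.
def cpe_only?(match)
  details = match.fetch('matchDetails', [])
  !details.empty? && details.all? { |d| d['type'] == 'cpe-match' }
end

# Gem matches that rest only on a CPE whose vendor and product are both just
# the gem's name: the "openssl gem == openssl library" coincidence above.
def suspect_cpe_matches(report_json)
  report = JSON.parse(report_json)
  report.fetch('matches', []).filter_map do |m|
    art = m['artifact']
    next unless art['type'] == 'gem' && cpe_only?(m)
    cpes = m['matchDetails'].flat_map { |d| d.dig('searchedBy', 'cpes') || [] }
    coincidence = cpes.any? do |c|
      vendor, product = cpe_vendor_product(c)
      vendor == art['name'] && product == art['name']
    end
    next unless coincidence
    { id: m.dig('vulnerability', 'id'), purl: art['purl'], name: art['name'],
      version: art['version'], cpes: cpes }
  end
end

# Render suspects as grype ignore rules (the `ignore:` list in .grype.yaml),
# pinned to name, version and type so a later, genuinely affected gem
# version is not silenced along with the coincidence.
def ignore_rules_yaml(suspects)
  rules = suspects.map do |s|
    { 'vulnerability' => s[:id],
      'package' => { 'name' => s[:name], 'version' => s[:version], 'type' => 'gem' } }
  end
  { 'ignore' => rules }.to_yaml
end

if __FILE__ == $PROGRAM_NAME
  input = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT
  suspects = suspect_cpe_matches(input)
  suspects.each { |s| warn "CPE-only match on #{s[:purl]}: #{s[:id]} via #{s[:cpes].join(', ')}" }
  puts ignore_rules_yaml(suspects)
end
```

Run it as `ruby triage.rb report.json` against `grype <image> -o json > report.json`; it prints the suspects to stderr and an `ignore:` list to stdout. The rules are deliberately pinned to the exact version rather than to the CVE alone, and the list is a review queue, not an auto-suppress: a gem that really does vendor the named product would be flagged by exactly the same heuristic.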

tgerla commented 10 months ago

Hello, I believe the last false positive has been eliminated here, thanks to the recent change to CPE matching. (Please see https://anchore.com/blog/say-goodbye-to-false-positives/ for more details.) I'll close this but as usual, please re-open if you are still seeing problems! Thanks.
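
For anyone still on a grype version that performs CPE matching for gems, the relevant knob is the per-ecosystem `using-cpes` setting in grype's configuration. The fragment below is an added example, not from this thread; it uses the `match.ruby.using-cpes` key as documented in grype's configuration reference, so confirm the key exists in your version with `grype config`.

```yaml
# .grype.yaml (added example, not from this issue)
match:
  ruby:
    # With CPE matching on, a gem is also looked up by a CPE generated from its
    # bare name and version, which is how pkg:gem/openssl@3.0.0 matched
    # cpe:2.3:a:openssl:openssl:3.0.0 above. Turning it off leaves gem matching
    # to the ecosystem advisory data (GitHub advisories for Ruby).
    using-cpes: false
```

The trade-off is the one the thread implies: with CPE matching off, a gem vulnerability that is recorded only in NVD under a CPE and not in the Ruby advisory namespace will not be reported, so treat this as a choice between the two failure modes rather than a free fix.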