OfriOuzan
commented
2 years ago We encountered the same issue on the following environment
What happened:
In a Vulnerability Scanner Benchmark Research we are conducting, we executed Grype on 20 different containers and found out that Grype has multiple False Positives.
What you expected to happen:
We expected Grype not to report on these CVEs.
How to reproduce it (as minimally and precisely as possible):
Install the Docker Images (from the links below) and execute Grype using the following command:
grype <container_name> —-output json > <output_file_path>
- Output of
grype version: Application: grype Version: 0.41.0 Syft Version: v0.50.0 BuildDate: 2022-07-06T15:20:18Z GitCommit: 0e0a9d9e7a28592db489499db0294608e5fe69b8 GitDescription: v0.41.0 Platform: linux/amd64 GoVersion: go1.18.3 Compiler: gc Supported DB Schema: 4
Ghost
-
Container Details: https://hub.docker.com/layers/library/ghost/5.2.4/images/sha256-42137b9bd1faf4cdea5933279c48a912d010ef614551aeb0e44308600aa3e69f?context=explore
-
OS (e.g:
cat /etc/os-release): PRETTY_NAME="Debian GNU/Linux 11 (bullseye)" NAME="Debian GNU/Linux" VERSION_ID="11" VERSION="11 (bullseye)" VERSION_CODENAME=bullseye ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/" -
CVEs CVE-2017-18589 Grype wrongly identified CVE-2017-18589 as vulnerable. The path it identified is: /var/lib/ghost/versions/5.2.4/node_modules/cookie/package.json The cookie package version is 0.4.2 However, according to the debian website, the vulnerability is related to rust-cookie and it does not have a version in bullseye.
Kibana
-
Container Details: https://hub.docker.com/layers/kibana/library/kibana/8.3.2/images/sha256-51635619b14a0f3a764f39c4c51d527304d8c33fbda05d72652b18255639122b?context=explore
-
OS (e.g:
cat /etc/os-release): NAME="Ubuntu" VERSION="20.04.4 LTS (Focal Fossa)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 20.04.4 LTS" VERSION_ID="20.04" HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" VERSION_CODENAME=focal UBUNTU_CODENAME=focal -
CVEs CVE-2017-18589 Grype wrongly identified CVE-2017-18589 as vulnerable. The path it identified is: /var/lib/ghost/versions/5.2.4/node_modules/cookie/package.json The cookie package version is 0.4.2 However, according to the debian website, the vulnerability is related to rust-cookie and it does not have a version in bullseye.
willmurphyscode
What happened: This issue I've previously reported more than a year ago on https://github.com/anchore/anchore-engine/issues/606 when it wasn't using grype, but now I can reproduce it using grype as well.
I've been scanning images with grype and there have been some false positives for the npm packages.
What you expected to happen: Non-npm related CVEs to be ignored for npm packages.
How to reproduce it (as minimally and precisely as possible): I've built 2 images specially to reproduce this issue: https://hub.docker.com/repository/docker/stefancenusa/normal-pancake
The base tag is only a republish of node:12.18.3-slim. The 1.0.1 tags starts from the base tag and adds a few npm packages I've notice to trigger FPs.
All the vulnerabilities in the "base" image are ok since the image is old.
Now, the
1.0.1tag after I've only installed a few npm modules:Here, there are multiple FPs:
mongodbandredisvulnerabilities are actually for the servers (see CVEs description), not the npm packages - which are clients for those two databases.cookiepackage is actually a CVE for a rust crate, not a npm package - https://nvd.nist.gov/vuln/detail/CVE-2017-18589Unfortunately, these FPs are a real pain when scanning all running images from multiple kubernetes clusters. You end up with hundreds of High or Critical vulnerabilities triggered by these client libs of redis/mongodb. Also, the cookie module is widely used across nodejs web apps.
Anything else we need to know?:
Environment: