Closed karthickm512 closed 1 year ago
Hi @karthickm512, thanks for the issue!
I'm not very familiar with Akka. I see there are several variants of Akka published currently. I tried scanning this JAR, but I don't see Grype reporting any vulnerabilities — https://mvnrepository.com/artifact/com.typesafe.akka/akka-actor_2.13/2.5.29.
Do you have any more information about how to find and install the software package you're referring to?
Attached the Grype finding that could show more info to you: Grype-akka.txt
ping @luhring
Hi @karthickm512, thanks for the Grype output excerpt. I'd like to be able to reproduce this scan result. Do you have a container image I could use to do a Grype scan to see if I get the same result?
Hi, sorry, the software/image is confidential. However, this could be reproduced if you include the artifact https://mvnrepository.com/artifact/com.typesafe.akka/akka-actor_2.12/2.5.29
@luhring
Hi, any tentative timelines to fix this?
Hi @karthickm512, thanks for the ping and sorry for the delay responding. Unfortunately I have the same thing to report as luhring; I cannot reproduce the issue. Would it be possible for you to create a simplified image without the confidential information that exhibits the problem? I tried to replicate it with a simple Dockerfile and it did not report any vulnerabilities:
tgerla@Timothys-MacBook-Pro-2 grype-626 % cat Dockerfile
FROM alpine:latest
RUN apk add curl
RUN curl -O https://repo1.maven.org/maven2/com/typesafe/akka/akka-actor_2.12/2.5.29/akka-actor_2.12-2.5.29.jar
tgerla@Timothys-MacBook-Pro-2 grype-626 % syft tgerla/grype-626
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [20 packages]
NAME VERSION TYPE
akka-actor_2.12 2.5.29 java-archive
alpine-baselayout 3.2.0-r22 apk
alpine-baselayout-data 3.2.0-r22 apk
alpine-keys 2.4-r1 apk
apk-tools 2.12.9-r3 apk
brotli-libs 1.0.9-r6 apk
busybox 1.35.0-r17 apk
ca-certificates 20220614-r0 apk
ca-certificates-bundle 20220614-r0 apk
curl 7.83.1-r3 apk
libc-utils 0.7.2-r3 apk
libcrypto1.1 1.1.1q-r0 apk
libcurl 7.83.1-r3 apk
libssl1.1 1.1.1q-r0 apk
musl 1.2.3-r0 apk
musl-utils 1.2.3-r0 apk
nghttp2-libs 1.47.0-r0 apk
scanelf 1.3.4-r0 apk
ssl_client 1.35.0-r17 apk
zlib 1.2.12-r3 apk
tgerla@Timothys-MacBook-Pro-2 grype-626 % grype tgerla/grype-626
✔ Vulnerability DB [no update available]
New version of grype is available: 0.50.2 (currently running: 0.50.1)
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [20 packages]
✔ Scanned image [0 vulnerabilities]
No vulnerabilities found
tgerla@Timothys-MacBook-Pro-2 grype-626 %
Hi,
Created a dummy Dockerfile that packs a component named Akka configurator version 2. It has no relevance to the com.typesafe Akka on which the CVE is reported. Attached it for your testing: Akka-CVE.zip
When we scanned this dummy file, Grype flagged it with a CVE:
✔ 10:35 /tmp/grype $ grype repro-grype
✔ Vulnerability DB [no update available]
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [15 packages]
✔ Scanned image [1 vulnerabilities]
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
example 1.172.0 java-archive CVE-2017-1000034 High
@tgerla Hope this helps
Hi @karthickm512, thank you. This does help. I have chatted with the team and I believe we understand the issue here, it is a known shortcoming with our CPE generation as it relates to Java packages and the data sources that we draw from to find vulnerabilities. We are working on a fix for this but we don't have a timeline at the moment. We'll update this ticket when we are able. Please feel free to stop into the Anchore Slack if you want to discuss it in further detail or need more help.
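The comment above describes the failure mode: for Java archives, a match produced by a generated CPE can land on a vulnerability whose real product is unrelated to the artifact. The script below is an added example (not Grype's or Anchore's code) of the triage check a practitioner would run over a Grype JSON report: it pulls out java-archive matches whose only supporting evidence is a `cpe-match`, so they can be reviewed separately from matches corroborated by an exact package match, and it prints a `.grype.yaml` ignore stanza for the ones a reviewer rejects. The report field names (`matches[].vulnerability.id`, `matches[].matchDetails[].type`, `matches[].artifact.{name,version,type}`) follow the shape of `grype -o json` as I understand it and should be treated as an assumption; the sample report and the placeholder `CVE-0000-0000` are constructed for this example.

```python
"""Triage CPE-only Java matches in a Grype JSON report (added example).

Assumptions: the JSON layout mirrors `grype -o json` (matches[].vulnerability.id,
matches[].matchDetails[].type, matches[].artifact.{name,version,type}); the
ignore-rule format is the one accepted by a `.grype.yaml` config file.
"""
import json
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (vulnerability id, package name, package version)

# Constructed sample report, not output from the issue. It contains:
#  - the pattern from the thread: an unrelated jar flagged via CPE only,
#  - a jar whose match is corroborated by an exact package match (kept),
#  - a jar with a CPE match and an exact match side by side (kept),
#  - a non-Java package matched via CPE (out of scope for this check).
# CVE-0000-0000 is a placeholder identifier, not a real CVE.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {
            "vulnerability": {"id": "CVE-2017-1000034", "severity": "High"},
            "matchDetails": [{"type": "cpe-match", "matcher": "java-matcher"}],
            "artifact": {"name": "example", "version": "1.172.0", "type": "java-archive"},
        },
        {
            "vulnerability": {"id": "CVE-0000-0000", "severity": "Medium"},
            "matchDetails": [{"type": "exact-direct-match", "matcher": "java-matcher"}],
            "artifact": {"name": "demo-lib", "version": "1.0.0", "type": "java-archive"},
        },
        {
            "vulnerability": {"id": "CVE-0000-0000", "severity": "Medium"},
            "matchDetails": [
                {"type": "cpe-match", "matcher": "java-matcher"},
                {"type": "exact-direct-match", "matcher": "java-matcher"},
            ],
            "artifact": {"name": "demo-core", "version": "2.0.0", "type": "java-archive"},
        },
        {
            "vulnerability": {"id": "CVE-0000-0000", "severity": "Low"},
            "matchDetails": [{"type": "cpe-match", "matcher": "apk-matcher"}],
            "artifact": {"name": "busybox", "version": "1.35.0-r17", "type": "apk"},
        },
    ]
})


def parse_report(text: str) -> List[Dict]:
    """Return the list of match records from a Grype JSON report."""
    return json.loads(text).get("matches", [])


def cpe_only_java_matches(matches: List[Dict]) -> List[Finding]:
    """Java-archive matches whose only evidence is CPE matching.

    A match that also carries an exact (package-coordinate) match detail is
    left alone: that evidence does not share the CPE-generation weakness.
    """
    flagged: List[Finding] = []
    for m in matches:
        artifact = m.get("artifact", {})
        if artifact.get("type") != "java-archive":
            continue
        detail_types = {d.get("type") for d in m.get("matchDetails", [])}
        if detail_types == {"cpe-match"}:
            flagged.append((m["vulnerability"]["id"],
                            artifact.get("name", ""),
                            artifact.get("version", "")))
    return flagged


def ignore_rules_yaml(findings: List[Finding]) -> str:
    """Render `.grype.yaml` ignore rules scoped to the exact package and version.

    Scoping to name + version + type keeps the rule from silencing the same
    CVE on a genuinely affected artifact elsewhere in the image.
    """
    lines = ["ignore:"]
    for vuln, name, version in findings:
        lines += [
            f"  - vulnerability: {vuln}",
            "    package:",
            f"      name: {name}",
            f"      version: {version}",
            "      type: java-archive",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    suspects = cpe_only_java_matches(parse_report(SAMPLE_REPORT))
    for vuln, name, version in suspects:
        print(f"review: {vuln} on {name} {version} (CPE-only evidence)")
    print(ignore_rules_yaml(suspects))
```

Feed it a real report with `grype <image> -o json > report.json` and replace `SAMPLE_REPORT` with the file contents; only add the printed ignore stanza to `.grype.yaml` after confirming the artifact is not the product the advisory names, since an ignore rule suppresses the finding on every future scan of that package and version.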
I will go ahead and close this issue because it should be fixed by our recent switch to the GHSA database for some vulnerability matches. Please see https://anchore.com/blog/say-goodbye-to-false-positives/ for more details. If you have any more problems, feel free to re-open or open a new issue!
What happened: Grype reported a false positive, CVE-2017-1000034, while the software being scanned does not have the impacted version of Akka
What you expected to happen: Expected CVE-2017-1000034 not to be reported
How to reproduce it (as minimally and precisely as possible): Take a package that contains Akka 2.5.29 or so and scan with Grype
Anything else we need to know?: No
Environment:
grype version: 1.0.1
OS (cat /etc/os-release or similar): SLES 15 SP3