Closed OfriOuzan closed 10 months ago
Thanks for these reports @OfriOuzan! This is going to be extremely helpful for something we should have ready shortly to track grype matching quality against a labeled set of true-positive and false-positive matches across a variety of images. Specifically the labelling data correlates to specific image shas, so including those in your report is perfect for helping us extend that data set!
Hi, attaching a few more misidentified CVEs from the same research, which we believe were misidentified for different reasons:
What happened: In a Vulnerability Scanner Benchmark Research we are conducting, we executed Grype on 20 different containers and found out that Grype has multiple False Positives. In this comment we have tried to highlight misidentification stemming from reasons unrelated to CPE mismatches.
What you expected to happen: We expected Grype not to have these mismatches.
How to reproduce it (as minimally and precisely as possible):
Install the Docker Images (from the links below) and execute Grype using the following command:
grype <container_name> --output json > <output_file_path>
Output of grype version:
Application: grype
Version: 0.41.0
Syft Version: v0.50.0
BuildDate: 2022-07-06T15:20:18Z
GitCommit: 0e0a9d9e7a28592db489499db0294608e5fe69b8
GitDescription: v0.41.0
Platform: linux/amd64
GoVersion: go1.18.3
Compiler: gc
Supported DB Schema: 4
Examples include: 93 CVEs in the following container images: Drupal, NextCloud, WordPress.
Grype wrongly associated linux-libc-dev with CVEs affecting the Linux kernel. Some of the vulnerabilities identified are associated with a much older kernel version; the linux-libc-dev package does not contain the relevant code for the identified vulnerabilities. In fact, it only contains header files.
Even if it did, flagging kernel vulnerabilities from within containers doesn't really serve a purpose for the user since the kernel version relevant for kernel vulnerabilities should be the external kernel version (the one running on the host). Even in the rare case in which the linux-libc-dev or linux-libc version on the container matches the kernel version on the host, upgrading libc on the container will not solve the problem as the libc code that will be used as part of the normal container operation will be the libc version of the host.
CVE-2021-38561 Grype did not identify CVE-2021-38561 as vulnerable. According to https://pkg.go.dev/vuln/GO-2021-0113 the affected golang.org/x/text/language versions are 0.3.7 and earlier. The found dependency is: golang.org/x/text dependency version 0.3.6 in the consul elf file. dep golang.org/x/text v0.3.6
CVE-2020-8565 Grype did not identify CVE-2020-8565 as vulnerable. According to https://pkg.go.dev/vuln/GO-2021-0064 the affected k8s.io/client-go/transport versions are v0.20.0-alpha.2 and earlier. The found dependency is: k8s.io/client-go dependency version 0.18.2 in the consul elf file. dep k8s.io/client-go v0.18.2
CVE-2022-21698 Grype did not identify CVE-2022-21698 as vulnerable. According to https://pkg.go.dev/vuln/GO-2022-0322 the affected package is github.com/prometheus/client_golang/prometheus/promhttp and the affected versions are v1.11.1 and earlier. The identified dependency is: github.com/prometheus/client_golang in the consul file with the v1.4.0 version. dep github.com/prometheus/client_golang v1.4.0
CVE-2022-28948 Grype did not identify CVE-2022-28948 as vulnerable. According to NVD, affected versions are all Go-Yaml v3. According to https://pkg.go.dev/vuln/ the affected package is gopkg.in/yaml.v3; the affected versions range is from v3.0.0 before v3.0.1. The found dependency is: gopkg.in/yaml.v3 dependency version v3.0.0-20200313102051-9f266ea9e77c in the consul elf file. dep gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c. According to this website, the patch deployed on the 3.0.0 version means that every other version of 3.0.0 (for example v3.0.0-20200313102051-9f266ea9e77c) is affected by the vulnerability.
CVE-2021-20066 Grype wrongly identified CVE-2021-20066 as vulnerable. The path it identified is: /var/lib/ghost/versions/5.2.4/node_modules/jsdom/package.json The jsdom package version is 18.1.1. However, according to the Debian website, the vulnerability is disputed by the upstream.
CVE-2022-32210 Grype did not identify CVE-2022-32210 as vulnerable. The identified path is: /var/lib/ghost/versions/5.2.4/node_modules/undici/package.json The undici package version is 5.4.0. Affected versions: from (including) 4.8.2 up to (excluding) 5.5.1.
CVE-2017-16137 Grype did not identify CVE-2017-16137 as vulnerable. The identified path is: /var/lib/ghost/versions/5.2.4/node_modules/brute-knex/node_modules/debug/package.json The debug package version is 4.1.1. According to NVD, the vulnerability affected versions are from (including) 2.0.0 up to (excluding) 2.6.9 and from (including) 3.0.0 up to (excluding) 3.1.0. The debug versions I found on the container are: 0.1.17, 2.6.9, 3.1.0, 3.2.7, 4.1.1, 4.3.4. However, according to this link, the vulnerability that was fixed in f53962e was accidentally introduced in 7116906. So, the updated affected versions range is from (including) 2.0.0 up to (excluding) 2.6.9, from (including) 3.0.0 up to (excluding) 3.1.0, and from (including) 4.0.0 up to (excluding) 4.3.1.
CVE-2022-2191 Grype wrongly identified jetty CVE-2022-2191 as vulnerable. The actual version they both found is 9.4.46.v20220331, the affected versions are From (including) 10.0.0 Up to (including) 10.0.9 and from (including) 11.0.0 up to (including) 11.0.9. The version is not within the affected range. Also, according to this link, a contributor of jetty project mentioned that jetty versions 9.x are not affected by this vulnerability.
CVE-2012-5783 Grype did not identify commons-httpclient CVE-2012-5783 as vulnerable. The actual version found is 3.1: /var/jenkins_home/war/WEB-INF/lib/commons-httpclient-3.1-jenkins-3.jar Affected versions are up to 3.1-10.1. The version is within the affected range.
CVE-2022-32210 Grype did not identify CVE-2022-32210 as vulnerable. The path it identified is: /var/lib/ghost/versions/5.2.4/node_modules/undici/package.json The undici package version is 4.14.1 Affected versions: from (including) 4.8.2 up to (excluding) 5.5.1
CVE-2022-32212, CVE-2022-32213, CVE-2022-32214, CVE-2022-32223 Grype did not identify the following CVEs as vulnerable: CVE-2022-32212, CVE-2022-32213, CVE-2022-32214, CVE-2022-32223. I found this file /usr/share/kibana/node/bin/node and when executing the path with -v it prints the 16.14.2 version. Then we found in the Dockerfile the following command: COPY /usr/share/kibana /usr/share/kibana.
CVE-2020-3810 Grype did not identify CVE-2020-3810 as vulnerable. The affected package is apt and the version identified is: 2.0.9. According to NVD, the affected versions are: up to (excluding) 2.1.2. According to Ubuntu, the fixed version for the focal distribution is: 2.0.2ubuntu0.1. The actual version is 2.0.9. The fixed commit in apt lists the fixed versions and 2.0.9 is not one of them.
CVE-2022-24769 Grype did not identify the runc CVE-2022-24769 as vulnerable. The runc CVE-2022-24769 affected versions are: Up to (excluding) 1.1.2, fixed 1.6.6~ds1-1. https://githubrecord.com/issue/tianon/gosu/109/1137647723 Using strings on the gosu elf file, we found that the file has a dependency of runc version 1.0.1. It is strange that Grype which identified runc vulnerabilities did not identify these ones.
CVE-2022-24823 Grype did not identify netty CVE-2022-24823 as vulnerable. According to NVD, affected netty versions are up to (excluding) 4.1.77. Actual version: 4.1.68.Final. According to Ubuntu: Jammy - Needs triage.
CVE-2021-42377 Grype did not identify CVE-2021-42377 as vulnerable. The affected busybox versions range is: 1.33.0 and 1.33.1. According to NVD, the affected cpe is: cpe:2.3:a:busybox:busybox:1.33.1:::::::* The actual version is: 1.33.1-r7.
CVE-2022-21476 Grype did not identify CVE-2022-21476 as vulnerable. The ncurses-libs affected versions range for Alpine 3.14 is: Up to (excluding) 6.2_p20210612-r1. The actual version is: 6.2_p20210612-r0.
CVE-2022-28506 Grype did not identify CVE-2022-28506 as vulnerable. The giflib affected version is: 5.2.1 vulnerable. The actual version is: 5.2.1-r0.
CVE-2022-29458 Grype did not identify CVE-2022-29458 as vulnerable. The ncurses-libs affected version is: 6.3 before patch 20220416. The actual version is: 6.2_p20210612-r0.
CVE-2020-28491 Grype did not identify CVE-2020-28491 as vulnerable. The jackson-dataformats-binary affected version is: Up to (excluding) 2.11.4. The actual version is: 2.10.4.
CVE-2022-2068 Grype did not identify CVE-2022-2068 as vulnerable. The openssl affected versions range is: From (including) 1.1.1 Up to (excluding) 1.1.1p. The actual version is: 1.1-1.1.1n-r0. According to security alpine and the alpine secdb, we assume that all openssl versions of Alpine 3.14 are affected by the vulnerability.
CVE-2022-21476, CVE-2022-21496, CVE-2022-21426, CVE-2022-21434, CVE-2022-21443 Grype did not identify CVE-2022-21476, CVE-2022-21496, CVE-2022-21426, CVE-2022-21434, CVE-2022-21443 as vulnerable. The actual version is: 11.0.14_p9-r0. According to the Alpine security advisory, the cpe for 11.0.14 is: cpe:2.3:a:oracle:jre:11.0.14:::::::*, which means that all versions of 11.0.14 are affected by these vulnerabilities.
CVE-2021-42376, CVE-2021-42379, CVE-2021-42373, CVE-2021-42381, CVE-2021-42382, CVE-2021-42374, CVE-2021-42386, CVE-2021-42384, CVE-2021-42383, CVE-2021-42385, CVE-2021-42380, CVE-2021-42378, CVE-2022-28391, CVE-2021-42375. Grype did not identify the following CVEs as vulnerable: CVE-2021-42376, CVE-2021-42379, CVE-2021-42373, CVE-2021-42381, CVE-2021-42382, CVE-2021-42374, CVE-2021-42386, CVE-2021-42384, CVE-2021-42383, CVE-2021-42385, CVE-2021-42380, CVE-2021-42378, CVE-2022-28391, CVE-2021-42375. According to NVD the affected busybox versions range is: from (including) 1.16.0 up to (excluding) 1.34.0. According to this website: https://security.alpinelinux.org/srcpkg/busybox one of the resolved CVEs for the Alpine 1.14 busybox 1.33.1-r8 version is CVE-2021-42376. The actual version is: 1.33.1-r7.
CVE-2020-0478 Grype did not identify CVE-2020-0478 as vulnerable. The affected package is: aom. The affected version range: bullseye - 1.0.0.errata1-3 vulnerable. The actual version is: 1.0.0.errata1-3.
CVE-2022-27191 Grype did not identify CVE-2022-27191 as vulnerable. According to https://pkg.go.dev/vuln/GO-2021-0356, the affected package is golang.org/x/crypto/ssh and the affected versions are up to (excluding) 0.0.0-20220314234659-1baeb1ce4c0b. The found dependency is: golang.org/x/crypto dependency version v0.0.0-20210513164829-c07d793c2f9a in the consul elf file. dep golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a. crypto uses an ssh version from May 2021, which is before March 2022.
The Containers used in the research were:
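The range arithmetic behind the debug, Jetty and undici entries in the comment above, as an added example that is not part of the thread or of Grype's code: NVD-style "from (including) / up to (excluding|including)" bounds are checked against the versions the reporter lists, including the extra 4.0.0 to 4.3.1 debug range the reporter proposes. Versions are compared as dotted numeric tuples, which covers these cases but is not a general-purpose comparator.

```python
"""NVD-style version range check for the npm and Java cases in this thread.
Added example, not Grype's code; comparison is on dotted numeric tuples."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Leading dotted numeric components; a tail like '.v20220331' is dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Three-way compare after zero-padding, so (3, 1) equals (3, 1, 0)."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


@dataclass(frozen=True)
class Range:
    low: Optional[str]              # "from (including)"; None means unbounded
    high: Optional[str]             # "up to (...)"; None means unbounded
    high_inclusive: bool = False    # True for "up to (including)"

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        if self.low is not None and _cmp(v, parse_version(self.low)) < 0:
            return False
        if self.high is not None:
            c = _cmp(v, parse_version(self.high))
            return c <= 0 if self.high_inclusive else c < 0
        return True


def affected(version: str, ranges: List[Range]) -> bool:
    """A version is affected if any advertised range contains it."""
    return any(r.contains(version) for r in ranges)


# Ranges and versions quoted in the comment above.
DEBUG_NVD = [Range("2.0.0", "2.6.9"), Range("3.0.0", "3.1.0")]
DEBUG_UPDATED = DEBUG_NVD + [Range("4.0.0", "4.3.1")]    # reporter's added 4.x range
DEBUG_FOUND = ["0.1.17", "2.6.9", "3.1.0", "3.2.7", "4.1.1", "4.3.4"]
JETTY_RANGES = [Range("10.0.0", "10.0.9", True), Range("11.0.0", "11.0.9", True)]
UNDICI_RANGE = [Range("4.8.2", "5.5.1")]


def debug_hits(ranges: List[Range] = DEBUG_UPDATED) -> List[str]:
    """Which debug versions found on the container fall inside the ranges."""
    return [v for v in DEBUG_FOUND if affected(v, ranges)]


if __name__ == "__main__":
    print("debug, NVD ranges:    ", debug_hits(DEBUG_NVD))      # []
    print("debug, updated ranges:", debug_hits())               # ['4.1.1']
    print("jetty 9.4.46.v20220331:", affected("9.4.46.v20220331", JETTY_RANGES))  # False
    print("undici 5.4.0:", affected("5.4.0", UNDICI_RANGE),
          "undici 4.14.1:", affected("4.14.1", UNDICI_RANGE))   # True True
```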
This class of problems should be fixed now that we have adjusted our vulnerability matching method as described here: https://anchore.com/blog/say-goodbye-to-false-positives/ -- I'll go ahead and close this issue but please feel free to re-open if you find more false positives, or if this one is still affecting your images. Thanks!
What happened: In a Vulnerability Scanner Benchmark Research we are conducting, we executed Grype on 20 different containers and found out that Grype has multiple False Positives.
What you expected to happen: We expected Grype not to report on these CVEs.
How to reproduce it (as minimally and precisely as possible): Install the Docker Images (from the links below) and execute Grype using the following command:
grype <container_name> --output json > <output_file_path>
Output of grype version:
Application: grype
Version: 0.41.0
Syft Version: v0.50.0
BuildDate: 2022-07-06T15:20:18Z
GitCommit: 0e0a9d9e7a28592db489499db0294608e5fe69b8
GitDescription: v0.41.0
Platform: linux/amd64
GoVersion: go1.18.3
Compiler: gc
Supported DB Schema: 4
Cases
#1 - Ghost
Container Details: https://hub.docker.com/layers/library/ghost/5.2.4/images/sha256-42137b9bd1faf4cdea5933279c48a912d010ef614551aeb0e44308600aa3e69f?context=explore
OS (e.g: cat /etc/os-release): PRETTY_NAME="Debian GNU/Linux 11 (bullseye)" NAME="Debian GNU/Linux" VERSION_ID="11" VERSION="11 (bullseye)" VERSION_CODENAME=bullseye ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/"
CVEs
CVE-1999-0082 Grype wrongly identified CVE-1999-0082 as vulnerable. The path it identified is: /var/lib/ghost/versions/5.2.4/node_modules/ftp/package.json The ftp npm package version is 0.3.10. However, according to the Debian website, the vulnerability is related to data pre-dating the Security Tracker (I think the ftpd service and not the ftp npm package).
CVE-1999-0201 Grype wrongly identified CVE-1999-0201 as vulnerable. The path it identified is: /var/lib/ghost/versions/5.2.4/node_modules/ftp/package.json The ftp npm package version is 0.3.10. However, according to the Debian website, the vulnerability is related to data pre-dating the Security Tracker (I think an ftp server and not the ftp npm package).
CVE-2004-2761 Grype wrongly identified CVE-2004-2761 as vulnerable. The path it identified is: /var/lib/ghost/versions/5.2.4/node_modules/md5/package.json The md5 npm package version is 2.3.0. However, according to the Debian website, this is a general MD5 weakness, and doesn't need to be tracked package-wise.
CVE-2006-1611 Grype wrongly identified CVE-2006-1611 as vulnerable. The path it identified is: /var/lib/ghost/versions/5.2.4/node_modules/archiver/package.json The archiver npm package version is 5.3.1. However, according to the Debian website, the vulnerability is related to the KGB Archiver.
CVE-2015-9529 Grype wrongly identified CVE-2015-9529 as vulnerable. The path it identified is: /var/lib/ghost/versions/5.2.4/node_modules/stripe/package.json The stripe package version is 8.215.0. However, according to the Debian website, the vulnerability is related to the Stripe WordPress plugin.
CVE-2019-10743 Grype wrongly identified CVE-2019-10743 as vulnerable. The path it identified is: /usr/local/lib/node_modules/ghost-cli/node_modules/archiver/package.json The archiver package version is 5.3.1. However, according to the Debian website, the vulnerability is not connected to Debian (NOT-FOR-US).
CVE-2021-24478 Grype wrongly identified CVE-2021-24478 as vulnerable. The path it identified is: /var/lib/ghost/versions/5.2.4/node_modules/bookshelf/package.json The bookshelf package version is 1.2.0. However, according to the Debian website (and NVD), the vulnerability is in the bookshelf WordPress plugin.
CVE-2021-29940 Grype wrongly identified CVE-2021-29940 as vulnerable. The path it identified is: /usr/local/lib/node_modules/ghost-cli/node_modules/through/package.json The opener package version is 2.3.8. However, according to the Debian website, the vulnerability is related to the Rust crate through.
#2 - Jenkins
Container Details: https://hub.docker.com/layers/jenkins/jenkins/2.358/images/sha256-01600c1acde3391286945f775f2e5b2366f9b96fbe012a3ffa5159073c0c6392?context=explore
OS (e.g: cat /etc/os-release): PRETTY_NAME="Debian GNU/Linux 11 (bullseye)" NAME="Debian GNU/Linux" VERSION_ID="11" VERSION="11 (bullseye)" VERSION_CODENAME=bullseye ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/"
CVEs
CVE-2018-1000052 Grype wrongly identified fmtlib CVE-2018-1000052 as vulnerable. There is no fmtlib package in the container; however, there is a commons-jelly-tags-fmt file that has version 1.0, and Grype was mistaken because it leaned on the cpe "cpe:2.3:a:fmt:fmt::::::::". According to this link, commons-jelly-tags-fmt does not have versions in use that are higher than 1.0.0.
#3 - Kibana
Container Details: https://hub.docker.com/layers/kibana/library/kibana/8.3.2/images/sha256-51635619b14a0f3a764f39c4c51d527304d8c33fbda05d72652b18255639122b?context=explore
OS (e.g: cat /etc/os-release): NAME="Ubuntu" VERSION="20.04.4 LTS (Focal Fossa)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 20.04.4 LTS" VERSION_ID="20.04" HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" VERSION_CODENAME=focal UBUNTU_CODENAME=focal
CVEs
CVE-2006-1611 Grype wrongly identified CVE-2006-1611 as vulnerable. The path it identified is: /var/lib/ghost/versions/5.2.4/node_modules/archiver/package.json The archiver npm package version is 5.3.1. However, according to the Debian website, the vulnerability is related to the KGB Archiver.
CVE-2019-10743 Grype wrongly identified CVE-2019-10743 as vulnerable. The path it identified is: /usr/local/lib/node_modules/ghost-cli/node_modules/archiver/package.json The archiver package version is 5.3.1. However, according to the Debian website, the vulnerability is not connected to Debian (NOT-FOR-US).
CVE-2020-10743 Grype wrongly identified CVE-2020-10743 as vulnerable. The path it identified is: /usr/share/kibana/package.json However, according to the https://www.cve.org/CVERecord?id=CVE-2020-10743 website, the vulnerability is not related to the kibana npm package.
CVE-2021-29940 Grype wrongly identified CVE-2021-29940 as vulnerable. The path it identified is: /usr/local/lib/node_modules/ghost-cli/node_modules/through/package.json The opener package version is 2.3.8. However, according to the Debian website, the vulnerability is related to the ‘Rust crate through’ package.
CVE-2022-0323 Grype was the only one that correctly identified CVE-2022-0323 as vulnerable. The path it identified is: /usr/share/kibana/node_modules/mustache/package.json The mustache npm package version is 2.3.2. Affected versions: up to (excluding) 2.14.1. However, according to NVD and Snyk the affected mustache package is a composer php package and not npm.
#4 - Neo4j
Container Details: https://hub.docker.com/layers/library/neo4j/4.4.8/images/sha256-d7cb5bde33a15197f45ca2f8a701de059c9e33cc6b59a7d7a02c180462ea98c0?context=explore
OS (e.g: cat /etc/os-release): PRETTY_NAME="Debian GNU/Linux 11 (bullseye)" NAME="Debian GNU/Linux" VERSION_ID="11" VERSION="11 (bullseye)" VERSION_CODENAME=bullseye ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/"
CVEs
CVE-2020-35864 Grype wrongly identified CVE-2020-35864 as vulnerable. According to the Debian website: NOT-FOR-US: flatbuffers rust crate. According to the Snyk vulnerability entry, the package is related to cargo.
#5 - Solr
Container Details: https://hub.docker.com/layers/library/solr/9.0.0/images/sha256-a75d693dcc9b978f8f35cdad3f775ad09dd3020e1920871a1fb167655a19e888?context=explore
OS (e.g: cat /etc/os-release): PRETTY_NAME="Ubuntu 22.04 LTS" NAME="Ubuntu" VERSION_ID="22.04" VERSION="22.04 LTS (Jammy Jellyfish)" VERSION_CODENAME=jammy ID=ubuntu ID_LIKE=debian HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" UBUNTU_CODENAME=jammy
CVEs
CVE-2013-2192, CVE-2015-7430, CVE-2016-5001, CVE-2017-3161, CVE-2017-3162 Grype wrongly identified hadoop CVE-2013-2192, CVE-2015-7430, CVE-2016-5001, CVE-2017-3161, CVE-2017-3162 as vulnerable. Grype finds the hadoop version as: 1.1.1. According to Ubuntu: This CVE does not apply to software in Ubuntu archives. I could not find any results for this CVE on the Snyk vulnerability DB website.
CVE-2015-4035 Grype identified java xz CVE-2015-4035 as vulnerable. Affected versions are: up to (including) 4.999.9beta. Grype finds the following path: /opt/solr-9.0.0/modules/extraction/lib/xz-1.9.jar, and the content of /opt/solr-9.0.0/licenses/xz-NOTICE.txt contains the following: XZ for Java 1.0 (2011-10-22) http://tukaani.org/xz/java.html According to NVD the affected CPEs are: cpe:2.3:a:tukaani:xz::beta::::::* The vulnerability is a maven vulnerability, and when I searched on the Snyk vulnerability DB, I found that the 1.9 version is not affected by any vulnerability. According to this link, the 1.9 version is the last version of the package that exists on the container. According to a closed issue in the dependency-check tool: There is a false positive for Tukaani XZ: xz-1.8.jar (cpe:/a:tukaani:xz:1.8, org.tukaani:xz:1.8) : CVE-2015-4035 The CVE refers to Tukaani itself. But org.tukaani.xz is a Java library that has a separate versioning system (https://tukaani.org/xz/java.html).
CVE-2022-25647 Grype wrongly identified com.google.code.gson:gson CVE-2022-25647 as vulnerable. According to NVD, affected com.google.code.gson:gson versions are up to (excluding) 2.8.9. Actual version: 2.8.9. The path I found is: /opt/solr-9.0.0/modules/extraction/lib/gson-2.8.9.jar When I extracted the file I found the following pom.xml file: META-INF/maven/com.google.code.gson/gson/pom.xml That contains the following strings:
The path Grype identifies is: "/opt/solr-9.0.0/modules/gcs-repository/lib/google-http-client-gson-1.41.0.jar" Then, it wrongly compares the identified path with the affected versions. According to this link, 1.41.0 is not one of the gson package versions.
#6 - Sonarqube
Container Details: https://hub.docker.com/layers/library/sonarqube/9.5.0-community/images/sha256-2f102e5b91abb39db22da3d2efca1eaccdd919923355b6e42edc3c522e3aa235?context=explore
OS (e.g: cat /etc/os-release): NAME="Alpine Linux" ID=alpine VERSION_ID=3.14.6 PRETTY_NAME="Alpine Linux v3.14" HOME_URL="https://alpinelinux.org/" BUG_REPORT_URL="https://bugs.alpinelinux.org/"
CVEs
326 CVEs Grype wrongly identified maven php vulnerabilities as vulnerable. The path it identified is: pkg:maven/org.sonarsource.php/php-checks@3.23.1.8766 The php maven version is 3.23.1.8766. However, I only see that these vulnerabilities are connected to php and not to the maven php; I searched for results in the Snyk vulnerability DB and did not find any connection to maven. Another thing: according to my searches, there is no php 3.23.1.8766 version. (For example: CVE-2002-2215 CVE-2003-0442 CVE-2004-0542 CVE-2004-0958 CVE-2004-0959 CVE-2004-1018 CVE-2006-3011 CVE-2006-3017 CVE-2006-5178 CVE-2006-5465 CVE-2006-5706 CVE-2006-7243)
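One way to keep the two jars in the Solr gson case apart: read the Maven coordinates from the META-INF/maven/<groupId>/<artifactId>/pom.xml entry inside the jar rather than guessing them from the jar filename, and match a vulnerability only when group and artifact both agree before the version range is consulted. Added example, not Grype's code or matching logic; the two jars are constructed in memory, and the com.google.http-client group id assumed for google-http-client-gson is my assumption, not something stated in the thread.

```python
"""Read Maven coordinates from the pom.xml inside a jar, not from its filename.
Added example, not Grype's code; the jars below are constructed in memory."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from typing import Optional, Tuple

POM_PATH = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.xml$")
# CVE-2022-25647 as quoted above: com.google.code.gson:gson, fixed in 2.8.9
GSON_VULN = ("com.google.code.gson", "gson", "2.8.9")


def make_jar(group: str, artifact: str, version: str) -> bytes:
    """Constructed test input: a jar holding only its Maven pom.xml entry."""
    pom = (f'<project xmlns="http://maven.apache.org/POM/4.0.0">'
           f"<groupId>{group}</groupId><artifactId>{artifact}</artifactId>"
           f"<version>{version}</version></project>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.xml", pom)
    return buf.getvalue()


def coords_from_filename(path: str) -> Tuple[str, str]:
    """Filename heuristic '<name>-<version>.jar'. It gives a name that merely
    ends in 'gson' for google-http-client-gson and says nothing about the group."""
    stem = path.rsplit("/", 1)[-1]
    if stem.endswith(".jar"):
        stem = stem[:-4]
    name, version = stem.rsplit("-", 1)
    return name, version


def coords_from_pom(jar_bytes: bytes) -> Optional[Tuple[str, str, str]]:
    """groupId:artifactId:version from META-INF/maven/<g>/<a>/pom.xml.
    '{*}' matches any XML namespace. A version inherited from <parent> is
    not resolved here, so such a POM yields None rather than a guess."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_PATH.match(name)
            if not m:
                continue
            root = ET.fromstring(zf.read(name))
            fields = {}
            for tag in ("groupId", "artifactId", "version"):
                el = root.find("{*}" + tag)
                fields[tag] = el.text.strip() if el is not None and el.text else None
            if fields["version"]:
                return (fields["groupId"] or m.group(1),
                        fields["artifactId"] or m.group(2), fields["version"])
    return None


def numeric(version: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def matches_gson_cve(jar_bytes: bytes) -> bool:
    """Match only if group AND artifact agree and the version is below the fix."""
    coords = coords_from_pom(jar_bytes)
    if coords is None or coords[:2] != GSON_VULN[:2]:
        return False
    return numeric(coords[2]) < numeric(GSON_VULN[2])


# The two jar paths from the Solr case; the google-http-client-gson group id
# is an assumption about that artifact, not something stated in the thread.
JARS = {
    "/opt/solr-9.0.0/modules/extraction/lib/gson-2.8.9.jar":
        make_jar("com.google.code.gson", "gson", "2.8.9"),
    "/opt/solr-9.0.0/modules/gcs-repository/lib/google-http-client-gson-1.41.0.jar":
        make_jar("com.google.http-client", "google-http-client-gson", "1.41.0"),
}

if __name__ == "__main__":
    for path, data in JARS.items():
        print(coords_from_filename(path), "->", coords_from_pom(data),
              "vulnerable:", matches_gson_cve(data))
```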