Open xpicio opened 1 year ago
Hi @xpicio, sorry for the delay responding, and thank you for this report. I have reproduced it on my side. We will take a look as soon as we can, and get back to you if we need any more info. Thanks again!
Moved this over to our backlog for us to pick up when we have cycles - grype currently has a way where it does not use CPE for matching on debian packages (we use their official feed), but we recognize that this CPE is incorrect. When this gets picked up we'll try to find a better way to generate this CPE.
All PRs from the community are also welcome - tag me and I can help with the review if you want to take a stab at this =)
What happened: Running the command:
the CPE of the packages is generated with the pattern
cpe:2.3:a:PACKAGE_NAME:PACKAGE_NAME:VERSION:*:*:*:*:*:*:*
like this. In this way, software like Dependency-Track is not able to detect the vulnerability. For example, this vulnerability is not detected.
What you expected to happen: The CPE of the packages is generated with the pattern
cpe:2.3:a:VENDOR:PACKAGE_NAME:VERSION:*:*:*:*:*:*:*
like this. When the SBOM file is imported into Dependency-Track, the vulnerability is detected. I tried patching the VENDOR token with debian (instead of dpkg) and everything seems to work well.
How to reproduce it (as minimally and precisely as possible): Simply run the command
and check the value of the generated CPE.
Environment:
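To make the reporter's point concrete, here is an added example (not syft's, grype's or Dependency-Track's own code) of why the vendor field decides whether an SBOM entry matches an advisory. It builds a CPE 2.3 string for a Debian package in both of the patterns quoted above, then runs a minimal CPE name-matching rule ("*" on either side matches, otherwise the attribute must be equal) against a constructed "advisory" CPE. The package name examplepkg, the version 1.2.3-1 and the single-entry advisory list are hypothetical; the matcher is a simplification of what a real scanner does (real tools also evaluate version ranges), but the lookup is keyed on vendor and product first, which is exactly where the reported CPE fails.

```go
package main

import (
	"fmt"
	"strings"
)

// CPE holds the eleven attribute fields of a CPE 2.3 formatted-string name:
// cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
type CPE struct {
	Part, Vendor, Product, Version, Update, Edition, Language, SWEdition, TargetSW, TargetHW, Other string
}

// ParseCPE splits a formatted string into its fields. Simplification: escaped
// colons ("\:") inside a field are not handled, which is fine for the package
// names and Debian versions discussed in this issue.
func ParseCPE(s string) (CPE, error) {
	f := strings.Split(s, ":")
	if len(f) != 13 || f[0] != "cpe" || f[1] != "2.3" {
		return CPE{}, fmt.Errorf("not a CPE 2.3 formatted string: %q", s)
	}
	return CPE{f[2], f[3], f[4], f[5], f[6], f[7], f[8], f[9], f[10], f[11], f[12]}, nil
}

// String renders the CPE back into formatted-string form.
func (c CPE) String() string {
	return strings.Join([]string{"cpe", "2.3", c.Part, c.Vendor, c.Product, c.Version,
		c.Update, c.Edition, c.Language, c.SWEdition, c.TargetSW, c.TargetHW, c.Other}, ":")
}

// NewDpkgCPE builds an application CPE for a Debian package. An empty vendor
// reproduces the pattern reported in the issue (vendor := package name);
// passing "debian" gives the pattern the reporter expected.
func NewDpkgCPE(vendor, pkg, version string) CPE {
	if vendor == "" {
		vendor = pkg
	}
	return CPE{Part: "a", Vendor: vendor, Product: pkg, Version: version,
		Update: "*", Edition: "*", Language: "*", SWEdition: "*",
		TargetSW: "*", TargetHW: "*", Other: "*"}
}

// attrMatches is the minimal name-matching rule used here: "*" (ANY) on
// either side matches, otherwise the values must be equal, case-insensitively.
func attrMatches(a, b string) bool {
	return a == "*" || b == "*" || strings.EqualFold(a, b)
}

// Matches reports whether every attribute of c is compatible with other.
// Version is compared exactly; real scanners apply version ranges from the
// advisory, but they key the lookup on vendor and product first, so a wrong
// vendor fails before any version logic runs.
func (c CPE) Matches(other CPE) bool {
	pairs := [][2]string{
		{c.Part, other.Part}, {c.Vendor, other.Vendor}, {c.Product, other.Product},
		{c.Version, other.Version}, {c.Update, other.Update}, {c.Edition, other.Edition},
		{c.Language, other.Language}, {c.SWEdition, other.SWEdition},
		{c.TargetSW, other.TargetSW}, {c.TargetHW, other.TargetHW}, {c.Other, other.Other},
	}
	for _, p := range pairs {
		if !attrMatches(p[0], p[1]) {
			return false
		}
	}
	return true
}

// AffectedBy returns the advisory CPE strings in vulnDB that pkg matches.
// Unparseable entries are skipped rather than treated as matches.
func AffectedBy(pkg CPE, vulnDB []string) []string {
	var hits []string
	for _, s := range vulnDB {
		adv, err := ParseCPE(s)
		if err != nil {
			continue
		}
		if pkg.Matches(adv) {
			hits = append(hits, s)
		}
	}
	return hits
}

func main() {
	// Constructed sample advisory; package name and version are hypothetical.
	vulnDB := []string{"cpe:2.3:a:debian:examplepkg:1.2.3-1:*:*:*:*:*:*:*"}
	wrong := NewDpkgCPE("", "examplepkg", "1.2.3-1")      // pattern reported in the issue
	right := NewDpkgCPE("debian", "examplepkg", "1.2.3-1") // pattern the reporter expected
	fmt.Printf("%s -> %d hit(s)\n", wrong, len(AffectedBy(wrong, vulnDB)))
	fmt.Printf("%s -> %d hit(s)\n", right, len(AffectedBy(right, vulnDB)))
}
```

Running it shows the vendor-equals-product CPE producing zero hits against the debian-vendor advisory while the corrected CPE produces one; nothing about the version or product changed between the two, only the vendor field, which is the whole substance of the report.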