docker / scout-cli

Docker Scout CLI
https://docker.com/products/docker-scout

Inconsistent purl mapping in SARIF output from CVE scan #47

Closed bm402 closed 9 months ago

bm402 commented 9 months ago

When an image contains two different versions of the same package (e.g. guava@29.0-jre and guava@31.0-jre) that contain the same CVEs, and you run the following command:

docker scout cves --locations --format sarif --output report.json <image name>

the SARIF output will look something like the following (some properties omitted):

{
  "runs": [
    {
      "tool": {
        "driver": {
          "rules": [
            {
              "id": "CVE-2020-8908",
              "properties": {
                "purl": "pkg:maven/com.google.guava/guava@29.0-jre"
              }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "CVE-2020-8908",
          "ruleIndex": 0,
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "/home/atcloud/.gradle/wrapper/dists/gradle-8.3-bin/dxjbbhstwasg8cbags9q7cvli/gradle-8.3-bin.zip:gradle-8.3/lib/guava-31.0-jre.jar"
                }
              }
            }
          ]
        },
        {
          "ruleId": "CVE-2020-8908",
          "ruleIndex": 0,
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "/home/atcloud/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-gradle-plugin/1.8.22/35314735f9b890dd8192307a3894e5556b08031e/kotlin-gradle-plugin-1.8.22-gradle76.jar:guava-29.0-jre"
                }
              }
            }
          ]
        }
      ]
    }
  ]
}

The issue is that the relationship between the rule (i.e. CVE) and the purl is one-to-one in this output, when really a CVE can be present in more than one purl (in this case pkg:maven/com.google.guava/guava@29.0-jre and pkg:maven/com.google.guava/guava@31.0-jre).

The other problem is that the purl in the rule properties seems to be chosen at random leading to inconsistent results. In this example, when the scan is run multiple times, sometimes it picks guava@29.0-jre and other times it picks guava@31.0-jre. This inconsistency is exacerbated when the packages contain more than one CVE and some of the purls are one version, and others are the other version.
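Added example, not part of the issue or the docker/scout-cli project: a small post-processing check that consumes a SARIF report of the shape shown above and flags the two problems described, namely results whose artifact location disagrees with the single purl recorded on their rule, and rules whose results actually span more than one package version. The embedded SARIF fragment is constructed to mirror the report in the issue; the purl parsing is a simplified reading of the purl spec (type, optional namespace, name, version) sufficient for Maven-style purls and is an assumption of this example.

```python
"""Consistency check for rule purls versus result locations in a SARIF CVE report.

Added example; not code from docker/scout-cli. The SARIF below is constructed to
mirror the report quoted in the issue (paths shortened, no other fields).
"""
import json
import re
from collections import defaultdict

# Constructed sample: one rule carrying a single purl (guava@29.0-jre) while the
# two results point at jars of two different guava versions.
SAMPLE_SARIF = json.dumps({
    "runs": [{
        "tool": {"driver": {"rules": [
            {"id": "CVE-2020-8908",
             "properties": {"purl": "pkg:maven/com.google.guava/guava@29.0-jre"}}
        ]}},
        "results": [
            {"ruleId": "CVE-2020-8908", "ruleIndex": 0, "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "/opt/gradle-8.3/lib/guava-31.0-jre.jar"}}}]},
            {"ruleId": "CVE-2020-8908", "ruleIndex": 0, "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "/opt/plugins/kotlin-gradle-plugin-1.8.22.jar:guava-29.0-jre"}}}]},
        ],
    }]
})

# Simplified purl grammar (assumption): pkg:<type>/[<namespace>/]<name>@<version>
PURL_RE = re.compile(r"^pkg:[^/]+/(?:.*/)?(?P<name>[^@/]+)@(?P<version>[^?#]+)")


def parse_purl(purl):
    """Return (name, version) from a purl; raise on anything we cannot read."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"unsupported purl: {purl}")
    return m.group("name"), m.group("version")


def _iter_results(doc):
    """Yield (rule, result) pairs, resolving the rule via ruleIndex or ruleId."""
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        by_id = {r.get("id"): r for r in rules}
        for result in run.get("results", []):
            if "ruleIndex" in result:
                rule = rules[result["ruleIndex"]]
            else:
                rule = by_id[result["ruleId"]]
            yield rule, result


def _location_uris(result):
    for loc in result.get("locations", []):
        uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
        if uri:
            yield uri


def find_mismatches(sarif_text):
    """Results whose artifact URI names the package but not the rule's purl version.

    Returns a list of (rule id, rule purl, offending artifact URI).
    """
    findings = []
    for rule, result in _iter_results(json.loads(sarif_text)):
        purl = rule.get("properties", {}).get("purl")
        if not purl:
            continue
        name, version = parse_purl(purl)
        for uri in _location_uris(result):
            # A jar of a different version still carries the package name, so
            # "name in uri" but "name-version not in uri" is the inconsistency.
            if name in uri and f"{name}-{version}" not in uri:
                findings.append((rule["id"], purl, uri))
    return findings


def versions_per_rule(sarif_text):
    """Map rule id -> set of package versions seen in its result locations.

    Any rule with more than one version shows the one-to-one rule/purl mapping
    is lossy for that CVE.
    """
    seen = defaultdict(set)
    for rule, result in _iter_results(json.loads(sarif_text)):
        purl = rule.get("properties", {}).get("purl")
        if not purl:
            continue
        name, _ = parse_purl(purl)
        pat = re.compile(rf"{re.escape(name)}-([0-9][^/:]*?)(?:\.jar)?(?=$|[/:])")
        for uri in _location_uris(result):
            m = pat.search(uri)
            if m:
                seen[rule["id"]].add(m.group(1))
    return dict(seen)


if __name__ == "__main__":
    for rule_id, purl, uri in find_mismatches(SAMPLE_SARIF):
        print(f"{rule_id}: rule purl {purl} but result location {uri}")
    for rule_id, versions in versions_per_rule(SAMPLE_SARIF).items():
        if len(versions) > 1:
            print(f"{rule_id}: results span versions {sorted(versions)}")
```

Run against a real `docker scout cves --format sarif` report by replacing `SAMPLE_SARIF` with the file contents; the version regex keys off the `name-version` convention seen in the jar paths above, so adjust it for ecosystems that name artifacts differently.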

bm402 commented 9 months ago
version: 0.24.1 (go1.21.0 - darwin/arm64)
git commit: 67cb4ef78bd69545af0e223ba5fb577b27094505