not showing poco CVEs from syft generated sbom #1737
We experienced the same issue with
    {
      "type": "library",
      "bom-ref": "pkg:conan/zlib@1.3%2306023034579559bb64357db3a53f88a4?package-id=d2a08f1cc3405bb7",
      "name": "zlib",
      "version": "1.3#06023034579559bb64357db3a53f88a4",
      "cpe": "cpe:2.3:a:zlib:zlib:1.3\\#06023034579559bb64357db3a53f88a4:*:*:*:*:*:*:*",
      "purl": "pkg:conan/zlib@1.3%2306023034579559bb64357db3a53f88a4"
    }
env:
    Application: grype
    Version: 0.74.7
    BuildDate: 2024-02-26T18:24:14Z
    GitCommit: 987238519b8d6e302130ab715f20daed6634da68
    GitDescription: v0.74.7
    Platform: linux/amd64
    GoVersion: go1.21.7
    Compiler: gc
    Syft Version: v0.105.1
    Supported DB Schema: 5
$ grype db status
    Built: 2024-03-04 01:24:54 +0000 UTC
    Schema: 5
    Checksum: sha256:cbd02283db12e98c1a58ea491eea2cc2b8153da6c2bc65f769ec2831c22c4a45
    Status: valid
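The maintainers note a problem with the CPE generated for the zlib record above, whose version field carries the Conan recipe revision ("1.3#...") that NVD CPE data does not use. As an added example (not code from the syft/grype projects), this script scans a CycloneDX JSON SBOM for Conan components whose CPE version still embeds a "\#<revision>" suffix and proposes the CPE with the revision removed; the sample SBOM is constructed from the record in this thread plus an invented clean openssl entry, and stripping the revision as the fix is an assumption, not the maintainers' stated resolution.

```python
import json

# Constructed sample mirroring the zlib record quoted in the thread: a Conan package
# whose version (and therefore the generated CPE) carries a "#<recipe revision>" suffix.
SBOM_JSON = r'''{"components": [
 {"type": "library", "name": "zlib", "version": "1.3#06023034579559bb64357db3a53f88a4",
  "cpe": "cpe:2.3:a:zlib:zlib:1.3\\#06023034579559bb64357db3a53f88a4:*:*:*:*:*:*:*",
  "purl": "pkg:conan/zlib@1.3%2306023034579559bb64357db3a53f88a4"},
 {"type": "library", "name": "openssl", "version": "3.1.4",
  "cpe": "cpe:2.3:a:openssl:openssl:3.1.4:*:*:*:*:*:*:*", "purl": "pkg:conan/openssl@3.1.4"}
]}'''


def split_cpe23(cpe: str) -> list:
    """Split a CPE 2.3 formatted string on unescaped ':' (a backslash escapes the next char)."""
    fields, cur, i = [], [], 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):  # keep escape pairs such as '\#' intact
            cur.append(cpe[i:i + 2])
            i += 2
            continue
        if cpe[i] == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(cpe[i])
        i += 1
    fields.append("".join(cur))
    return fields


def strip_conan_revision(cpe: str):
    """Return (cpe, changed): the version field (index 5) with any '\\#<revision>' removed."""
    fields = split_cpe23(cpe)
    if len(fields) != 13:
        return cpe, False  # not a well-formed CPE 2.3 string; leave it untouched
    cut = fields[5].find("\\#")
    if cut < 0:
        return cpe, False
    fields[5] = fields[5][:cut]
    return ":".join(fields), True


def find_revision_cpes(sbom_json: str) -> list:
    """List components whose CPE still embeds the Conan recipe revision, with a suggested CPE."""
    out = []
    for comp in json.loads(sbom_json).get("components", []):
        fixed, changed = strip_conan_revision(comp.get("cpe", ""))
        if changed:
            out.append({"name": comp["name"], "cpe": comp["cpe"], "suggested_cpe": fixed})
    return out
```

Running find_revision_cpes over a real syft CycloneDX file flags every Conan component whose CPE would carry the revision into matching; the openssl entry is the negative case and is not reported.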
For me at least with zlib 1.2.12, grype gives me:
Here's my whole zlib entry
That's right, CVE-2023-45853 affects both versions zlib/1.2.x and zlib/1.3.0.
Hi @d3matt and @MinhTriet-Ly, thank you for the report. We'll take a look and see why. Stay tuned!
Hi @d3matt, can you share the full SBOM you are scanning? Or at least the full record for the poco record in JSON format? I don't think we quite have enough info to reproduce. @MinhTriet-Ly, your issue is a separate problem. Could you open a separate issue and attach the full Conan lock file (or a subset that will allow us to reproduce the problem), and we will look into it? We do see a problem with the generated CPE in your case, but we will need to see a full lockfile to reproduce. Thank you both!
Here's my whole poco record from the syft generated SBOM
I think the problem here is that the CPE that we generate for this package is I am not sure why that is or the exact route to fix it, but I will check with the team. @d3matt, it might be helpful if we had a conan.lock that could reproduce this problem. Do you have one you can give us? Thanks!
Sorry for the late response. I was able to reproduce the problem with a minimal example: https://github.com/MinhTriet-Ly/demo_syft_grype
    # old syft version that we use 0.87.1
    curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b ~/tmp v0.87.1
    # current latest v1.0.1
    curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin
    # install current latest grype 0.74.7
    curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin
    # v0.87.1
    ~/tmp/syft packages dir:${HOME}/proj/demo_syft_grype/build --scope=AllLayers --catalogers=conan --source-name=demo --output cyclonedx-json=syft-old.json
    grype -o json sbom:syft-old.json > grype-old.json
    # v1.0.1
    syft scan dir:${HOME}/proj/demo_zlib/build --scope=AllLayers --select-catalogers=conan --source-name=demo --output cyclonedx-json=syft-new.json
    grype -o json sbom:syft-new.json > grype-new.json
The old version
What happened:
I'm using syft to generate an SBOM from a conan lockfile that grype can parse. Grype is definitely showing CVEs for other packages, but is not showing a known CVE for poco version 1.12.2.
What you expected to happen:
I expected grype to show CVE-2023-52389. I did a strings on the latest vulnerability db and it definitely has entries for that CVE.
How to reproduce it (as minimally and precisely as possible):
Have an SBOM with a poco artifact (I think the record below is enough), scan it with grype sbom:path/to/file, and verify that CVE-2023-52389 is not listed.
Anything else we need to know?:
Environment:
- Output of grype version:
- OS (e.g: cat /etc/os-release or similar):