grype miss the vulnerable location about CVE-2022-22978

[moon2263]

What happened:

• grype scan to image which installed spring security and found CVE-2022-22978
  • .locations.Path = /path/to/spring-security-core-5.3.4.RELEASE.jar
• CVE-2022-22978 is caused by RegexRequestMatcher.class
  • https://spring.io/security/cve-2022-22978
• RegexRequestMatcher.class is located in spring-security-web-5.3.4.RELEASE.jar but grype only outputs spring-security-core as a path.
  • https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/util/matcher/RegexRequestMatcher.java

What you expected to happen:

• Output both of paths
  • /path/to/spring-security-core-5.3.4.RELEASE.jar
  • /path/to/spring-security-web-5.3.4.RELEASE.jar

How to reproduce it (as minimally and precisely as possible):

$ grype moon2263/test:springtest -o json --by-cve 

Anything else we need to know?: X

Environment:

• Output of grype version:

Application:         grype
Version:             0.81.0
BuildDate:           2024-09-25T12:56:24Z
GitCommit:           brew
GitDescription:      [not provided]
Platform:            darwin/arm64
GoVersion:           go1.23.1
Compiler:            gc
Syft Version:        v1.13.0
Supported DB Schema: 5

• OS (e.g: cat /etc/os-release or similar): MAC 14.4,1

[westonsteimel]

That would need to be addressed by updating the GitHub security advisory record to include org.springframework.security:spring-security-web as a vulnerable component

[moon2263]

@westonsteimel
Oh, I understood. I'll request to that link. Thank you!

[westonsteimel]

If you'd like you can also edit it yourself at https://github.com/advisories/GHSA-hh32-7344-cg2f/improve and that will automatically create a PR to the GitHub team for review.