
Likely false positives for erlang otp #2344

Open
sameerkattel opened this issue Dec 19, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@sameerkattel

What happened:
Running grype against https://www.erlang.org/patches/otp-27.2 reports very old CVEs.


C:\Users\Sameer>grype "C:\Program Files\Erlang OTP"
 ✔ Indexed file system                                                                     C:\Program Files\Erlang OTP
 ✔ Cataloged contents                                 3547a8c35fbcce10e0dcb305ff94600917e6a76ea3fc8010f92f84090e91d719
   ├── ✔ Packages                        [40 packages]
   ├── ✔ File digests                    [0 files]
   ├── ✔ File metadata                   [0 locations]
   └── ✔ Executables                     [0 executables]
 ✔ Scanned for vulnerabilities     [6 vulnerability matches]
   ├── by severity: 0 critical, 3 high, 3 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 6 not-fixed, 0 ignored
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which
NAME  INSTALLED  FIXED-IN  TYPE        VULNERABILITY  SEVERITY
ftp   1.2.3                erlang-otp  CVE-1999-0082  High
ftp   1.2.3                erlang-otp  CVE-1999-0201  Medium
snmp  5.18                 erlang-otp  CVE-2002-0013  High
snmp  5.18                 erlang-otp  CVE-2002-0012  High
snmp  5.18                 erlang-otp  CVE-1999-0472  Medium
tftp  1.2.1                erlang-otp  CVE-1999-0183  Medium

What you expected to happen:
no vulnerabilities linked to very old CVEs

How to reproduce it (as minimally and precisely as possible):
run grype against an OTP 27.2 installation

Anything else we need to know?:

Environment:

  • Output of grype version:
    grype 0.86.1

  • OS (e.g: cat /etc/os-release or similar):
    windows 11

@sameerkattel sameerkattel added the bug Something isn't working label Dec 19, 2024
@popey
Contributor

popey commented Dec 19, 2024

Hi @sameerkattel - thanks very much for the issue report and the details required for me to reproduce it, which I have here.

$ wget https://github.com/erlang/otp/releases/download/OTP-27.2/otp_win64_27.2.zip
$ unzip otp_win64_27.2.zip
$ syft . -o syft-json=erlang-otp.json
 ✔ Indexed file system .
 ✔ Cataloged contents cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
   ├── ✔ Packages                        [41 packages]
   ├── ✔ File digests                    [41 files]
   ├── ✔ File metadata                   [41 locations]
   └── ✔ Executables                     [41 executables]
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
$ grype erlang-otp.json
 ✔ Scanned for vulnerabilities     [6 vulnerability matches]
   ├── by severity: 0 critical, 3 high, 3 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 6 not-fixed, 0 ignored
NAME  INSTALLED  FIXED-IN  TYPE        VULNERABILITY  SEVERITY
ftp   1.2.3                erlang-otp  CVE-1999-0082  High
ftp   1.2.3                erlang-otp  CVE-1999-0201  Medium
snmp  5.18                 erlang-otp  CVE-2002-0013  High
snmp  5.18                 erlang-otp  CVE-2002-0012  High
snmp  5.18                 erlang-otp  CVE-1999-0472  Medium
tftp  1.2.1                erlang-otp  CVE-1999-0183  Medium

It looks like we're erroneously detecting the plain text files lib/ftp-1.2.3/ebin/ftp.app, lib/snmp-5.18/ebin/snmp.app, and lib/tftp-1.2.1/ebin/tftp.app as applications, which they clearly aren't.

file lib/ftp-1.2.3/ebin/ftp.app lib/snmp-5.18/ebin/snmp.app lib/tftp-1.2.1/ebin/tftp.app
lib/ftp-1.2.3/ebin/ftp.app:   ASCII text
lib/snmp-5.18/ebin/snmp.app:  ASCII text
lib/tftp-1.2.1/ebin/tftp.app: ASCII text

Is this a cpe match fail, perhaps?

[0001] DEBUG no vulnerability namespaces found in grype database for language=erlang package=ftp
[0001] DEBUG found 2 vulnerabilities package=pkg:otp/ftp@1.2.3
[0001] DEBUG   ├── namespace=nvd:cpe vuln=CVE-1999-0082
[0001] DEBUG   └── namespace=nvd:cpe vuln=CVE-1999-0201

[0001] DEBUG no vulnerability namespaces found in grype database for language=erlang package=snmp
[0001] DEBUG found 3 vulnerabilities package=pkg:otp/snmp@5.18
[0001] DEBUG   ├── namespace=nvd:cpe vuln=CVE-1999-0472
[0001] DEBUG   ├── namespace=nvd:cpe vuln=CVE-2002-0012
[0001] DEBUG   └── namespace=nvd:cpe vuln=CVE-2002-0013

[0001] DEBUG no vulnerability namespaces found in grype database for language=erlang package=tftp
[0001] DEBUG found 1 vulnerabilities package=pkg:otp/tftp@1.2.1
[0001] DEBUG   └── namespace=nvd:cpe vuln=CVE-1999-0183
jq . < erlang-otp.json | grep cpe | grep -E 'ftp|snmp'
          "cpe": "cpe:2.3:a:ftp:ftp:1.2.3:*:*:*:*:*:*:*",
          "cpe": "cpe:2.3:a:snmp:snmp:5.18:*:*:*:*:*:*:*",
          "cpe": "cpe:2.3:a:tftp:tftp:1.2.1:*:*:*:*:*:*:*",

@westonsteimel
Contributor

westonsteimel commented Dec 19, 2024

Yes, these will be bad CPE matches because we don't currently have a specific erlang matcher defined in grype, so it will fall into the stock matcher. We should create an erlang matcher with CPE matching disabled by default, since the erlang ecosystem is covered by GitHub Security Advisories.
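Until such a matcher exists, findings like the ones above can be triaged mechanically: a match that rests only on a CPE whose vendor and product are both just the package name (`cpe:2.3:a:ftp:ftp:1.2.3:...`) came from the stock matcher's generic CPE fallback, not from an ecosystem advisory. The script below is an added example, not grype's own code; the report shape (`matches`, `artifact`, `matchDetails`, `searchedBy.cpes`) is assumed from grype's JSON output, and the sample report is constructed, mirroring the ftp finding from this issue plus a made-up direct-match control.

```python
import json

# Constructed sample in the shape of a grype JSON report (field names are an
# assumption about grype's output, not taken from the page). The first match
# mirrors the ftp finding in the issue; the second is a made-up control that
# is backed by a direct advisory match and must NOT be flagged.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-1999-0082", "namespace": "nvd:cpe"},
     "matchDetails": [{"type": "cpe-match", "matcher": "stock-matcher",
                       "searchedBy": {"cpes": ["cpe:2.3:a:ftp:ftp:1.2.3:*:*:*:*:*:*:*"]}}],
     "artifact": {"name": "ftp", "version": "1.2.3", "type": "erlang-otp"}},
    {"vulnerability": {"id": "GHSA-xxxx-xxxx-xxxx", "namespace": "github:language:erlang"},
     "matchDetails": [{"type": "exact-direct-match", "matcher": "stock-matcher",
                       "searchedBy": {"package": {"name": "example-lib", "version": "0.1.0"}}}],
     "artifact": {"name": "example-lib", "version": "0.1.0", "type": "erlang-otp"}},
]})


def cpe23_fields(cpe):
    """Split a CPE 2.3 formatted string on unescaped colons (backslash escapes a colon)."""
    fields, cur, escaped = [], "", False
    for ch in cpe:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += ch
    fields.append(cur)
    return fields  # ["cpe", "2.3", part, vendor, product, version, ...]


def is_self_named_cpe(cpe, pkg_name):
    """True when vendor and product are both just the package name (a generated CPE)."""
    f = cpe23_fields(cpe)
    return len(f) >= 6 and f[3] == f[4] == pkg_name.lower()


def suspect_cpe_matches(report_json):
    """Return (name, version, vuln id) for findings supported only by self-named CPEs."""
    suspects = []
    for m in json.loads(report_json)["matches"]:
        details = m["matchDetails"]
        if not details or any(d["type"] != "cpe-match" for d in details):
            continue  # some detail is a direct advisory match; keep the finding
        cpes = [c for d in details for c in d.get("searchedBy", {}).get("cpes", [])]
        art = m["artifact"]
        if cpes and all(is_self_named_cpe(c, art["name"]) for c in cpes):
            suspects.append((art["name"], art["version"], m["vulnerability"]["id"]))
    return suspects
```

Run against `grype <target> -o json` output, the flagged rows are the ones worth an `ignore` rule or a manual check while CPE matching is still on for erlang packages.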
