-
Notifications
You must be signed in to change notification settings - Fork 589
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
Multiple False Positive CVEs #942
Comments
Thanks for these reports @OfriOuzan! This is going to be extremely helpful for something we should have ready shortly to track grype matching quality against a labeled set of |
Hi, attaching a few more misidentified CVEs from the same research we believe we misidentified for different reasons: What happened: What you expected to happen: How to reproduce it (as minimally and precisely as possible): Output of Examples include:
The Containers used in the research were: |
This class of problems should be fixed now that we have adjusted our vulnerability matching method as described here: https://anchore.com/blog/say-goodbye-to-false-positives/ -- I'll go ahead and close this issue but please feel free to re-open if you find more false positives, or if this one is still affecting your images. Thanks! |
What happened:
In a Vulnerability Scanner Benchmark Research we are conducting, we executed Grype on 20 different containers and found out that Grype has multiple False Positives.
What you expected to happen:
We expected Grype not to report on these CVEs.
How to reproduce it (as minimally and precisely as possible):
Install the Docker Images (from the links below) and execute Grype using the following command:
grype <container_name> —-output json > <output_file_path>
grype version
:Application: grype
Version: 0.41.0
Syft Version: v0.50.0
BuildDate: 2022-07-06T15:20:18Z
GitCommit: 0e0a9d9
GitDescription: v0.41.0
Platform: linux/amd64
GoVersion: go1.18.3
Compiler: gc
Supported DB Schema: 4
Cases
#1 - Ghost
Container Details:
https://hub.docker.com/layers/library/ghost/5.2.4/images/sha256-42137b9bd1faf4cdea5933279c48a912d010ef614551aeb0e44308600aa3e69f?context=explore
OS (e.g:
cat /etc/os-release
):PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
CVEs
CVE-1999-0082
Grype wrongly identified CVE-1999-0082 as vulnerable.
The path it identified is:
/var/lib/ghost/versions/5.2.4/node_modules/ftp/package.json
The ftp npm package version is 0.3.10.
However, according to the debian website, the vulnerability is related to data pre-dating the Security Tracker (I think ftpd service and not the ftp npm package).
CVE-1999-0201
Grype wrongly identified CVE-1999-0201 as vulnerable.
The path it identified is:
/var/lib/ghost/versions/5.2.4/node_modules/ftp/package.json
The ftp npm package version is 0.3.10.
However, according to the debian website, the vulnerability is related to data pre-dating the Security Tracker (I think ftp server and not the ftp npm package).
CVE-2004-2761
Grype wrongly identified CVE-2004-2761 as vulnerable.
The path it identified is:
/var/lib/ghost/versions/5.2.4/node_modules/md5/package.json"
The md5 npm package version is 2.3.0
However, according to the debian website, this is a general MD5 weakness, and doesn't need to be tracked package-wise.
CVE-2006-1611
Grype wrongly identified CVE-2006-1611 as vulnerable.
The path it identified is:
/var/lib/ghost/versions/5.2.4/node_modules/archiver/package.json
The archiver npm package version is 5.3.1
However, according to the debian website, the vulnerability is related to the KGB Archiver.
CVE-2015-9529
Grype wrongly identified CVE-2015-9529 as vulnerable.
The path it identified is:
/var/lib/ghost/versions/5.2.4/node_modules/stripe/package.json
The stripe package version is 8.215.0
However, according to the debian website, the vulnerability is related to the Stripe WordPress plugin.
CVE-2019-10743
Grype wrongly identified CVE-2019-10743 as vulnerable.
The path it identified is:
/usr/local/lib/node_modules/ghost-cli/node_modules/archiver/package.json
The archiver package version is 5.3.1
However, according to the debian website, the vulnerability is not connected to debian (NOT-FOR-US).
CVE-2021-24478
Grype wrongly identified CVE-2021-24478 as vulnerable.
The path it identified is:
/var/lib/ghost/versions/5.2.4/node_modules/bookshelf/package.json
The bookshelf package version is 1.2.0
However, according to the debian website (and NVD), the vulnerability is the bookshelf Wordpress plugin
CVE-2021-29940
Grype wrongly identified CVE-2021-29940 as vulnerable.
The path it identified is:
/usr/local/lib/node_modules/ghost-cli/node_modules/through/package.json
The opener package version is 2.3.8
However, according to the debian website, the vulnerability is related to the Rust crate through
#2 - Jenkins
Container Details:
https://hub.docker.com/layers/jenkins/jenkins/2.358/images/sha256-01600c1acde3391286945f775f2e5b2366f9b96fbe012a3ffa5159073c0c6392?context=explore
OS (e.g:
cat /etc/os-release
):PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
CVEs
CVE-2018-1000052
Grype wrongly identified fmtlib CVE-2018-1000052 as vulnerable.
There is no fmtlib package in the container, however, there is a commons-jelly-tags-fmt file that has 1.0 version and Grype was mistaken because it leaning on the cpe "cpe:2.3:a:fmt:fmt::::::::"
According to this link, commons-jelly-tags-fmt does not have versions in use that are higher than 1.0.0.
#3 - Kibana
Container Details:
https://hub.docker.com/layers/kibana/library/kibana/8.3.2/images/sha256-51635619b14a0f3a764f39c4c51d527304d8c33fbda05d72652b18255639122b?context=explore
OS (e.g:
cat /etc/os-release
):NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
CVEs
CVE-2006-1611
Grype wrongly identified CVE-2006-1611 as vulnerable.
The path it identified is:
/var/lib/ghost/versions/5.2.4/node_modules/archiver/package.json
The archiver npm package version is 5.3.1
However, according to the debian website, the vulnerability is related to the KGB Archiver.
CVE-2019-10743
Grype wrongly identified CVE-2019-10743 as vulnerable.
The path it identified is:
/usr/local/lib/node_modules/ghost-cli/node_modules/archiver/package.json
The archiver package version is 5.3.1
However, according to the debian website, the vulnerability is not connected to debian (NOT-FOR-US).
CVE-2020-10743
Grype wrongly identified CVE-2020-10743 as vulnerable.
The path it identified is:
/usr/share/kibana/package.json
However, according to the https://www.cve.org/CVERecord?id=CVE-2020-10743 website, the vulnerability is not related to the kibana npm package.
CVE-2021-29940
Grype wrongly identified CVE-2021-29940 as vulnerable.
The path it identified is:
/usr/local/lib/node_modules/ghost-cli/node_modules/through/package.json
The opener package version is 2.3.8
However, according to the debian website, the vulnerability is related to the ‘Rust crate through’ package
CVE-2022-0323
Grype was the only one that correctly identified CVE-2022-0323 as vulnerable.
The path it identified is:
/usr/share/kibana/node_modules/mustache/package.json
The mustache npm package version is 2.3.2
Affected versions: Up to (Excluding) 2.14.1
However, according to nvd and snyk the affected mustache package is a composer php package and not npm.
#4 - Neo4j
Container Details:
https://hub.docker.com/layers/library/neo4j/4.4.8/images/sha256-d7cb5bde33a15197f45ca2f8a701de059c9e33cc6b59a7d7a02c180462ea98c0?context=explore
OS (e.g:
cat /etc/os-release
):PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
CVEs
CVE-2020-35864
Grype wrongly identified CVE-2020-35864 as vulnerable.
According to the Debian website: NOT-FOR-US: flatbuffers rust crate.
According to Snyk vulnerability, the package is related to cargo.
#5 - Solr
Container Details:
https://hub.docker.com/layers/library/solr/9.0.0/images/sha256-a75d693dcc9b978f8f35cdad3f775ad09dd3020e1920871a1fb167655a19e888?context=explore
OS (e.g:
cat /etc/os-release
):PRETTY_NAME="Ubuntu 22.04 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
CVEs
CVE-2013-2192, CVE-2015-7430, CVE-2016-5001, CVE-2017-3161, CVE-2017-3162
Grype wrongly identified hadoop CVE-2013-2192, CVE-2015-7430, CVE-2016-5001, CVE-2017-3161, CVE-2017-3162 as vulnerable.
Grype finds the hadoop version as: 1.1.1.
According to ubuntu: This CVE does not apply to software in Ubuntu archives.
I could not find any results for this cve on snyk vulnerabilities db website.
CVE-2015-4035
Grype identified java xz CVE-2015-4035 as vulnerable.
Affected versions are: Up to (including) 4.999.9beta.
Grype finds the following path: /opt/solr-9.0.0/modules/extraction/lib/xz-1.9.jar, the content of the: /opt/solr-9.0.0/licenses/xz-NOTICE.txt
Contains the following:
XZ for Java 1.0 (2011-10-22)
http://tukaani.org/xz/java.html
According to nvd affected cpes are: cpe:2.3:a:tukaani:xz::beta::::::*
The vulnerability is a maven vulnerability and when I searched on snyk vulnerability db, I found that the 1.9 version is not affected by any vulnerability.
According to this link, the 1.9 version is the last version of the package that exists on the container.
According to a closed issue in dependency check tool:
There is a false positive for Tukaani XZ:
xz-1.8.jar (cpe:/a:tukaani:xz:1.8, org.tukaani:xz:1.8) : CVE-2015-4035
The CVE refers to Tukaani itself. But org.tukaani.xz is a Java library that has a separate versioning system (https://tukaani.org/xz/java.html).
CVE-2022-25647
Grype wrongly identified com.google.code.gson:gson CVE-2022-25647
as vulnerable. According to nvd, affected com.google.code.gson:gson versions are Up to (excluding) 2.8.9.
Actual version: 2.8.9
The path I found is:
/opt/solr-9.0.0/modules/extraction/lib/gson-2.8.9.jar
When I extracted the file i found the following pom.xml file:
META-INF/maven/com.google.code.gson/gson/pom.xml
That contains the following strings:
gson-parent
2.8.9
The path grype identify is: "/opt/solr-9.0.0/modules/gcs-repository/lib/google-http-client-gson-1.41.0.jar"
Then, wrongly compares the identifying path with the affected versions.
According to this link, the 1.41.0 is not one of the gson package versions.
#6 - Sonarqube
Container Details:
https://hub.docker.com/layers/library/sonarqube/9.5.0-community/images/sha256-2f102e5b91abb39db22da3d2efca1eaccdd919923355b6e42edc3c522e3aa235?context=explore
OS (e.g:
cat /etc/os-release
):NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.14.6
PRETTY_NAME="Alpine Linux v3.14"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
CVEs
326 cves
Grype wrongly identified maven php vulnerabilities as vulnerable.
The path it identified is:
pkg:maven/org.sonarsource.php/php-checks@3.23.1.8766
The php maven version is 3.23.1.8766.
However, I only see that these vulnerabilities are connected to php and not to the maven php, I searched for results in snyk vulnerabilities db and did not find any connection to maven.
Another thing, according to my searches, there is no php 3.23.1.8766 version.
(For example:
CVE-2002-2215
CVE-2003-0442
CVE-2004-0542
CVE-2004-0958
CVE-2004-0959
CVE-2004-1018
CVE-2006-3011
CVE-2006-3017
CVE-2006-5178
CVE-2006-5465
CVE-2006-5706
CVE-2006-7243)
The text was updated successfully, but these errors were encountered: