Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Multiple False Positive CVEs #942

Closed
OfriOuzan opened this issue Oct 2, 2022 · 3 comments
Closed

Multiple False Positive CVEs #942

OfriOuzan opened this issue Oct 2, 2022 · 3 comments
Labels
bug Something isn't working changelog-ignore Don't include this issue in the release changelog false-positive

Comments

@OfriOuzan
Copy link

What happened:
In a Vulnerability Scanner Benchmark Research we are conducting, we executed Grype on 20 different containers and found out that Grype has multiple False Positives.
What you expected to happen:
We expected Grype not to report on these CVEs.
How to reproduce it (as minimally and precisely as possible):
Install the Docker Images (from the links below) and execute Grype using the following command:
grype <container_name> —-output json > <output_file_path>

  • Output of grype version:
    Application: grype
    Version: 0.41.0
    Syft Version: v0.50.0
    BuildDate: 2022-07-06T15:20:18Z
    GitCommit: 0e0a9d9
    GitDescription: v0.41.0
    Platform: linux/amd64
    GoVersion: go1.18.3
    Compiler: gc
    Supported DB Schema: 4

Cases

#1 - Ghost

  • Container Details:
    https://hub.docker.com/layers/library/ghost/5.2.4/images/sha256-42137b9bd1faf4cdea5933279c48a912d010ef614551aeb0e44308600aa3e69f?context=explore

  • OS (e.g: cat /etc/os-release):
    PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
    NAME="Debian GNU/Linux"
    VERSION_ID="11"
    VERSION="11 (bullseye)"
    VERSION_CODENAME=bullseye
    ID=debian
    HOME_URL="https://www.debian.org/"
    SUPPORT_URL="https://www.debian.org/support"
    BUG_REPORT_URL="https://bugs.debian.org/"

  • CVEs
    CVE-1999-0082
    Grype wrongly identified CVE-1999-0082 as vulnerable.
    The path it identified is:
    /var/lib/ghost/versions/5.2.4/node_modules/ftp/package.json
    The ftp npm package version is 0.3.10.
    However, according to the debian website, the vulnerability is related to data pre-dating the Security Tracker (I think ftpd service and not the ftp npm package).
    CVE-1999-0201
    Grype wrongly identified CVE-1999-0201 as vulnerable.
    The path it identified is:
    /var/lib/ghost/versions/5.2.4/node_modules/ftp/package.json
    The ftp npm package version is 0.3.10.
    However, according to the debian website, the vulnerability is related to data pre-dating the Security Tracker (I think ftp server and not the ftp npm package).
    CVE-2004-2761
    Grype wrongly identified CVE-2004-2761 as vulnerable.
    The path it identified is:
    /var/lib/ghost/versions/5.2.4/node_modules/md5/package.json"
    The md5 npm package version is 2.3.0
    However, according to the debian website, this is a general MD5 weakness, and doesn't need to be tracked package-wise.
    CVE-2006-1611
    Grype wrongly identified CVE-2006-1611 as vulnerable.
    The path it identified is:
    /var/lib/ghost/versions/5.2.4/node_modules/archiver/package.json
    The archiver npm package version is 5.3.1
    However, according to the debian website, the vulnerability is related to the KGB Archiver.
    CVE-2015-9529
    Grype wrongly identified CVE-2015-9529 as vulnerable.
    The path it identified is:
    /var/lib/ghost/versions/5.2.4/node_modules/stripe/package.json
    The stripe package version is 8.215.0
    However, according to the debian website, the vulnerability is related to the Stripe WordPress plugin.
    CVE-2019-10743
    Grype wrongly identified CVE-2019-10743 as vulnerable.
    The path it identified is:
    /usr/local/lib/node_modules/ghost-cli/node_modules/archiver/package.json
    The archiver package version is 5.3.1
    However, according to the debian website, the vulnerability is not connected to debian (NOT-FOR-US).
    CVE-2021-24478
    Grype wrongly identified CVE-2021-24478 as vulnerable.
    The path it identified is:
    /var/lib/ghost/versions/5.2.4/node_modules/bookshelf/package.json
    The bookshelf package version is 1.2.0
    However, according to the debian website (and NVD), the vulnerability is the bookshelf Wordpress plugin
    CVE-2021-29940
    Grype wrongly identified CVE-2021-29940 as vulnerable.
    The path it identified is:
    /usr/local/lib/node_modules/ghost-cli/node_modules/through/package.json
    The opener package version is 2.3.8
    However, according to the debian website, the vulnerability is related to the Rust crate through

#2 - Jenkins

#3 - Kibana

#4 - Neo4j

#5 - Solr

#6 - Sonarqube

@OfriOuzan OfriOuzan added the bug Something isn't working label Oct 2, 2022
@OfriOuzan OfriOuzan reopened this Oct 2, 2022
@westonsteimel
Copy link
Contributor

Thanks for these reports @OfriOuzan! This is going to be extremely helpful for something we should have ready shortly to track grype matching quality against a labeled set of true-positive and false-positive matches across a variety of images. Specifically the labelling data correlates to specific image shas, so including those in your report is perfect for helping us extend that data set!

@OfriOuzan
Copy link
Author

OfriOuzan commented Oct 12, 2022

Hi, attaching a few more misidentified CVEs from the same research we believe we misidentified for different reasons:

What happened:
In a Vulnerability Scanner Benchmark Research we are conducting, we executed Grype on 20 different containers and found out that Grype has multiple False Positives.
In this comment we have tried to highlight misidentification stemming from reasons unrelated to CPE mismatches.

What you expected to happen:
We expected Grype not to have these mismatches.

How to reproduce it (as minimally and precisely as possible):
Install the Docker Images (from the links below) and execute Grype using the following command:
grype <container_name> —-output json > <output_file_path>

Output of grype version:
Application: grype
Version: 0.41.0
Syft Version: v0.50.0
BuildDate: 2022-07-06T15:20:18Z
GitCommit: 0e0a9d9
GitDescription: v0.41.0
Platform: linux/amd64
GoVersion: go1.18.3
Compiler: gc
Supported DB Schema: 4

Examples include:

  • 93 cves
    In the following container images:
    Drupal
    NextCloud
    Wordpress
    Grype wrongly associated linux-libc-dev with CVEs affecting the linux kernel. Some of
    the vulnerabilities identified are associated with a much older kernel version the the
  1. linux-libc-dev versionthat exist in the container (for example CVE-2005-3660 in the drupal container), but we think the problem is more fundamental in nature from two main reasons:
  2. linux-libc-dev does not contain the relevant code for the identified vulnerabilities. In fact, it only contains header files.
    Even if it did, flagging kernel vulnerabilities from within containers doesn’t really serve a purpose for the user since the kernel version relevant for kernel vulnerabilities should be the external kernel version (the one running on the host). Even in the rare case in which the linux-libc-dev or linux-libc version on the container matches the kernel version on the host, upgrading libc on the container will not solve the problem as the libc code that will be used as part of the normal container operation will be the libc version of the host.

The Containers used in the research were:


Container Version Link
Jenkins 2.358 https://hub.docker.com/layers/jenkins/jenkins/2.358/images/sha256-01600c1acde3391286945f775f2e5b2366f9b96fbe012a3ffa5159073c0c6392?context=explore
Drupal 9.4.2 https://hub.docker.com/layers/library/drupal/9.4.2/images/sha256-b370968f989cddff5c0581d8093d65be8e0733176fe987d946114a11ada047d8?context=explore
MariaDB 1:10.8.3+maria~jammy https://hub.docker.com/layers/library/mariadb/10.8.3/images/sha256-0a6ed934c1518abff64ed856b06f44006b4498b115941e19bbd910bd62a12232?context=explore
NextCloud 24.0.2 https://hub.docker.com/layers/library/nextcloud/24.0.2/images/sha256-f414023e31cfe6b157e76648c8ad021aab5491cbbb28f96939ae6dd874729ace?context=explore
Redis 7.0.2 https://hub.docker.com/layers/library/redis/7.0.2/images/sha256-31120dcdd310e9a65cbcadd504f4fe60a185bd634ab7c6a35e3e44a941904d97?context=explore
Tomcat 10.0.22 https://hub.docker.com/layers/library/tomcat/10.0.22/images/sha256-71444268934d60df07205e89f1f7a66df2852c7712063b8fa921828c94f169f6?context=explore
Wordpress 6.0 https://hub.docker.com/layers/library/wordpress/6.0.0-php7.4-fpm/images/sha256-ab9da08aca4576011afaa990295581b9f34ece4b1a0ce827a734264547064498?context=explore
Rabbitmq 3.10.5 https://hub.docker.com/layers/rabbitmq/library/rabbitmq/latest/images/sha256-45b2855afa95e7d483b4850bec8a5484031b94f9c72d5476a3900b7788a8fc74?context=explore
Ghost 5.2.4 https://hub.docker.com/layers/library/ghost/5.2.4/images/sha256-42137b9bd1faf4cdea5933279c48a912d010ef614551aeb0e44308600aa3e69f?context=explore
Memcached 1.6.15 https://hub.docker.com/layers/library/memcached/1.6.15/images/sha256-1fb5662239cfb3d632efd4df609caff38f0bac3e78bd0cf6db038d5a6a818147?context=explore
Postgres 14.4-1.pgdg110+1 https://hub.docker.com/layers/library/postgres/14.4/images/sha256-cf3b0cf1dde2a82542e4b9de7f3ad058fdc819dea6499007035b838542b0bd5e?context=explore
Httpd 2.4.54 https://hub.docker.com/layers/library/httpd/2.4.54/images/sha256-facd7a9ef4225c56d531cc2d1c26a0576edf417fb6d49f2f1b279994a8387666?context=explore
Consul 1.12.2 https://hub.docker.com/layers/library/consul/1.12.2/images/sha256-a1a933572cb6f6388501c535af455f77e687c62ff97ed72cd16301b8b535eae0?context=explore
Nginx 1.23.0 https://hub.docker.com/layers/library/nginx/1.23.0/images/sha256-33cef86aae4e8487ff23a6ca16012fac28ff9e7a5e9759d291a7da06e36ac958?context=explore
MySQL 8.0.29-1debian11 https://hub.docker.com/layers/library/mysql/8.0.29-debian/images/sha256-3a7e864bc88458911fa598065fe027736fa63495f5780ee0618caeb4a52bbc4c?context=explore
Mongo 5.0.9 https://hub.docker.com/layers/library/mongo/5.0.9/images/sha256-4b58442ec48034662c5581405a24755bdd80730535ccb98e262b6f5ed76c7017?context=explore
Sonarqube 9.5.0.56709 https://hub.docker.com/layers/library/sonarqube/9.5.0-community/images/sha256-2f102e5b91abb39db22da3d2efca1eaccdd919923355b6e42edc3c522e3aa235?context=explore
Kibana 8.3.2 https://hub.docker.com/layers/kibana/library/kibana/8.3.2/images/sha256-51635619b14a0f3a764f39c4c51d527304d8c33fbda05d72652b18255639122b?context=explore
Neo4j 4.4.8 https://hub.docker.com/layers/library/neo4j/4.4.8/images/sha256-d7cb5bde33a15197f45ca2f8a701de059c9e33cc6b59a7d7a02c180462ea98c0?context=explore
Solr 9.0.0 https://hub.docker.com/layers/library/solr/9.0.0/images/sha256-a75d693dcc9b978f8f35cdad3f775ad09dd3020e1920871a1fb167655a19e888?context=explore

@tgerla
Copy link
Contributor

tgerla commented Nov 17, 2023

This class of problems should be fixed now that we have adjusted our vulnerability matching method as described here: https://anchore.com/blog/say-goodbye-to-false-positives/ -- I'll go ahead and close this issue but please feel free to re-open if you find more false positives, or if this one is still affecting your images. Thanks!

@tgerla tgerla closed this as completed Nov 17, 2023
@github-project-automation github-project-automation bot moved this to Done in OSS Nov 17, 2023
# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
bug Something isn't working changelog-ignore Don't include this issue in the release changelog false-positive
Projects
Archived in project
Development

No branches or pull requests

3 participants