Missing severities in embedded-cyclonedx-vex-json format since v0.55.0 #1066

Closed
florian-pahl-tm opened this issue Jan 23, 2023 · 0 comments · Fixed by #1067
Labels
bug Something isn't working

Comments

@florian-pahl-tm

What happened:
Since version 0.55.0 grype is not reporting severities in the embedded-cyclonedx-vex-json format. This works if using grype 0.54.0.

What you expected to happen:
The embedded-cyclonedx-vex-json should report the same severity as the console output:

grype bom.json
NAME             INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY 
Newtonsoft.Json  11.0.2     13.0.1    dotnet  GHSA-5crp-9r3c-p9vr  High 

grype -o embedded-cyclonedx-vex-json bom.json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:1b339471-39d9-4ad9-9f6a-179d4e39a9c7",
  "version": 1,
  "metadata": {
    "timestamp": "2023-01-23T09:28:33+01:00",
    "tools": [
      {
        "vendor": "anchore",
        "name": "grype",
        "version": "0.55.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:dotnet/Newtonsoft.Json@11.0.2?package-id=cf7e9d98ba8c7a42",
      "type": "library",
      "name": "Newtonsoft.Json",
      "version": "11.0.2",
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "purl": "pkg:dotnet/Newtonsoft.Json@11.0.2",
      "properties": [
        {
          "name": "syft:package:language",
          "value": "dotnet"
        },
        {
          "name": "syft:package:type",
          "value": "dotnet"
        }
      ]
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:eb37a1a0-37cb-43fd-a4e8-c46b10e76b41",
      "id": "GHSA-5crp-9r3c-p9vr",
      "source": {
        "name": "github-language-dotnet",
        "url": "https://github.com/advisories/GHSA-5crp-9r3c-p9vr"
      },
      "references": [
        {
          "id": "GHSA-5crp-9r3c-p9vr",
          "source": {
            "name": "github-language-dotnet",
            "url": "https://github.com/advisories/GHSA-5crp-9r3c-p9vr"
          }
        }
      ],
      "ratings": [],
      "description": "Improper Handling of Exceptional Conditions in Newtonsoft.Json",
      "advisories": [
        {
          "url": "https://github.com/advisories/GHSA-5crp-9r3c-p9vr"
        }
      ],
      "affects": [
        {
          "ref": "pkg:dotnet/Newtonsoft.Json@11.0.2?package-id=cf7e9d98ba8c7a42"
        }
      ]
    }
  ]
}

Sample sbom file used for the output above:

{
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:04e1fb8f-9618-40f2-8305-7dee99c2271e",
    "version": 1,
    "metadata": {
        "tools": [
            {
                "vendor": "CycloneDX",
                "name": "CycloneDX module for .NET",
                "version": "2.7.0.0"
            }
        ]
    },
    "components": [
        {
            "type": "library",
            "bom-ref": "pkg:nuget/Newtonsoft.Json@11.0.2",
            "publisher": "James Newton-King",
            "name": "Newtonsoft.Json",
            "version": "11.0.2",
            "description": "Json.NET is a popular high-performance JSON framework for .NET",
            "scope": "required",
            "hashes": [
                {
                    "alg": "SHA-512",
                    "content": "CE76466F0B3B138040F63C4D67B16E888448DC2F61AE06AD5504932A121865834EB9DE0CE557C6953622E917583B9B10ADE6C5B85FE0F54115DE13B10CC5C5E9"
                }
            ],
            "licenses": [
                {
                    "license": {
                        "id": "MIT",
                        "url": "https://github.com/JamesNK/Newtonsoft.Json/blob/master/LICENSE.md"
                    }
                }
            ],
            "copyright": "Copyright \u00a9 James Newton-King 2008",
            "purl": "pkg:dotnet/Newtonsoft.Json@11.0.2",
            "externalReferences": [
                {
                    "url": "https://www.newtonsoft.com/json",
                    "type": "website"
                },
                {
                    "url": "https://github.com/JamesNK/Newtonsoft.Json.git",
                    "type": "vcs"
                }
            ]
        }
    ]
}

How to reproduce it (as minimally and precisely as possible):
Run grype -o embedded-cyclonedx-vex-json bom.json for the above example (version 0.55.0 required).

Anything else we need to know?:

Environment:

  • Output of grype version:
    Application: grype
    Version: 0.55.0
    Syft Version: v0.65.0
    BuildDate: 2023-01-04T21:18:26Z
    GitCommit: c559833
    GitDescription: v0.55.0
    Platform: darwin/amd64
    GoVersion: go1.18.9
    Compiler: gc
    Supported DB Schema: 5
  • OS (e.g: cat /etc/os-release or similar): MacOS
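As an added example (not code from grype, and not part of the issue author's report), the script below consumes the embedded-cyclonedx-vex-json document and refuses to pass a severity gate when any vulnerability arrives with an empty `ratings` array, which is exactly the symptom above: the finding is present, so the scan is not "clean", but a threshold check keyed on severity would otherwise let it through silently. In CycloneDX 1.4 the severity lives in `vulnerabilities[].ratings[].severity`. The first sample document is trimmed from the 0.55.0 output pasted in the issue; the second, with a populated rating, is constructed to show what a rated entry looks like and is not copied from grype 0.54.0 output.

```python
"""Audit a grype CycloneDX VEX document for vulnerabilities without ratings.

Added example, not part of grype or of the original issue. An empty
"ratings" array is treated as a failure in its own right, so a policy gate
cannot pass because the severity went missing rather than because it was low.
"""
import json
from typing import Dict, List, Tuple

# CycloneDX 1.4 rating severities, ranked so that the worst rating wins.
# "unknown" ranks below "none": an explicit "none" is a classification,
# "unknown" is the tool saying it could not classify.
SEVERITY_RANK = {"critical": 5, "high": 4, "medium": 3, "low": 2,
                 "info": 1, "none": 0, "unknown": -1}


def severity_of(vuln: dict) -> str:
    """Highest severity among the vulnerability's ratings, or 'missing'.

    A rating without a 'severity' key counts as 'unknown', not 'missing':
    the tool did emit a rating, it just did not classify it.
    """
    ratings = vuln.get("ratings") or []
    if not ratings:
        return "missing"
    best = "unknown"
    for rating in ratings:
        sev = str(rating.get("severity", "unknown")).lower()
        if SEVERITY_RANK.get(sev, -1) > SEVERITY_RANK[best]:
            best = sev
    return best


def audit_vex(bom: dict) -> Dict[str, str]:
    """Map each vulnerability id (or bom-ref) to its effective severity."""
    result: Dict[str, str] = {}
    for vuln in bom.get("vulnerabilities", []):
        key = vuln.get("id") or vuln.get("bom-ref") or "<no id>"
        result[key] = severity_of(vuln)
    return result


def check_vex(bom_text: str, fail_on: str = "high") -> Tuple[bool, List[str]]:
    """Return (ok, reasons).

    Fails on any missing rating, on any 'unknown' severity (it cannot be
    shown to sit below the threshold), and on any finding at or above fail_on.
    """
    bom = json.loads(bom_text)
    threshold = SEVERITY_RANK[fail_on]
    reasons: List[str] = []
    for vid, sev in audit_vex(bom).items():
        if sev == "missing":
            reasons.append(f"{vid}: no ratings in VEX output (tool regression?)")
        elif sev == "unknown":
            reasons.append(f"{vid}: severity unknown, cannot prove it is below {fail_on}")
        elif SEVERITY_RANK[sev] >= threshold:
            reasons.append(f"{vid}: severity {sev} is at or above {fail_on}")
    return (not reasons, reasons)


# Trimmed from the grype 0.55.0 output quoted in the issue: ratings came back empty.
BROKEN_VEX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "vulnerabilities": [{
        "bom-ref": "urn:uuid:eb37a1a0-37cb-43fd-a4e8-c46b10e76b41",
        "id": "GHSA-5crp-9r3c-p9vr",
        "ratings": [],
        "affects": [{"ref": "pkg:dotnet/Newtonsoft.Json@11.0.2?package-id=cf7e9d98ba8c7a42"}],
    }],
})

# Constructed variant with a populated CycloneDX 1.4 rating entry; this is an
# assumption about the shape, not a capture of grype 0.54.0 output.
RATED_VEX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "vulnerabilities": [{
        "id": "GHSA-5crp-9r3c-p9vr",
        "ratings": [{"source": {"name": "github-language-dotnet"},
                     "severity": "high", "method": "other"}],
        "affects": [{"ref": "pkg:dotnet/Newtonsoft.Json@11.0.2"}],
    }],
})


if __name__ == "__main__":
    for label, doc in (("broken", BROKEN_VEX), ("rated", RATED_VEX)):
        ok, reasons = check_vex(doc, fail_on="high")
        print(label, "ok" if ok else "FAIL", reasons)
```

Wire it in after `grype -o embedded-cyclonedx-vex-json bom.json > vex.json` with `check_vex(open("vex.json").read(), fail_on="high")`; the point of the separate "missing" branch is that a regression like this one fails loudly instead of being indistinguishable from a scan with no findings above the threshold.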