
False positive in dotnet Akka.NET - CVE-2017-1000034 #1164

Closed
josetirablaz opened this issue Mar 7, 2023 · 5 comments
Labels: bug (Something isn't working), changelog-ignore (Don't include this issue in the release changelog), false-positive:cpe (This issue is a report of a false positive caused by CPE matching), false-positive

Comments

josetirablaz commented Mar 7, 2023

What happened:
After scanning a .NET solution that contains the Akka package, a wrong vulnerability is reported.

Here is the report:

NAME                             INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
Akka                             1.4.45               dotnet  CVE-2017-1000034     High

What you expected to happen:
CVE-2017-1000034 for Akka JVM should not be reported for Akka.NET.

How to reproduce it (as minimally and precisely as possible):

grype petabridge/lighthouse

Anything else we need to know?:
All Akka vulnerabilities from the JVM version are also reported as Akka.NET vulnerabilities.

Environment:

  • Output of grype version:
Application:          grype
Version:              0.59.0
Syft Version:         v0.74.0
BuildDate:            2023-03-03T21:34:44Z
GitCommit:            5754360376ace11befb1bd9fa4b0f97d79ea2344
GitDescription:       v0.59.0
Platform:             windows/amd64
GoVersion:            go1.19.6
Compiler:             gc
Supported DB Schema:  5
  • OS (e.g: cat /etc/os-release or similar):
Windows 10 21H2 (OS Build 19044.2604)
@josetirablaz josetirablaz added the bug Something isn't working label Mar 7, 2023
tgerla (Contributor) commented Mar 9, 2023

Hi @josetirablaz, thanks for the report. Do you happen to have a publicly available image that we can use to reproduce this? That would help us a lot. Thanks!

josetirablaz (Author) commented
Hi @tgerla

Here is an image to reproduce the false positive: Petabridge/Lighthouse on hub.docker.com

tgerla (Contributor) commented Mar 15, 2023

Thanks @josetirablaz! We will take a look as soon as we can.

willmurphyscode (Contributor) commented Jun 5, 2023

Hi @josetirablaz, thanks for the issue!

To help future investigations, here's a one-liner with a digest that reproduces this positive result (some of these get hard to investigate if the image tag moves):

grype --platform linux/amd64 \
petabridge/lighthouse@sha256:be3b3df2f548cac599b253d9a8f2dc2d5089e9bea35b976ce22739eb9691d7ff | \
grep CVE-2017-1000034

Trying to understand what happens in a bit more detail here, looking at the match details:

CVE-2017-1000034 from https://nvd.nist.gov/vuln/detail/CVE-2017-1000034
matched artifact is:
Akka - pkg:nuget/Akka@1.5.2
match type is cpe-match
CPEs

I have to agree that this is a false positive - it would be pretty surprising if there were a java serialization vulnerability in Akka.NET :)

It seems like we correctly detect that this is a nuget package, but I don't think CPEs are narrowed by language ecosystem. If Akka.NET did have a vulnerability, I don't know what the CPE would look like.

It looks like the package name for Akka.NET is indeed just akka: https://www.nuget.org/packages/Akka. As far as I can tell, the string java does not appear in any machine-readable field on https://nvd.nist.gov/vuln/detail/CVE-2017-1000034#match-3790244. GHSA-mm57-9j6q-rxm2 does have more detail, at least showing that it's a Maven package. Maybe matching only on the PURL would have helped here.

@willmurphyscode willmurphyscode self-assigned this Jun 5, 2023
@willmurphyscode willmurphyscode added the false-positive:cpe This issue is a report of a false positive caused by CPE matching label Jun 6, 2023
@willmurphyscode willmurphyscode removed their assignment Aug 31, 2023
@willmurphyscode willmurphyscode added the changelog-ignore Don't include this issue in the release changelog label May 15, 2024
willmurphyscode (Contributor) commented
Hi @josetirablaz,

The repro steps above no longer result in this false positive. That's because Grype, by default, uses PURLs and not CPEs to match language packages - you can read more about that at https://anchore.com/blog/say-goodbye-to-false-positives/.

I'm closing this, but please let us know if we've missed something.
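The two comments above describe the mechanism behind this report: a name-derived CPE (`akka:akka`) carries no ecosystem, so an NVD-style CPE range for Akka JVM also covers `pkg:nuget/Akka`, while a PURL match is ecosystem-aware and only hits a Maven package. The toy matcher below reconstructs both strategies so the difference can be run. This is an added example, not Grype's or Syft's code: the package records, the `akka:akka` CPE, the Maven coordinates, the `version_end_excluding` bound, the `match_type` names and the `use_cpes` switch are all constructed assumptions for illustration, not data taken from NVD or GHSA.

```python
"""Toy reconstruction of ecosystem-blind CPE matching versus PURL matching.

Added example, not Grype's or Syft's code. Every package record, CPE,
Maven coordinate and version bound below is constructed for illustration
and is an assumption, not data copied from NVD or GHSA.
"""
from dataclasses import dataclass, field


@dataclass
class Package:
    name: str
    version: str
    ecosystem: str                           # what the cataloger reports as package "type"
    purl: str
    cpes: list = field(default_factory=list)  # candidate CPEs derived from the name


def version_tuple(v):
    """Dotted numeric versions only; enough for this illustration."""
    return tuple(int(p) for p in v.split("."))


def parse_purl(purl):
    """Minimal pkg:type/namespace/name@version parser (qualifiers ignored)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("?")[0].split("#")[0]
    path, _, version = body.partition("@")
    parts = path.split("/")
    ptype, name = parts[0], parts[-1]
    namespace = "/".join(parts[1:-1]) or None
    return ptype, namespace, name, version


def parse_cpe(cpe):
    """cpe:2.3:part:vendor:product:version:... (escaping not handled)."""
    f = cpe.split(":")
    return {"vendor": f[3], "product": f[4], "version": f[5]}


# Constructed vulnerability record. The CPE criteria mimic an NVD configuration,
# which has vendor/product but no ecosystem field; the "affected" entry mimics a
# GHSA record, which names the ecosystem. Values are assumptions.
VULN = {
    "id": "CVE-2017-1000034",
    "cpe_criteria": {"vendor": "akka", "product": "akka",
                     "version_end_excluding": "2.4.17"},
    "affected": [{"ecosystem": "maven",
                  "name": "com.typesafe.akka:akka-actor_2.11",
                  "fixed": "2.4.17"}],
}

# Constructed inventory: the Akka.NET NuGet package from the report, plus a
# vulnerable and a fixed Akka JVM artifact. The name-derived akka:akka CPE is
# identical in shape for NuGet and Maven, which is the whole problem.
PACKAGES = [
    Package("Akka", "1.4.45", "dotnet", "pkg:nuget/Akka@1.4.45",
            cpes=["cpe:2.3:a:akka:akka:1.4.45:*:*:*:*:*:*:*"]),
    Package("akka-actor_2.11", "2.4.16", "java-archive",
            "pkg:maven/com.typesafe.akka/akka-actor_2.11@2.4.16",
            cpes=["cpe:2.3:a:akka:akka:2.4.16:*:*:*:*:*:*:*",
                  "cpe:2.3:a:typesafe:akka:2.4.16:*:*:*:*:*:*:*"]),
    Package("akka-actor_2.11", "2.4.17", "java-archive",
            "pkg:maven/com.typesafe.akka/akka-actor_2.11@2.4.17",
            cpes=["cpe:2.3:a:akka:akka:2.4.17:*:*:*:*:*:*:*"]),
]


def cpe_match(pkg, vuln):
    """Vendor/product/version only: pkg.ecosystem is never consulted."""
    crit = vuln["cpe_criteria"]
    for c in map(parse_cpe, pkg.cpes):
        if (c["vendor"], c["product"]) == (crit["vendor"], crit["product"]) \
                and version_tuple(c["version"]) < version_tuple(crit["version_end_excluding"]):
            return True
    return False


def purl_match(pkg, vuln):
    """Ecosystem-aware: the purl type must equal the advisory's ecosystem."""
    ptype, ns, name, version = parse_purl(pkg.purl)
    full_name = f"{ns}:{name}" if ns else name
    for a in vuln["affected"]:
        if a["ecosystem"] != ptype or a["name"].lower() != full_name.lower():
            continue
        if version_tuple(version) < version_tuple(a["fixed"]):
            return True
    return False


def match_type(pkg, vuln, use_cpes=True):
    """Prefer the PURL match; fall back to CPE only when allowed (assumed naming)."""
    if purl_match(pkg, vuln):
        return "purl-match"
    if use_cpes and cpe_match(pkg, vuln):
        return "cpe-match"
    return None


def scan(matcher):
    """Return the purls a single matcher flags for VULN."""
    return [p.purl for p in PACKAGES if matcher(p, VULN)]


if __name__ == "__main__":
    for p in PACKAGES:
        print(f"{p.purl:60} cpes-on={match_type(p, VULN)} cpes-off={match_type(p, VULN, use_cpes=False)}")
```

With CPE matching enabled, `pkg:nuget/Akka@1.4.45` is flagged with the same `cpe-match` type the match details above show; with it disabled, only the vulnerable Maven artifact remains. Grype exposes this per ecosystem in its configuration (a `match.dotnet.using-cpes` style setting); check the README of the Grype version you run for the exact key and its current default.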
