
CVEs wrongfully suppressed indefinitely when using --only-fixed flag #1178

Open
ghost opened this issue Mar 14, 2023 · 4 comments
Labels
bug Something isn't working

Comments

@ghost

ghost commented Mar 14, 2023

What happened:

Scanning an eclipse-temurin java image for CVEs, while using the --only-fixed flag, results in Java CVEs being suppressed forever. This is apparently caused by a lack of FIXED-IN data for these CVEs.

./grype eclipse-temurin:17.0.1_12-jre --only-fixed | grep java
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [152 packages]
 ✔ Scanning image...       [341 vulnerabilities]
   ├── 0 critical, 9 high, 205 medium, 92 low, 35 negligible
   └── 256 fixed
java                       17.0.1+12                                               binary  CVE-2022-21248    Low (suppressed)         
java                       17.0.1+12                                               binary  CVE-2022-21277    Medium (suppressed)      
java                       17.0.1+12                                               binary  CVE-2022-21282    Medium (suppressed)      
java                       17.0.1+12                                               binary  CVE-2022-21283    Medium (suppressed)      
java                       17.0.1+12                                               binary  CVE-2022-21291    Medium (suppressed)      
java                       17.0.1+12                                               binary  CVE-2022-21293    Medium (suppressed)      
java                       17.0.1+12                                               binary  CVE-2022-21294    Medium (suppressed)      
java                       17.0.1+12                                               binary  CVE-2022-21296    Medium (suppressed)      
java                       17.0.1+12                                               binary  CVE-2022-21299    Medium (suppressed)      
java                       17.0.1+12                                               binary  CVE-2022-21305    Medium (suppressed)      
java                       17.0.1+12                                               binary  CVE-2022-21340    Medium (suppressed)      
java                       17.0.1+12                                               binary  CVE-2022-21341    Medium (suppressed)      
java                       17.0.1+12                                               binary  CVE-2022-21360    Medium (suppressed)      
java                       17.0.1+12                                               binary  CVE-2022-21365    Medium (suppressed)      
java                       17.0.1+12                                               binary  CVE-2022-21366    Medium (suppressed)      
java                       17.0.1+12                                               binary  CVE-2022-21540    Medium (suppressed)      
java                       17.0.1+12                                               binary  CVE-2022-21541    Medium (suppressed)      
java                       17.0.1+12                                               binary  CVE-2022-34169    High (suppressed)        

./grype eclipse-temurin:17.0.6_10-jre --only-fixed | grep java
 ✔ Vulnerability DB        [no update available]
 ✔ Pulled image            
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [132 packages]
 ✔ Scanning image...       [56 vulnerabilities]
   ├── 0 critical, 0 high, 5 medium, 36 low, 15 negligible
   └── 4 fixed

What you expected to happen:

From the output above it is clear these CVEs are fixed in a newer Java release and therefore shouldn't have been suppressed.

How to reproduce it (as minimally and precisely as possible):

Run the commands from above.

Anything else we need to know?:
Java by temurin is not installed via the package manager.

Environment:

  • Output of grype version:
./grype version
Application:          grype
Version:              0.59.1
Syft Version:         v0.74.1
BuildDate:            2023-03-09T14:57:12Z
GitCommit:            29b646568901d1ef48a528cf35f67f3cead49c9f
GitDescription:       v0.59.1
Platform:             linux/amd64
GoVersion:            go1.19.6
Compiler:             gc
Supported DB Schema:  5
  • OS (e.g: cat /etc/os-release or similar):
cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.2 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
@ghost ghost added the bug Something isn't working label Mar 14, 2023
@ghost
Author

ghost commented Mar 14, 2023

I think when the FIXED-IN data is not available (fix state is unknown) the CVE shouldn't be suppressed.

    "fix": {
      "versions": [],
      "state": "unknown"
    },

@kzantow
Contributor

kzantow commented Mar 14, 2023

@JipSogeti I'm having a bit of trouble understanding the problem -- it looks like when using the --only-fixed flag, these entries are showing up. Are there some specific CVEs that are being suppressed?

Also, if you want to see all entries, you can just omit the --only-fixed flag, right?

@ghost
Author

ghost commented Mar 14, 2023

They are being suppressed as indicated by the (suppressed) behind them. The fact that they show up at all is another issue. This means these CVEs will be ignored when determining Grype's exit status.

When scanning eclipse-temurin:17.0.1_12-jre --only-fixed, all of the java CVEs will be ignored (even though there are fixes for them in newer Java releases, as proven by the output of grype eclipse-temurin:17.0.6_10-jre) and don't influence the exit code.

We want the CVEs present in eclipse-temurin:17.0.1_12-jre to influence the exit code, but we don't want unfixed CVEs to influence the exit code. Please let me know if the issue still isn't clear.
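The policy the reporter describes above (fail on CVEs that have a fix, do not fail on CVEs that genuinely have no fix, but do not let a missing FIXED-IN record silently suppress a finding) can be enforced outside grype by post-processing its JSON report. The following script is an added example written for this page, not grype's own code or a fix to the issue. It reads the report from `grype <image> -o json` (with or without `--only-fixed`) and recomputes a pass/fail verdict in which fix state "unknown" counts as actionable while "not-fixed" and "wont-fix" stay ignored. The `fix.state` / `fix.versions` fields are the ones quoted in the comment above; the other field names (`matches`, `ignoredMatches`, `vulnerability.id`, `vulnerability.severity`, `artifact.name`, `artifact.version`) are assumptions about grype 0.59's JSON schema, and the embedded sample report is constructed for the example (the `EXAMPLE-*` ids are placeholders, not real CVEs).

```python
"""Recompute a grype pass/fail verdict that does not treat fix state
"unknown" as "nothing to do".

Added example, not grype's own code. It post-processes the JSON report
from `grype <image> [--only-fixed] -o json`: matches grype ignored only
because the DB has no FIXED-IN data (state "unknown") count as failures
again; "not-fixed" and "wont-fix" stay ignored. Field names other than
`fix.state`/`fix.versions` are assumptions about grype's JSON schema.
"""
import json
import sys

# Fix states that really mean "no fix available" and may be ignored.
# Everything else ("fixed", "unknown", anything unrecognised) fails closed.
IGNORED_STATES = {"not-fixed", "wont-fix"}

# Low to high, used for a --fail-on style threshold.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]

# Constructed sample standing in for a real grype JSON report. The two java
# rows mirror entries from the issue; EXAMPLE-* ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "EXAMPLE-FIXED-0001", "severity": "Medium",
                           "fix": {"versions": ["1.2.3"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.0", "type": "deb"}},
    ],
    "ignoredMatches": [
        {"vulnerability": {"id": "CVE-2022-34169", "severity": "High",
                           "fix": {"versions": [], "state": "unknown"}},
         "artifact": {"name": "java", "version": "17.0.1+12", "type": "binary"}},
        {"vulnerability": {"id": "CVE-2022-21248", "severity": "Low",
                           "fix": {"versions": [], "state": "unknown"}},
         "artifact": {"name": "java", "version": "17.0.1+12", "type": "binary"}},
        {"vulnerability": {"id": "EXAMPLE-WONTFIX-0001", "severity": "Medium",
                           "fix": {"versions": [], "state": "wont-fix"}},
         "artifact": {"name": "libexample", "version": "1.2.0", "type": "deb"}},
    ],
})


def classify(report):
    """Split reported and ignored matches by fix state.

    Returns (actionable, ignored); each row is
    (vuln_id, package, version, severity, fix_state).
    """
    actionable, ignored = [], []
    for m in report.get("matches", []) + report.get("ignoredMatches", []):
        vuln = m["vulnerability"]
        # A missing fix block is treated exactly like state "unknown".
        state = (vuln.get("fix") or {}).get("state") or "unknown"
        row = (vuln["id"], m["artifact"]["name"], m["artifact"]["version"],
               vuln.get("severity", "Unknown"), state)
        if state in IGNORED_STATES:
            ignored.append(row)
        else:
            # "fixed", "unknown" and unrecognised states all fail closed:
            # a false alarm is cheaper than a silently suppressed CVE.
            actionable.append(row)
    return actionable, ignored


def severity_rank(severity):
    """Position in SEVERITY_ORDER; unknown labels rank lowest."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def exit_status(report_json, fail_on="Low"):
    """Return 1 if any actionable match is at or above `fail_on`, else 0."""
    actionable, _ = classify(json.loads(report_json))
    threshold = severity_rank(fail_on)
    for _vuln_id, _pkg, _ver, severity, _state in actionable:
        if severity_rank(severity) >= threshold:
            return 1
    return 0


if __name__ == "__main__":
    # Read a real report from stdin; fall back to the sample when run by hand.
    data = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    fail_on = sys.argv[1] if len(sys.argv) > 1 else "Low"
    actionable, ignored = classify(json.loads(data))
    for row in actionable:
        print("FAIL  %-22s %-12s %-12s %-10s fix=%s" % row)
    for row in ignored:
        print("skip  %-22s %-12s %-12s %-10s fix=%s" % row)
    sys.exit(exit_status(data, fail_on))
```

Usage in a pipeline would be `grype eclipse-temurin:17.0.1_12-jre --only-fixed -o json | python3 grype_gate.py High`; the script's exit code, not grype's, then gates the build. Because it reads both `matches` and `ignoredMatches`, the verdict is the same whether or not `--only-fixed` was passed, so the flag can stay for the human-readable table while the exit status no longer depends on the DB having FIXED-IN data.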

@kzantow
Contributor

kzantow commented Mar 14, 2023

Ah, much more clear, thanks!

Projects
Status: Backlog