Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

--by-cve takes a noticeable amount more time to complete #1185

Closed
kzantow opened this issue Mar 16, 2023 · 2 comments · Fixed by #1188
Closed

--by-cve takes a noticeable amount more time to complete #1185

kzantow opened this issue Mar 16, 2023 · 2 comments · Fixed by #1188

Comments

@kzantow
Copy link
Contributor

kzantow commented Mar 16, 2023

Using the --by-cve flag doesn't filter out the duplicates (and also takes 10x as long, from 15s to 2m38s). Both CVE-2020-9547 and GHSA-q93h-jc49-78gg are still in the output and only the GHSA-q93h-jc49-78gg one has a fixed version.

./grype version
Application:          grype
Version:              0.59.1
Syft Version:         v0.74.1
BuildDate:            2023-03-09T14:57:12Z
GitCommit:            29b646568901d1ef48a528cf35f67f3cead49c9f
GitDescription:       v0.59.1
Platform:             linux/amd64
GoVersion:            go1.19.6
Compiler:             gc
Supported DB Schema:  5

Originally posted by @JipSogeti in #236 (comment)
@kzantow
Copy link
Contributor Author

kzantow commented Mar 16, 2023

NOTE: I'm seeing the --by-cve consistently about 4x on my machine using that test image (docker.io/s3curitybug/jackson-databind-cves). After a few runs these are pretty indicative:

grype docker.io/s3curitybug/jackson-databind-cves  3.63s user 3.65s system 51% cpu 14.186 total

grype docker.io/s3curitybug/jackson-databind-cves --by-cve  17.42s user 8.82s system 76% cpu 34.175 total

@kzantow kzantow mentioned this issue Mar 16, 2023
Merged
@westonsteimel westonsteimel mentioned this issue Mar 20, 2023
Merged
@ghost
Copy link

ghost commented Mar 20, 2023

Thanks @westonsteimel for fixing this so quickly! I can confirm the performance issues are now gone. With or without --by-cve takes about the same time.

I can also confirm the GHSA- IDs are now replaced by the CVE- equivalent.

However, the result is that the CVEs are now shown twice, once with a known fixed version (the one which was previously GHSA-) and once without.

jackson-databind          2.8.8                                           java-archive  CVE-2020-9547     Critical    
[...]    
jackson-databind          2.8.8                2.9.10.4                   java-archive  CVE-2020-9547     Critical

Shouldn't these results be de-duplicated?

My use case is to block a pipeline when there are known fixes, or vulnerabilities for which the fix state is unknown (in which case the vulnerability needs manual analysis). I want to skip vulnerabilities for which there is no fix (wont-fix, not-fixed). Leaving the duplicate CVE with a fix state of unknown (even though the fix state is known, in the second instance of the same CVE) would cause issues for my use case.

./grype version
Application:          grype
Version:              [not provided]
Syft Version:         v0.75.0
BuildDate:            [not provided]
GitCommit:            [not provided]
GitDescription:       [not provided]
Platform:             linux/amd64
GoVersion:            go1.20.2
Compiler:             gc
Supported DB Schema:  5

This was referenced Mar 28, 2023
Closed
Closed
Closed
@ghost ghost mentioned this issue Mar 29, 2023
Open
This was referenced Apr 5, 2023
Merged
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
OSS
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: by-cpe pivot by vuln metadata rather than vulnerability record anchore/grype
1 participant
@kzantow