False positive on io.minio 8.5.2? #1203
Comments
As per the fix provided for each vulnerability, it seems the above vulnerabilities are applicable only on - Not applicable to - Please confirm whether these are false positives for the Minio Java client's latest package (8.5.2)?
The tool reported two additional high vulnerabilities on minio:8.5.2 - As per the fix provided for each vulnerability, it seems all of the above vulnerabilities also fall into this category. Please confirm whether these are also false positives for the Minio Java client's latest package (8.5.2)? Is there any possible fix from the tool to handle these cases?
Hey @prabutdr! We're taking a look at false positives as a problem and trying to determine the best way forward for reducing them as much as possible. I think the above problem comes into play when the CPE matching is a little too broad. We've found that narrowing that down in specific ecosystems leads to more false negatives being reported, which is the trade-off we've accepted for the time being. I'm sorry these are showing up and causing noise in the scan at the moment. Grype does allow you to specify an ignore list in the config. Usually this is commented with the reasons for the FP: We'll keep this issue open and add it as part of our false positive effort!
Thanks much @spiffcs
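As an added illustration of the ignore list mentioned above (this is not the maintainer's config or Grype project code), a `.grype.yaml` covering the matches reported on this issue. It assumes Grype identifies the scanned JAR as package name `minio` of type `java-archive`, and the comments record the reporter's reading of the linked fixes as the reason for each suppression:

```yaml
# .grype.yaml - picked up from the directory Grype is run in, or passed
# explicitly: grype --config .grype.yaml <target>
#
# Constructed example for the matches reported on this issue. Each rule
# is scoped to the Java client package so the same CVE IDs stay visible
# if they ever match a different package (e.g. a bundled MinIO server
# binary), and each carries a YAML comment explaining the suppression
# so the ignore list can be audited later.
ignore:
  # Reporter's reading of the linked minio/minio PRs and release tags:
  # the fixes are server-side and do not apply to the io.minio client.
  - vulnerability: CVE-2018-1000538   # minio/minio#5957
    package:
      name: minio            # assumed: artifact id as Grype reports it
      type: java-archive     # scope to the JAR, not any other "minio"
  - vulnerability: CVE-2020-11012     # minio/minio#9422
    package:
      name: minio
      type: java-archive
  - vulnerability: CVE-2021-21287     # RELEASE.2021-01-30T00-20-58Z
    package:
      name: minio
      type: java-archive
  - vulnerability: CVE-2021-43858     # RELEASE.2021-12-27T07-23-18Z
    package:
      name: minio
      type: java-archive
  # Remaining matches from the scan; version pinned so that a client
  # upgrade drops the suppression and forces a re-review.
  - vulnerability: CVE-2021-21362
    package:
      name: minio
      version: 8.5.2
      type: java-archive
  - vulnerability: CVE-2021-21390
    package:
      name: minio
      version: 8.5.2
      type: java-archive
  - vulnerability: CVE-2022-35919
    package:
      name: minio
      version: 8.5.2
      type: java-archive
```

Running `grype --show-suppressed <target>` afterwards lists the ignored matches in the table output, so the suppressions remain visible during review rather than silently disappearing.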
Thanks @prabutdr for reporting this! Here's a short repro script for anyone testing it in the future:
It looks like we're generating a CPE for CVE-2018-1000538 from https://nvd.nist.gov/vuln/detail/CVE-2018-1000538
URLs:
But @prabutdr is right,
Hi @prabutdr, I'm closing this issue because it was fixed by intervening development. Specifically, Grype no longer uses CPEs to match against JARs by default. You can read more about this change at https://anchore.com/blog/say-goodbye-to-false-positives/.
Please let us know if we've missed something. Thanks!
What happened:
Scanned io.minio.minio 8.5.2 and Grype reported the vulnerabilities below:
CVE-2018-1000538 (High)
https://nvd.nist.gov/vuln/detail/CVE-2018-1000538
security: fix write-to-RAM DoS vulnerability minio/minio#5957
CVE-2020-11012 (High)
https://nvd.nist.gov/vuln/detail/CVE-2020-11012
fix: Add missing return in admin requests auth minio/minio#9422
CVE-2021-21287 (High)
https://nvd.nist.gov/vuln/detail/CVE-2021-21287
https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z
CVE-2021-43858 (High)
https://nvd.nist.gov/vuln/detail/CVE-2021-43858
https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z
CVE-2021-21362 (Medium)
CVE-2021-21390 (Medium)
CVE-2022-35919 (Low)
What you expected to happen:
When we did a detailed analysis of the above vulnerabilities (refer to the links provided for each vulnerability above), it looks like they were already fixed in certain releases, and the latest minio (8.5.2) should not show these vulnerabilities. Initially Grype reported them on minio 8.3.7, but after that we upgraded through many new versions and currently have the latest minio 8.5.2, yet Grype still shows these vulnerabilities. Please check and confirm whether these are false positives?
How to reproduce it (as minimally and precisely as possible):
Download and scan io.minio 8.5.2 runtime using Anchore Grype
https://mvnrepository.com/artifact/io.minio/minio
Environment:
Anchore Grype version: 0.60.0
OS (e.g: cat /etc/os-release or similar): SUSE 15.4