Specifying "extras" in pip / requirements.txt results in false negative #1246

tlbjr · 2023-04-20T16:10:12Z

What happened:

Python's (pip) celery 4.4.7 has a high vuln. This was identified with MS' Defender for Cloud, but it wasn't found with grype because we have "extras" specified as acceptable to pip / requirements.txt.

celery[redis, pytest]==4.4.7  # Will not find a high vuln
#celery==4.4.7  # Will find a high vuln as expected
starlette==0.17.1

What you expected to happen:
Strip all extras and compare the base package and version to the list of known vulns.

How to reproduce it (as minimally and precisely as possible):

$ cat requirements.txt
celery[redis, pytest]==4.4.7  # Will not find a high vuln
#celery==4.4.7  # Will find a high vuln as expected
starlette==0.17.1
$ grype -v file:requirements.txt
[0000]  INFO grype version: 0.61.0
[0000]  INFO could not identify distro form-lib=syft
[0000]  INFO cataloging file form-lib=syft
[0000]  INFO found 1 vulnerabilities for 2 packages
NAME       INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
starlette  0.17.1     0.25.0    python  GHSA-74m5-2c7w-9w3x  Medium

Anything else we need to know?:

Environment:

Output of grype version:
OS (e.g: cat /etc/os-release or similar):

Application:          grype
Version:              0.61.0
Syft Version:         v0.76.0
BuildDate:            2023-04-04T15:11:17Z
GitCommit:            d8c0c0805b59659c4d6e49d6806a0eba11bdc2ee
GitDescription:       v0.61.0
Platform:             linux/amd64
GoVersion:            go1.19.7
Compiler:             gc
Supported DB Schema:  5

PRETTY_NAME="Ubuntu 22.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.2 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

The text was updated successfully, but these errors were encountered:

kzantow · 2023-04-20T16:16:13Z

Thanks for the report @tlbjr, this looks like a fairly easy fix -- PRs are always welcome!

- Allow pip packages to specify extras. - Syntax: package_name[extra1, extra2] - Using regex the extras will be removed from the package name. Closes anchore#1246 Signed-off-by: Shane Dell <shanedell100@gmail.com>

- Update pip requirements.txt parsing to remove pip extras from package name if included. Closes anchore/grype#1246 Closes anchore/grype#1251 Signed-off-by: Shane Dell <shanedell100@gmail.com>

- Update pip requirements.txt parsing to remove pip extras from package name if included. - Add unit test to test that extras are removed from package name. Closes anchore/grype#1246 Closes anchore/grype#1251 Signed-off-by: Shane Dell <shanedell100@gmail.com>

- Create new metadata struct and type for python requirements. - Update parsing of python requirements to use python requirements metadata. - Remove pip extras from package name, add them to metadata instead. - Add unit test to test that extras are removed from package name. - Will need updated in future to support more than just == for the version constraint. Closes anchore/grype#1246 Closes anchore/grype#1251 Signed-off-by: Shane Dell <shanedell100@gmail.com>

- Create new metadata struct and type for python requirements. - Update parsing of python requirements to use python requirements metadata. - Remove pip extras from package name, add them to metadata instead. - Add unit test to test that extras are removed from package name. - Will need updated in future to support more than just == for the version constraint. - Update JSON schema data Closes anchore/grype#1246 Closes anchore/grype#1251 Signed-off-by: Shane Dell <shanedell100@gmail.com>

- Create new metadata struct and type for python requirements. - Update parsing of python requirements to use python requirements metadata. - Remove extras and url from line. Add them to metadata instead. - Add unit test to test that extras are removed from package name. - Update test to look at requirements metadata. - Will need updated in future to support more than just == for the version constraint. - Update JSON schema data Closes anchore/grype#1246 Closes anchore/grype#1251 Signed-off-by: Shane Dell <shanedell100@gmail.com>

tlbjr added the bug Something isn't working label Apr 20, 2023

kzantow added the good-first-issue Good for newcomers label Apr 20, 2023

shanedell mentioned this issue Apr 21, 2023

Allow for pip extras #1251

Closed

shanedell mentioned this issue Apr 25, 2023

Create python requirements metadata anchore/syft#1759

Merged

wagoodman closed this as completed in anchore/syft#1759 Apr 27, 2023

dependabot bot mentioned this issue May 23, 2023

Bump github.com/anchore/grype from 0.61.2-0.20230517123503-d34b28193e61 to 0.62.0 anchore/grype-db#105

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Specifying "extras" in pip / requirements.txt results in false negative #1246

Specifying "extras" in pip / requirements.txt results in false negative #1246

tlbjr commented Apr 20, 2023

kzantow commented Apr 20, 2023

Specifying "extras" in pip / requirements.txt results in false negative #1246

Specifying "extras" in pip / requirements.txt results in false negative #1246

Comments

tlbjr commented Apr 20, 2023

kzantow commented Apr 20, 2023