
False positive: CVE-2017-3162 apache:hadoop-shaded-guava vs apache:hadoop #1301

Status: Closed
sekveaja opened this issue May 16, 2023 · 4 comments
Labels
bug Something isn't working changelog-ignore Don't include this issue in the release changelog ecosystem:java relating to the java ecosystem false-positive:cpe This issue is a report of a false positive cause by CPE matching false-positive

Comments

sekveaja commented May 16, 2023

What happened:

Use hadoop-shaded-guava:1.1.1

            "package_cpe": "cpe:2.3:a:apache:hadoop-shaded-guava:1.1.1:*:*:*:*:*:*:*",
            "package_cpe23": "cpe:2.3:a:apache:hadoop-shaded-guava:1.1.1:*:*:*:*:*:*:*",
            "package_name": "hadoop-shaded-guava",

Grype report to apache:hadoop CVE-2017-3162

What you expected to happen:

They are not the same CPE; therefore, it should not report CVE-2017-3162.

How to reproduce it (as minimally and precisely as possible):

Integrate apache:hadoop-shaded-guava:1.1.1 and test

Environment:
Grype: 0.61.1
cat /etc/os-release | grep -i version
VERSION="SLES 15-SP4"

@sekveaja sekveaja added the bug Something isn't working label May 16, 2023
willmurphyscode (Contributor) commented Jun 5, 2023

Adding detailed repro steps to make future investigation easier:

wget https://repo1.maven.org/maven2/org/apache/hadoop/thirdparty/hadoop-shaded-guava/1.1.1/hadoop-shaded-guava-1.1.1.jar
grype hadoop-shaded-guava-1.1.1.jar | grep CVE-2017-3162

Which prints

hadoop-shaded-guava  1.1.1                java-archive  CVE-2017-3162   High
$  grype version
Application:          grype
Version:              0.62.2
Syft Version:         v0.82.0
BuildDate:            2023-05-26T17:47:10Z
GitCommit:            77eb4bb53fa6a3c7fb9ae37aa35da456159dab57
GitDescription:       v0.62.2
Platform:             darwin/arm64
GoVersion:            go1.19.9
Compiler:             gc
Supported DB Schema:  5

Here are some more details on the match:

CVE-2017-3162 from https://nvd.nist.gov/vuln/detail/CVE-2017-3162
matched artifact is:
hadoop-shaded-guava - pkg:maven/org.apache.hadoop.thirdparty/hadoop-shaded-guava@1.1.1
match type is cpe-match
CPEs

  • cpe:2.3:a:apache:hadoop-shaded-guava:1.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:hadoop_shaded_guava:1.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:hadoop:1.1.1:*:*:*:*:*:*:*

URLs:

@willmurphyscode willmurphyscode added ecosystem:java relating to the java ecosystem false-positive:cpe This issue is a report of a false positive cause by CPE matching labels Jun 6, 2023
sekveaja (Author) commented Jun 6, 2023

@willmurphyscode Thank you for investigating the issue.

NVD info: https://nvd.nist.gov/vuln/detail/CVE-2017-3162

Description
HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0.

Matching CPE: cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*   Up to (including) 2.6.5

According to the NVD description above, CVE-2017-3162 affects Hadoop versions < 2.7.0.

We integrate the following:
..<stripped_path>.../lib/java/distributor/HdfsDistributor.jar:hadoop-shaded-guava

Grype detects hadoop-shaded-guava version 1.1.1 in our environment and links it to CVE-2017-3162, which is for Apache Hadoop.

Apache Hadoop is a product with its own versioning and its own artifact; it may have the issue in versions < 2.7.0.
That doesn't mean hadoop-shaded-guava version 1.1.1 has the issue.

I looked around for the provided info, and I couldn't find anything that links these to CVE-2017-3162:
cpe:2.3:a:apache:hadoop-shaded-guava:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:hadoop_shaded_guava:1.1.1:*:*:*:*:*:*:*

Can you provide the exact link that shows relation of hadoop-shaded-guava to CVE-2017-3162?

willmurphyscode (Contributor) commented:
Can you provide the exact link that shows relation of hadoop-shaded-guava to GHSA-pr9x-qmp5-j3rr?

I don't have such a link. I think this is probably a false positive - I am adding notes to further our investigation of why this false positive might appear. Sorry for not saying that more clearly in my last comment!

I've added the label false-positive:cpe to this issue to indicate that this is likely a false positive caused by overly broad matching or generating of CPEs, especially within the Java ecosystem. I am hoping we can investigate this type of issue and fix this whole type of issue. In the meantime, I'm leaving this issue open since I think it is a good example of the type of false positives sometimes caused by CPE matches in Java.

@willmurphyscode willmurphyscode added the changelog-ignore Don't include this issue in the release changelog label May 15, 2024
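The two checks the commenters make above (does the CPE that actually matched name the same product as the scanned artifact, and does the artifact version fall inside the NVD configuration's bound) can be scripted for triaging cpe-match hits. The following is an added example written for this thread, not Grype's code; the function and verdict names are made up, and the inputs are the values quoted in the comments above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cpe:
    vendor: str
    product: str
    version: str


def parse_cpe23(s: str) -> Cpe:
    """Split a CPE 2.3 formatted string into its vendor, product and version fields."""
    f = s.split(":")
    if len(f) < 6 or f[0] != "cpe" or f[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {s}")
    return Cpe(vendor=f[3], product=f[4], version=f[5])


def norm(name: str) -> str:
    """CPE product names use '_' where Maven artifact ids use '-'; compare on one form."""
    return name.lower().replace("-", "_")


def version_key(v: str) -> tuple:
    """'2.6.5' -> (2, 6, 5); non-numeric components sort as 0 (sufficient for triage)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def triage(package_name: str, matched_cpe: str, vuln_cpe: str, up_to_including: str) -> str:
    """Classify one cpe-match hit (hypothetical helper, verdict strings are made up).

    package_name    -- artifact name from the PURL, i.e. what was actually scanned
    matched_cpe     -- the CPE the scanner generated for the package and matched on
    vuln_cpe        -- the CPE named in the advisory's NVD configuration
    up_to_including -- the advisory's upper version bound from that configuration
    """
    m, v = parse_cpe23(matched_cpe), parse_cpe23(vuln_cpe)
    if m.vendor != v.vendor or m.product != v.product:
        return "no-match"
    if norm(m.product) != norm(package_name):
        # The generated CPE names a different (broader) product than the artifact itself,
        # which is exactly the hadoop vs hadoop-shaded-guava situation in this issue.
        return "suspect-product-mismatch"
    if version_key(m.version) <= version_key(up_to_including):
        return "affected-in-range"
    return "out-of-range"
```

Of the three CPEs Grype listed for the artifact, only the generated `apache:hadoop:1.1.1` one reaches the vulnerability CPE, and it is flagged because its product field is not the artifact name.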
willmurphyscode (Contributor) commented:
Hi @sekveaja,

This false positive seems to be fixed:

wget https://repo1.maven.org/maven2/org/apache/hadoop/thirdparty/hadoop-shaded-guava/1.1.1/hadoop-shaded-guava-1.1.1.jar
grype hadoop-shaded-guava-1.1.1.jar | grep CVE-2017-3162

no longer prints any vulnerabilities. This is because Grype no longer uses CPEs by default for matching against JARs.

Please let me know if I've missed something.
