
False Positive: CVE-2021-22118 using spring-core but report to spring framework webflux #1330

Closed
sekveaja opened this issue Jun 1, 2023 · 1 comment
Labels: bug (Something isn't working), changelog-ignore (Don't include this issue in the release changelog), false-positive:cpe (This issue is a report of a false positive caused by CPE matching)

Comments


sekveaja commented Jun 1, 2023

What happened:

Using Spring-Core 5.3.3:

    "package_cpe23": "cpe:2.3:a:springsource-spring-framework:springsource_spring_framework:5.3.3:*:*:*:*:*:*:*",
    "package_path": "...<stripped_path>..../WEB-INF/lib/spring-core-5.3.3.jar",

Grype reported CVE-2021-22118, which is related to Spring Webflux, a completely different application. Therefore, it is a false positive.

What you expected to happen:
Should not report on Spring-Core.

Environment:

  • Output of grype version: 0.61.1
  • OS (e.g: cat /etc/os-release or similar):
    VERSION="15-SP4"
    VERSION_ID="15.4"
@sekveaja sekveaja added the bug Something isn't working label Jun 1, 2023
@tgerla tgerla added the false-positive:cpe This issue is a report of a false positive cause by CPE matching label Jun 14, 2023
@willmurphyscode willmurphyscode added the changelog-ignore Don't include this issue in the release changelog label Apr 19, 2024
willmurphyscode (Contributor) commented

Hi @sekveaja, thanks for the report!

I'm no longer able to reproduce this issue:

wget 'https://repo1.maven.org/maven2/org/springframework/spring-core/5.3.0/spring-core-5.3.0.jar'
# printf instead of echo: bash's echo does not expand \n without -e, which would leave an invalid Dockerfile
printf 'FROM alpine:latest\n\nADD ./spring-core-5.3.0.jar /\n' | docker build -f - . -t testimage
grype -q testimage | grep -e CVE-2021-22118 -e GHSA-gfwj-fwqj-fp3v # the cve or its GHSA alias
# prints nothing

But if I run the match with Java CPE matching turned on, the FP is present:

$ GRYPE_MATCH_JAVA_USING_CPES=true grype -q testimage | grep -e CVE-2021-22118 -e GHSA-gfwj-fwqj-fp3v
spring-core    5.3.0                 java-archive  CVE-2021-22118       High

That means this FP was fixed by the switch from using CPEs to using GHSA language + version data for Java matches by default.

I'll close this issue as completed, since this FP is no longer present in default grype behavior, but please let me know if I've missed something.
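To illustrate the point made in the comment above, here is an added example (not grype's code, and not part of the thread) contrasting a CPE vendor/product/version match with a Maven-coordinate plus version match. Only the CVE id and the package CPE come from the issue; the advisory's umbrella CPE product, the affected coordinate org.springframework:spring-webflux and the fix version 5.3.99 are constructed assumptions and placeholders, not NVD or GHSA data.

```python
# Added illustration (not grype's code): CPE vs. package-coordinate matching for CVE-2021-22118.
CPE_KEYS = ["part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other"]

def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into named fields (escaped colons not handled)."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return dict(zip(CPE_KEYS, fields[2:]))

def version_key(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

# Constructed advisory record: only the CVE id is from the issue. The umbrella CPE product,
# the affected Maven coordinate and the fix version are assumptions/placeholders.
ADVISORY = {
    "id": "CVE-2021-22118",
    "cpe": {"vendor": "*", "product": "springsource_spring_framework"},
    "artifact": "org.springframework:spring-webflux",
    "fixed_in": "5.3.99",  # placeholder, not the real fixed version
}

def match_by_cpe(pkg_cpe: str, adv: dict) -> bool:
    """NVD-style match on vendor/product/version ('*' is a wildcard). Every Spring module
    carries the same umbrella CPE, so spring-core matches a Webflux-only advisory."""
    pkg = parse_cpe23(pkg_cpe)
    if any(adv["cpe"][f] not in ("*", pkg[f]) for f in ("vendor", "product")):
        return False
    return version_key(pkg["version"]) < version_key(adv["fixed_in"])

def match_by_coordinate(artifact: str, version: str, adv: dict) -> bool:
    """GHSA-style match on the exact Maven group:artifact plus version range."""
    return artifact == adv["artifact"] and version_key(version) < version_key(adv["fixed_in"])

# Constructed inventory mirroring the report: both modules get the same CPE grype assigned.
UMBRELLA = "cpe:2.3:a:springsource-spring-framework:springsource_spring_framework:5.3.3:*:*:*:*:*:*:*"
PACKAGES = [
    {"artifact": "org.springframework:spring-core", "version": "5.3.3", "cpe": UMBRELLA},
    {"artifact": "org.springframework:spring-webflux", "version": "5.3.3", "cpe": UMBRELLA},
]

def scan(packages: list, use_cpes: bool) -> list:
    """Artifacts flagged for ADVISORY under the chosen strategy (cf. GRYPE_MATCH_JAVA_USING_CPES)."""
    return [p["artifact"] for p in packages
            if (match_by_cpe(p["cpe"], ADVISORY) if use_cpes
                else match_by_coordinate(p["artifact"], p["version"], ADVISORY))]

print("CPE matching:       ", scan(PACKAGES, True))   # both modules flagged (FP on spring-core)
print("coordinate matching:", scan(PACKAGES, False))  # only spring-webflux
```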
