reporting the relevant CVE number when GHSA is reported #204

Closed
wagde-orca opened this issue Nov 10, 2020 · 6 comments · Fixed by #1020
What would you like to be added:
When running grype we sometimes see a GHSA in the results but not the CVE, like:
struts2-core 2.5.5 2.5.12 GHSA-9gp7-jvm2-r4mx Medium
It would be nice to add the CVE ID to the JSON file, in this case CVE-2017-7672.
Why is this needed:
I believe working with CVEs is more natural than with GHSAs.
Several products report vulnerabilities as CVEs,
and in grype having a unified representation of vulnerabilities as CVEs is better than having both CVE and GHSA.

Additional context:

wagde-orca added the enhancement label Nov 10, 2020
luhring (Contributor) commented Nov 17, 2020

Hi @wagde-orca, this makes a lot of sense, and it's something we've talked about internally. We'll discuss and figure out next steps.

wagde-orca (Author) commented:

Hi @luhring @wagoodman
Any update on this?

luhring (Contributor) commented Dec 10, 2020

Hi @wagde-orca! Not yet. We'll update the issue when there's movement on this. 👍

andresmascl commented Jun 24, 2022

Hi there! Have there been any updates regarding this feature? Thank you!

spiffcs (Contributor) commented Jul 21, 2022

@wagde-orca is this still an issue for you? In the case you posed, a CVE was eventually added to the record and I believe it is now being output in grype correctly. If this is not the case, or you feel that we should make updates in the case where a CVE is not present on the GHSA, let me know and we can get a patch in.

joshbressers (Contributor) commented:

As we expect to see more feeds in the future, we will have to deal with overlapping IDs from the various ecosystems. In the event there is a CVE ID, it is uncontroversial to expect that it should be used.

What do we do when there is no CVE ID?

For example, if we look at this: GHSA-4vmm-mhcq-4x9j

It's a critical issue in the NPM package constantinople. It has no CVE ID. It does have an NPM ID of 568 (which currently redirects to the GHSA, but you get the basic idea). In a case like this, which ID should we use?

Let's imagine we have a GHSA and NPM vulnerability feed.

We could defer to the GHSA and print only that, assuming the NPM ID metadata references the GHSA. Or we could just print both IDs and let the end user sort it out.

My suspicion is we should treat CVE and GHSA special and defer to those two identifier types if available. Otherwise just print the ecosystem identifiers and not try to de-duplicate the output.
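The precedence rule proposed above (use the CVE if one exists, else the GHSA, else print the ecosystem identifiers without trying to de-duplicate them), worked through as an added Python example; this is not grype's code, the record shape is assumed, and the `NPM-568`, `NPM-999` and `ECO-1` spellings are constructed for illustration:

```python
import re
from collections import defaultdict

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
GHSA_RE = re.compile(r"^GHSA(-[0-9a-z]{4}){3}$")


def rank(vuln_id: str) -> int:
    """Precedence of identifier types: CVE, then GHSA, then ecosystem IDs."""
    if CVE_RE.match(vuln_id):
        return 0
    return 1 if GHSA_RE.match(vuln_id) else 2


def display_ids(records: list[tuple[str, list[str]]]) -> list[list[str]]:
    """Records are (primary id, aliases the feed lists for the same issue), a
    constructed shape rather than grype's. Aliased records are merged; per
    vulnerability return the CVE(s) if any, else GHSA(s), else all ecosystem
    IDs (deliberately not de-duplicated)."""
    parent: dict[str, str] = {}  # union-find over identifiers

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for vuln_id, aliases in records:
        for alias in aliases:
            parent[find(alias)] = find(vuln_id)
        find(vuln_id)  # register IDs that carry no aliases
    groups: dict[str, list[str]] = defaultdict(list)
    for vuln_id in list(parent):
        groups[find(vuln_id)].append(vuln_id)
    out = []
    for ids in groups.values():
        ids.sort(key=lambda i: (rank(i), i))
        out.append([i for i in ids if rank(i) == rank(ids[0])])  # best rank only
    return sorted(out)


# Constructed sample: the struts2 GHSA that now carries its CVE, the
# constantinople GHSA reached only through NPM advisory 568 (no CVE), and a
# made-up pair of ecosystem-only IDs that alias each other.
SAMPLE = [
    ("GHSA-9gp7-jvm2-r4mx", ["CVE-2017-7672"]),
    ("NPM-568", ["GHSA-4vmm-mhcq-4x9j"]),
    ("ECO-1", ["NPM-999"]),
]

if __name__ == "__main__":
    for ids in display_ids(SAMPLE):
        print(" / ".join(ids))
```

Run stand-alone it prints one line per merged vulnerability: the struts2 entry collapses to its CVE, the constantinople entry to its GHSA, and the ecosystem-only pair is printed in full.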
