
False positive on sentry and other libs #280

Closed
anandgia opened this issue Apr 6, 2021 · 3 comments
Labels
bug Something isn't working false-positive

Comments


anandgia commented Apr 6, 2021

What happened:

We scanned an Amazon Linux image which has a sentry client jar. This found a bunch of false-positive CVEs like these, which are in MobileIron and Sentry. It appears the underlying OS is not being looked at properly.

sentry 1.7.27 CVE-2014-1409 Critical
sentry 1.7.27 CVE-2018-8028 High
sentry 1.7.27 CVE-2013-7287 Critical
sentry 1.7.27 CVE-2020-8887 High
sentry 1.7.27 CVE-2020-15506 Critical
sentry 1.7.27 CVE-2020-15507 High
sentry 1.7.27 CVE-2013-7286 High

What you expected to happen:

No CVEs should be reported against sentry

How to reproduce it (as minimally and precisely as possible):

Run an Amazon Linux Docker image with the sentry client jar bundled.

Anything else we need to know?:

Environment:

  • Output of grype version:
$ grype version
Application:          grype
Version:              0.9.0
BuildDate:            2021-03-26T12:16:56Z
GitCommit:            7ce9ef647ed415334920538fdaeb451876e52f4c
GitTreeState:         clean
Platform:             darwin/amd64
GoVersion:            go1.14.15
Compiler:             gc
Supported DB Schema:  1
  • OS (e.g: cat /etc/os-release or similar):
sh-4.2# cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
sh-4.2# find . -name sentry*
./home/appuser/app/lib/sentry-log4j2-1.7.27.jar
./home/appuser/app/lib/sentry-1.7.27.jar
anandgia added the bug label Apr 6, 2021

luhring commented Apr 16, 2021

Hi @anandgia, thanks for the issue!

Adding my own steps to reproduce:

I used this Dockerfile:

FROM amazonlinux:latest

RUN yum install -y maven

WORKDIR /app
COPY ./pom.xml ./

RUN mvn dependency:sources

Using this pom.xml:

<project>
  <modelVersion>4.0.0</modelVersion>

  <groupId>com.mycompany.app</groupId>
  <artifactId>my-app</artifactId>
  <version>1</version>
  <dependencies>
    <dependency>
      <groupId>io.sentry</groupId>
      <artifactId>sentry</artifactId>
      <version>4.4.0-alpha.2</version>
    </dependency>
  </dependencies>
</project>

I'm seeing similar results. Here's one example CPE that leads to a match: "cpe:2.3:a:*:sentry:4.4.0-alpha.2-sources:*:*:*:*:java:*:*".
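
To make the matching step concrete, here is an added illustration (my own code, not Grype's): a minimal CPE 2.3 field matcher showing how a package CPE with a wildcard vendor, like the one quoted above, matches advisory CPEs from unrelated vendors, and a stricter variant that refuses to match when the vendor is unknown. The advisory records and their identifiers are constructed placeholders, not real CVEs, and the vendor "sentry" for the io.sentry SDK is an assumption.

```python
# CPE 2.3 formatted string: cpe:2.3:part:vendor:product:version:update:edition:
# language:sw_edition:target_sw:target_hw:other  (11 fields after "cpe:2.3")
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into named fields.
    Escaped colons (\\:) are not handled; none of the CPEs here use them."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(FIELDS, parts[2:]))


def field_matches(a: str, b: str) -> bool:
    """CPE-style comparison: '*' (ANY) on either side matches; else exact."""
    return a == "*" or b == "*" or a.lower() == b.lower()


def loose_match(pkg_cpe: str, vuln_cpe: str) -> bool:
    """Match on part, vendor and product only, honouring ANY on both sides.
    With a wildcard vendor this is exactly how an io.sentry jar can be
    matched to a MobileIron Sentry advisory: only 'sentry' is compared."""
    p, v = parse_cpe(pkg_cpe), parse_cpe(vuln_cpe)
    return all(field_matches(p[f], v[f]) for f in ("part", "vendor", "product"))


def strict_match(pkg_cpe: str, vuln_cpe: str) -> bool:
    """Refuse to match when the package CPE carries no concrete vendor;
    a product name alone cannot tell two unrelated 'sentry' products apart."""
    if parse_cpe(pkg_cpe)["vendor"] == "*":
        return False
    return loose_match(pkg_cpe, vuln_cpe)


# Constructed advisory records; identifiers are placeholders, not real CVEs.
ADVISORIES = [
    ("CVE-EXAMPLE-0001", "cpe:2.3:a:mobileiron:sentry:*:*:*:*:*:*:*:*"),
    ("CVE-EXAMPLE-0002", "cpe:2.3:a:sentry:sentry:*:*:*:*:*:*:*:*"),  # assumed vendor
]

# The generated CPE quoted in the comment above (wildcard vendor, "-sources" jar).
PKG_CPE = "cpe:2.3:a:*:sentry:4.4.0-alpha.2-sources:*:*:*:*:java:*:*"


def find_matches(pkg_cpe: str, matcher) -> list:
    """Return the advisory ids whose CPE the given matcher accepts."""
    return [cve for cve, vuln_cpe in ADVISORIES if matcher(pkg_cpe, vuln_cpe)]
```

Running `find_matches(PKG_CPE, loose_match)` returns both constructed advisories, while `strict_match` returns none for the wildcard-vendor CPE and only the matching-vendor record once a concrete vendor is present.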


luhring commented Sep 15, 2021

Hi @anandgia — could you try this again using the latest release of Grype? I find I'm no longer able to reproduce this, but I'm curious what you're seeing.

anandgia (Author) commented:

Looks fine now @luhring, thanks!

@luhring luhring closed this as completed Sep 15, 2021