Java packages sometimes missing version information #504

Closed
ahrycej opened this issue Nov 19, 2021 · 5 comments
Labels
bug Something isn't working

Comments

ahrycej commented Nov 19, 2021

What happened:
Anchore Enterprise finds vulnerabilities in the docker image in tomcat-jdbc.jar (docker image with tomcat 8.5.72).
Grype finds vulnerabilities in the docker image in tomcat-jdbc.jar.
No version is reported.

/home/xxx/bin/grype tomcat-runtime-xxx.tar -vvv
...
[0007] DEBUG searching for vulnerability matches for pkg=Pkg(type=java-archive, name=tomcat-jdbc, version=)
[0007] DEBUG found 22 vulnerabilities for pkg=Pkg(type=java-archive, name=tomcat-jdbc, version=)
...
[0007] DEBUG ├── vuln="CVE-2002-0493" type="Fuzzy Match" searchedBy={"nvd" ["cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*"]} foundBy="java-matcher"
...
[0007] DEBUG └── vuln="CVE-2020-8022" type="Fuzzy Match" searchedBy={"nvd" ["cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*"]} foundBy="java-matcher"
...
tomcat-jdbc CVE-2002-0493 High
tomcat-jdbc CVE-2013-2185 High
tomcat-jdbc CVE-2016-5425 High
tomcat-jdbc CVE-2016-6325 High
tomcat-jdbc CVE-2020-8022 High

What you expected to happen:

Officially disputed vulnerabilities, or vulnerabilities with no CVSS score in, e.g., the NIST database or no software provider score, are not listed, or are at least marked. Example: CVE-2013-2185

Fuzzy match -> is it working? We have the latest Tomcat 8.5.72 -> how does Grype match the vulnerabilities? We don't understand what is behind the method.

How to reproduce it (as minimally and precisely as possible):
run anchore and/or grype
using
https://hub.docker.com/_/tomcat?tab=tags&page=1&name=8.5.72

Anything else we need to know?:

Environment:
We run it in our own mirroring repo as we do not have direct access to dockerhub. Mirror is up to date.
@ahrycej ahrycej added the bug Something isn't working label Nov 19, 2021
luhring (Contributor) commented Nov 24, 2021

Thanks @ahrycej!

It looks like we're surfacing packages without a version. Here's the Grype JSON for a scan I just ran on tomcat:8.5.72:
tomcat-8.5.72.grype.json.tar.gz

This needs more investigation. cc: @wagoodman

arduent commented Dec 13, 2021

I'm running tomcat 10.0.14 and seeing false positives.

grype dir:/java/tomcat --scope all-layers

tomcat-jdbc CVE-2000-1210 Medium
tomcat-jdbc CVE-2001-0590 Medium
tomcat-jdbc CVE-2002-0493 High
tomcat-jdbc CVE-2005-4838 Medium
tomcat-jdbc CVE-2006-7196 Medium
tomcat-jdbc CVE-2007-1358 Low
tomcat-jdbc CVE-2007-2449 Medium
tomcat-jdbc CVE-2008-0128 Medium
tomcat-jdbc CVE-2009-2696 Medium
tomcat-jdbc CVE-2013-2185 High
tomcat-jdbc CVE-2013-4286 Medium
tomcat-jdbc CVE-2013-4322 Medium
tomcat-jdbc CVE-2013-4444 Medium
tomcat-jdbc CVE-2013-4590 Medium
tomcat-jdbc CVE-2013-6357 Medium
tomcat-jdbc CVE-2014-0075 Medium
tomcat-jdbc CVE-2014-0096 Medium
tomcat-jdbc CVE-2014-0099 Medium
tomcat-jdbc CVE-2014-0119 Medium
tomcat-jdbc CVE-2016-5425 High
tomcat-jdbc CVE-2016-6325 High
tomcat-jdbc CVE-2020-8022 High

ahrycej (Author) commented Dec 13, 2021

For us the issue is that we don't use the package manager when adding Tomcat, and the version is not present. For our Tomcat version, which is 8.5.72, these are all false positives. I had a case open with Anchore Enterprise. Regards, Anna

kzantow (Contributor) commented Dec 13, 2021

I tracked this down to the tomcat-jdbc.jar manifest only including a Bundle-Version when Syft catalogs it. There's a PR for it here: anchore/syft#677
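To make the two halves of this issue concrete (why an empty version turns into a "Fuzzy Match" against every apache:tomcat CPE, and why a manifest that carries only an OSGi Bundle-Version leaves the version empty), here is an added worked example. It is not Syft's or Grype's code and it does not reproduce their real matching logic: the manifest precedence order (Implementation-Version, then Specification-Version, then optionally Bundle-Version), the in-memory jar, the `use_bundle_version` switch and the version ranges under the EXAMPLE-* identifiers are all constructed for illustration.

```python
"""Added example (not Syft/Grype code): recover a version from a jar manifest,
then show how an empty version degrades CPE matching into match-everything."""
import io
import zipfile
from typing import Dict, List, Tuple

# Constructed manifest modelled on the issue: only an OSGi Bundle-Version,
# no Implementation-Version / Specification-Version.
MANIFEST = (
    "Manifest-Version: 1.0\n"
    "Bundle-SymbolicName: org.apache.tomcat.jdbc\n"
    "Bundle-Version: 8.5.72\n"
    "\n"
)

# Constructed, hypothetical vulnerability records: (id, first affected, first fixed).
# These are NOT real CVE ranges; the ids are placeholders.
VULNS: List[Tuple[str, str, str]] = [
    ("EXAMPLE-2013-0001", "7.0.0", "7.0.40"),
    ("EXAMPLE-2016-0002", "8.5.0", "8.5.5"),
    ("EXAMPLE-2020-0003", "8.5.0", "8.5.80"),
]


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse the main section of META-INF/MANIFEST.MF into a dict.
    A line starting with a space continues the previous attribute (the jar
    spec's 72-byte line wrapping); the first blank line ends the main section."""
    attrs: Dict[str, str] = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip():
            break
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        last = key.strip()
        attrs[last] = value.strip()
    return attrs


def build_jar() -> bytes:
    """Build a minimal in-memory jar containing only the constructed manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", MANIFEST)
    return buf.getvalue()


def version_from_jar(jar_bytes: bytes, use_bundle_version: bool) -> str:
    """Return a version string from the jar manifest, or "" if none is found.
    Precedence (an assumption for this example): Implementation-Version,
    then Specification-Version, then Bundle-Version if the caller allows it.
    use_bundle_version=False mimics a cataloger that ignores Bundle-Version,
    which is the failure mode the issue describes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        attrs = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
    for key in ("Implementation-Version", "Specification-Version"):
        if attrs.get(key):
            return attrs[key]
    if use_bundle_version and attrs.get("Bundle-Version"):
        return attrs["Bundle-Version"]
    return ""


def version_tuple(v: str) -> Tuple[int, ...]:
    """Turn '8.5.72' into (8, 5, 72) for ordered comparison."""
    return tuple(int(p) for p in v.split("."))


def match(pkg_version: str, vulns: List[Tuple[str, str, str]]) -> List[str]:
    """Simplified CPE-style matching: a record hits if the package version is in
    [first_affected, first_fixed). An empty version cannot be compared, so it is
    treated like the CPE wildcard '*' and hits every record for the product;
    that is the match-everything behaviour visible in the issue's debug log."""
    hits = []
    for vid, start, end in vulns:
        if pkg_version == "":
            hits.append(vid)
        elif version_tuple(start) <= version_tuple(pkg_version) < version_tuple(end):
            hits.append(vid)
    return hits


def demo() -> Tuple[str, List[str], str, List[str]]:
    """Run the same jar through both cataloging behaviours and match each result."""
    jar = build_jar()
    v_missing = version_from_jar(jar, use_bundle_version=False)
    v_fixed = version_from_jar(jar, use_bundle_version=True)
    return v_missing, match(v_missing, VULNS), v_fixed, match(v_fixed, VULNS)


if __name__ == "__main__":
    for label, value in zip(("version", "hits", "version", "hits"), demo()):
        print(label, repr(value))
```

With the Bundle-Version ignored, the version comes back empty and all three constructed records match; once the Bundle-Version is read, only the record whose range actually contains 8.5.72 survives. The practical check for a scanner user is the same as in the debug log above: a `version=` (empty) in the `Pkg(...)` line means every subsequent "match" for that package was made against a wildcard and should be treated as unverified rather than as a real finding.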

luhring (Contributor) commented Dec 14, 2021

@kzantow Just for my understanding: is that fix handling the missing versions, or additionally this request below?

What you expected to happen:

Officially disputed vulnerabilities or vulnerabilities with no CVSS score in the e.g. NIST database or sw provider score are not listed or at least marked

@kzantow kzantow closed this as completed Dec 16, 2021
@wagoodman wagoodman changed the title tomcat-jdbc.jar vulnerabilities java packages sometimes missing version information Dec 22, 2021
@wagoodman wagoodman changed the title java packages sometimes missing version information Java packages sometimes missing version information Dec 22, 2021