Indicate location of vulnerability #561
Comments
Hey @jax79sg , I want to make certain I understand the specific request here. I wanted to start with what information that is most similar to what you're asking for today to see what the differences might be. Here's an example from scanning:

```json
{
  "vulnerability": {
    "id": "CVE-2021-38604",
    "dataSource": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-38604",
    "namespace": "ubuntu:20.04",
    "severity": "Medium",
    "urls": [
      "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-38604"
    ],
    "cvss": [],
    "fix": {
      "versions": [],
      "state": "not-fixed"
    },
    "advisories": []
  },
  "relatedVulnerabilities": [
    {
      "id": "CVE-2021-38604",
      "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-38604",
      "namespace": "nvd",
      "severity": "High",
      "urls": [
        "https://sourceware.org/git/?p=glibc.git;a=commit;h=4cc79c217744743077bf7a0ec5e0a4318f1e6641",
        "https://sourceware.org/git/?p=glibc.git;a=commit;h=b805aebd42364fe696e417808a700fdb9800c9e8",
        "https://sourceware.org/bugzilla/show_bug.cgi?id=28213",
        "https://blog.tuxcare.com/cve/tuxcare-team-identifies-cve-2021-38604-a-new-vulnerability-in-glibc",
        "https://security.netapp.com/advisory/ntap-20210909-0005/",
        "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GYEXYM37RCJWJ6B5KQUYQI4NZBDDYSXP/"
      ],
      "description": "In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/unix/sysv/linux/mq_notify.c mishandles certain NOTIFY_REMOVED data, leading to a NULL pointer dereference. NOTE: this vulnerability was introduced as a side effect of the CVE-2021-33574 fix.",
      "cvss": [
        {
          "version": "2.0",
          "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "metrics": {
            "baseScore": 5,
            "exploitabilityScore": 10,
            "impactScore": 2.9
          },
          "vendorMetadata": {}
        },
        {
          "version": "3.1",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "metrics": {
            "baseScore": 7.5,
            "exploitabilityScore": 3.9,
            "impactScore": 3.6
          },
          "vendorMetadata": {}
        }
      ]
    }
  ],
  "matchDetails": [
    {
      "matcher": "dpkg-matcher",
      "searchedBy": {
        "distro": {
          "type": "ubuntu",
          "version": "20.04"
        },
        "namespace": "ubuntu:20.04",
        "package": {
          "name": "glibc",
          "version": "2.31-0ubuntu9.2"
        }
      },
      "found": {
        "versionConstraint": "none (deb)"
      }
    }
  ],
  "artifact": {
    "name": "libc6",
    "version": "2.31-0ubuntu9.2",
    "type": "deb",
    "locations": [
      {
        "path": "/var/lib/dpkg/status",
        "layerID": "sha256:9f54eef412758095c8079ac465d494a2872e02e90bf1fb5f12a1641c0d1bb78b"
      },
      {
        "path": "/var/lib/dpkg/info/libc6:amd64.md5sums",
        "layerID": "sha256:9f54eef412758095c8079ac465d494a2872e02e90bf1fb5f12a1641c0d1bb78b"
      },
      {
        "path": "/var/lib/dpkg/info/libc6:amd64.conffiles",
        "layerID": "sha256:9f54eef412758095c8079ac465d494a2872e02e90bf1fb5f12a1641c0d1bb78b"
      },
      {
        "path": "/usr/share/doc/libc6/copyright",
        "layerID": "sha256:9f54eef412758095c8079ac465d494a2872e02e90bf1fb5f12a1641c0d1bb78b"
      }
    ],
    "language": "",
    "licenses": [
      "GPL-2",
      "LGPL-2.1"
    ],
    "cpes": [
      "cpe:2.3:a:libc6:libc6:2.31-0ubuntu9.2:*:*:*:*:*:*:*"
    ],
    "purl": "pkg:deb/ubuntu/libc6@2.31-0ubuntu9.2?arch=amd64",
    "metadata": {
      "Source": "glibc"
    }
  }
},
```

The main sections for each vulnerability are:

The relevant json paths for what you may be asking for could be:

@jax79sg let me know if the output here doesn't meet what you're looking for!
I think this template gives the desired csv output: csv.tmpl file:

```
grype dir:/home/mine -o template -t /app/csv.tmpl
```

cc: @wagoodman
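The two comments above point at the same thing from different directions: the maintainer's JSON shows where the location data lives (`artifact.locations[].path` and `.layerID`, alongside `vulnerability.id`, `artifact.purl` and the source package under `artifact.metadata.Source`), and the template comment shows one way to flatten it to CSV. As an added example that is not code from this issue or from grype itself, here is a small Python script that reads grype's `-o json` output (assumed to carry the matches under a top-level `matches` array) and emits one CSV row per match, carrying the file paths and layer IDs that the original request asks for. The embedded JSON is a trimmed, constructed copy of the sample above, used only so the script runs offline.

```python
import csv
import io
import json
import sys

# Trimmed copy of the grype match from the comment above, wrapped in the
# top-level "matches" array of `grype ... -o json` (constructed sample).
SAMPLE_GRYPE_JSON = """
{
  "matches": [
    {
      "vulnerability": {
        "id": "CVE-2021-38604",
        "namespace": "ubuntu:20.04",
        "severity": "Medium",
        "fix": {"versions": [], "state": "not-fixed"}
      },
      "relatedVulnerabilities": [
        {"id": "CVE-2021-38604", "namespace": "nvd", "severity": "High"}
      ],
      "matchDetails": [
        {"matcher": "dpkg-matcher",
         "searchedBy": {"package": {"name": "glibc", "version": "2.31-0ubuntu9.2"}}}
      ],
      "artifact": {
        "name": "libc6",
        "version": "2.31-0ubuntu9.2",
        "type": "deb",
        "locations": [
          {"path": "/var/lib/dpkg/status",
           "layerID": "sha256:9f54eef412758095c8079ac465d494a2872e02e90bf1fb5f12a1641c0d1bb78b"},
          {"path": "/usr/share/doc/libc6/copyright",
           "layerID": "sha256:9f54eef412758095c8079ac465d494a2872e02e90bf1fb5f12a1641c0d1bb78b"}
        ],
        "purl": "pkg:deb/ubuntu/libc6@2.31-0ubuntu9.2?arch=amd64",
        "metadata": {"Source": "glibc"}
      }
    }
  ]
}
"""

COLUMNS = ["vulnerability", "distro_severity", "nvd_severity", "package", "version",
           "purl", "source_package", "fix_state", "location_paths", "layer_ids"]


def match_to_row(match):
    """Flatten one grype match into the COLUMNS above (hypothetical layout)."""
    vuln = match["vulnerability"]
    artifact = match["artifact"]
    locations = artifact.get("locations") or []
    # The distro namespace and the NVD record can rate the same CVE differently
    # (Medium vs. High in the sample), so keep both for triage.
    nvd = [r for r in match.get("relatedVulnerabilities") or [] if r.get("namespace") == "nvd"]
    return {
        "vulnerability": vuln["id"],
        "distro_severity": vuln.get("severity", ""),
        "nvd_severity": nvd[0].get("severity", "") if nvd else "",
        "package": artifact["name"],
        "version": artifact["version"],
        "purl": artifact.get("purl", ""),
        "source_package": (artifact.get("metadata") or {}).get("Source", ""),
        "fix_state": (vuln.get("fix") or {}).get("state", ""),
        # One package is usually backed by several files; join them so the
        # CSV stays one row per match.
        "location_paths": ";".join(loc["path"] for loc in locations),
        "layer_ids": ";".join(sorted({loc["layerID"] for loc in locations if "layerID" in loc})),
    }


def grype_json_to_rows(text):
    """Parse a grype JSON report and return one flat dict per match."""
    doc = json.loads(text)
    return [match_to_row(m) for m in doc.get("matches") or []]


def rows_to_csv(rows):
    """Render the rows as quoted CSV text with a header line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: grype dir:/home/mine -o json | python grype_locations.py
    # With nothing piped in, fall back to the embedded sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GRYPE_JSON
    print(rows_to_csv(grype_json_to_rows(text)), end="")
```

The `layer_ids` column is what makes the output actionable for container images: the same package path can appear in several layers, and knowing which layer introduced the vulnerable file tells you which Dockerfile step to fix.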
I've opened #694 to include the Package/Artifact

Since there has been no response from the original author on this and the location is correctly included in the grype output I'm going to close this issue for now. @sparrowt it looks like @luhring has responded on your PR so that should be moving along through our PR process and does not need to be filed on top of this issue.

👏

Working perfectly well: https://dev.to/optnc/grype-0350-new-feature-indicate-location-of-vulnerability-1pam
What would you like to be added:
Add library location and software dependency on scan output.
Why is this needed:
The grype output only indicates the library/package. However, it doesn't give a reference to where it's hosted and which software might have installed it. This info is needed for vulnerability mitigation.
Additional context: