
Indicate location of vulnerability #561

Closed
jax79sg opened this issue Dec 22, 2021 · 6 comments
Labels
enhancement New feature or request

Comments

@jax79sg

jax79sg commented Dec 22, 2021

What would you like to be added:
Add library location and software dependency on scan output.

Why is this needed:
The grype output only indicates the library/package. However, it doesn't give a reference to where it's hosted and which software might have installed it. This info is needed for vulnerability mitigation.

Additional context:

@jax79sg jax79sg added the enhancement New feature or request label Dec 22, 2021
@wagoodman
Contributor

wagoodman commented Dec 22, 2021

Hey @jax79sg , I want to make certain I understand the specific request here. I wanted to start with the information that is most similar to what you're asking for today, to see what the differences might be.

Here's an example from scanning ubuntu:latest this morning with the -o json flag to get as much information as possible (the default table output summarizes each vulnerability finding):

  {
   "vulnerability": {
    "id": "CVE-2021-38604",
    "dataSource": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-38604",
    "namespace": "ubuntu:20.04",
    "severity": "Medium",
    "urls": [
     "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-38604"
    ],
    "cvss": [],
    "fix": {
     "versions": [],
     "state": "not-fixed"
    },
    "advisories": []
   },
   "relatedVulnerabilities": [
    {
     "id": "CVE-2021-38604",
     "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-38604",
     "namespace": "nvd",
     "severity": "High",
     "urls": [
      "https://sourceware.org/git/?p=glibc.git;a=commit;h=4cc79c217744743077bf7a0ec5e0a4318f1e6641",
      "https://sourceware.org/git/?p=glibc.git;a=commit;h=b805aebd42364fe696e417808a700fdb9800c9e8",
      "https://sourceware.org/bugzilla/show_bug.cgi?id=28213",
      "https://blog.tuxcare.com/cve/tuxcare-team-identifies-cve-2021-38604-a-new-vulnerability-in-glibc",
      "https://security.netapp.com/advisory/ntap-20210909-0005/",
      "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GYEXYM37RCJWJ6B5KQUYQI4NZBDDYSXP/"
     ],
     "description": "In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/unix/sysv/linux/mq_notify.c mishandles certain NOTIFY_REMOVED data, leading to a NULL pointer dereference. NOTE: this vulnerability was introduced as a side effect of the CVE-2021-33574 fix.",
     "cvss": [
      {
       "version": "2.0",
       "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
       "metrics": {
        "baseScore": 5,
        "exploitabilityScore": 10,
        "impactScore": 2.9
       },
       "vendorMetadata": {}
      },
      {
       "version": "3.1",
       "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
       "metrics": {
        "baseScore": 7.5,
        "exploitabilityScore": 3.9,
        "impactScore": 3.6
       },
       "vendorMetadata": {}
      }
     ]
    }
   ],
   "matchDetails": [
    {
     "matcher": "dpkg-matcher",
     "searchedBy": {
      "distro": {
       "type": "ubuntu",
       "version": "20.04"
      },
      "namespace": "ubuntu:20.04",
      "package": {
       "name": "glibc",
       "version": "2.31-0ubuntu9.2"
      }
     },
     "found": {
      "versionConstraint": "none (deb)"
     }
    }
   ],
   "artifact": {
    "name": "libc6",
    "version": "2.31-0ubuntu9.2",
    "type": "deb",
    "locations": [
     {
      "path": "/var/lib/dpkg/status",
      "layerID": "sha256:9f54eef412758095c8079ac465d494a2872e02e90bf1fb5f12a1641c0d1bb78b"
     },
     {
      "path": "/var/lib/dpkg/info/libc6:amd64.md5sums",
      "layerID": "sha256:9f54eef412758095c8079ac465d494a2872e02e90bf1fb5f12a1641c0d1bb78b"
     },
     {
      "path": "/var/lib/dpkg/info/libc6:amd64.conffiles",
      "layerID": "sha256:9f54eef412758095c8079ac465d494a2872e02e90bf1fb5f12a1641c0d1bb78b"
     },
     {
      "path": "/usr/share/doc/libc6/copyright",
      "layerID": "sha256:9f54eef412758095c8079ac465d494a2872e02e90bf1fb5f12a1641c0d1bb78b"
     }
    ],
    "language": "",
    "licenses": [
     "GPL-2",
     "LGPL-2.1"
    ],
    "cpes": [
     "cpe:2.3:a:libc6:libc6:2.31-0ubuntu9.2:*:*:*:*:*:*:*"
    ],
    "purl": "pkg:deb/ubuntu/libc6@2.31-0ubuntu9.2?arch=amd64",
    "metadata": {
     "Source": "glibc"
    }
   }
  },

The main sections for each vulnerability are:

  • vulnerability: all information on the specific vulnerability that was directly matched on (e.g. ID, severity, CVSS score, fix information, links for more information)
  • relatedVulnerabilities: maybe the vulnerability we matched on was a GitHub Security Advisory, which has an upstream CVE (in the authoritative national vulnerability database)... in these cases we list the upstream vulnerabilities here
  • matchDetails: this section tries to explain what we searched for while looking for a match and exactly what details on the package and vulnerability led to a match.
  • artifact: this is a subset of the information that we know about the package (when compared to the Syft json output, we summarize the metadata section). This has information about where within the container image or directory we found the package, what kind of package it is, licensing info, pURLs, CPEs, etc.).

The relevant json paths for what you may be asking for could be:

  • artifact.locations[]: these files are the "evidence" of the existence of the package (and related files from metadata that the evidence may have indicated)
  • artifact.type: this is the packaging ecosystem which the package exists within, so for this case deb indicates that this was probably installed by a dpkg or apt command.
  • vulnerability.dataSource: this is where we got all of the information for the vulnerability that we matched against.

@jax79sg let me know if the output here doesn't meet what you're looking for!

@schoppet

schoppet commented Jan 7, 2022

@jax79sg

I think this template gives the desired csv output:

csv.tmpl file:

"Package","Version Installed","Vulnerability ID","Severity","Location",
{{- range .Matches}}
"{{.Artifact.Name}}","{{.Artifact.Version}}","{{.Vulnerability.ID}}","{{.Vulnerability.Severity}}","{{.Artifact.locations}}"
{{- end}}
 grype dir:/home/mine -o template -t /app/csv.tmpl
"Package","Version Installed","Vulnerability ID","Severity","Location",
"commons-collections","3.2.1","CVE-2015-6420","High","[Location<RealPath="nalt2skos/nalt2skos.jar">]"
"commons-collections","3.2.1","CVE-2017-15708","Critical","[Location<RealPath="nalt2skos/nalt2skos.jar">]"
"commons-beanutils","1.9.2","CVE-2019-10086","High","[Location<RealPath="nalt2skos/nalt2skos.jar">]"
"log4j","1.2.17","CVE-2019-17571","Critical","[Location<RealPath="nalt2skos/nalt2skos.jar">]"
"log4j","1.2.17","CVE-2020-9488","Low","[Location<RealPath="nalt2skos/nalt2skos.jar">]"
"commons-io","2.3","CVE-2021-29425","Medium","[Location<RealPath="marc2mods/NALCommonUtil/git/lib/commons-io-2.3.jar">]"
"commons-io","2.3","CVE-2021-29425","Medium","[Location<RealPath="marc2mods/NALCommonUtil.jar">]"
"log4j","1.2.17","GHSA-2qrg-x229-3v8q","Critical","[Location<RealPath="nalt2skos/nalt2skos.jar">]"
"commons-collections","3.2.1","GHSA-6hgm-866r-3cjv","High","[Location<RealPath="nalt2skos/nalt2skos.jar">]"
"commons-beanutils","1.9.2","GHSA-6phf-73q6-gh87","High","[Location<RealPath="nalt2skos/nalt2skos.jar">]"
"log4j","1.2.17","GHSA-fp5r-v3w9-4333","High","[Location<RealPath="nalt2skos/nalt2skos.jar">]"
"commons-io","2.3","GHSA-gwrp-pvrq-jmwv","Medium","[Location<RealPath="marc2mods/NALCommonUtil.jar">]"
"commons-io","2.3","GHSA-gwrp-pvrq-jmwv","Medium","[Location<RealPath="marc2mods/NALCommonUtil/git/lib/commons-io-2.3.jar">]"

cc: @wagoodman
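The two comments above describe the grype JSON layout (artifact.locations[], artifact.type, vulnerability.dataSource) and a Go template that dumps the raw locations struct. The following is an added example, not code from grype or from anyone in this thread: it flattens a constructed `grype -o json` document into one CSV row per vulnerability and evidence path, including layer and package type, which is what the original request asks for. The sample input and its layer digest are constructed placeholders.

```python
import csv
import io
import json

# Constructed sample in the shape of `grype -o json` output, trimmed to the
# fields discussed in this thread; the layer digest is a placeholder.
SAMPLE_GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2021-38604", "severity": "Medium",
                       "dataSource": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-38604"},
     "artifact": {"name": "libc6", "version": "2.31-0ubuntu9.2", "type": "deb",
                  "locations": [{"path": "/var/lib/dpkg/status", "layerID": "sha256:LAYER-PLACEHOLDER"},
                                {"path": "/usr/share/doc/libc6/copyright", "layerID": "sha256:LAYER-PLACEHOLDER"}]}},
    {"vulnerability": {"id": "CVE-2021-29425", "severity": "Medium",
                       "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-29425"},
     "artifact": {"name": "commons-io", "version": "2.3", "type": "java-archive",
                  "locations": [{"path": "marc2mods/NALCommonUtil.jar"}]}},
]})

COLUMNS = ["package", "version", "type", "vuln_id", "severity", "path", "layer", "source"]


def location_rows(grype_json):
    """Flatten grype JSON into one row per (vulnerability, evidence path)."""
    rows = []
    for m in json.loads(grype_json).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        # A package with no recorded locations still yields one row, so it is
        # not silently dropped from the report.
        for loc in art.get("locations") or [{}]:
            rows.append({
                "package": art["name"],
                "version": art["version"],
                "type": art.get("type", ""),          # deb, java-archive, ...
                "vuln_id": vuln["id"],
                "severity": vuln.get("severity", ""),
                "path": loc.get("path", ""),          # evidence file for the package
                "layer": loc.get("layerID", ""),      # image layer, empty for dir scans
                "source": vuln.get("dataSource", ""),
            })
    return rows


def to_csv(rows):
    """Render rows as CSV text with the same kind of columns as the template above."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

For a real scan, run `grype <target> -o json > scan.json` and pass the file contents to `location_rows` in place of the constructed sample.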

@sparrowt
Contributor

I've opened #694 to include the Package/Artifact Type in the default table output which might be a step in the right direction.

@spiffcs
Contributor

spiffcs commented Mar 30, 2022

Since there has been no response from the original author on this and the location is correctly included in the grype output I'm going to close this issue for now. @sparrowt it looks like @luhring has responded on your PR so that should be moving along through our PR process and does not need to be filed on top of this issue.

@spiffcs spiffcs closed this as completed Mar 30, 2022
@adriens
Contributor

adriens commented Apr 13, 2022

👏

@adriens
Contributor

adriens commented Apr 14, 2022

Working perfectly good https://dev.to/optnc/grype-0350-new-feature-indicate-location-of-vulnerability-1pam
It's now part of our stack.
Thanks a lot guys 🎆


6 participants