
False positive of CVE-2020-16250 and CVE-2020-16251 #712

Closed
sudo-bmitch opened this issue Apr 7, 2022 · 1 comment

Labels: bug, false-positive

@sudo-bmitch

What happened:

I'm getting some false positives on github.com/hashicorp/vault/api because Grype sees api/v1.5.0 as the same as v1.5.0.

Similar things happened with the sdk release.

What you expected to happen:

No false positives.

How to reproduce it (as minimally and precisely as possible):

$ docker run -it --rm anchore/grype:v0.34.7 \
    ghcr.io/sigstore/cosign/cosign:d03404e0ca690aea929ee68376fd3244aac8eea9

...
github.com/hashicorp/vault/api    v1.5.0                         CVE-2020-25816       Medium      
github.com/hashicorp/vault/api    v1.5.0                         CVE-2021-43998       Medium      
github.com/hashicorp/vault/api    v1.5.0                         CVE-2020-16251       Critical    
github.com/hashicorp/vault/api    v1.5.0                         CVE-2021-27400       High        
github.com/hashicorp/vault/api    v1.5.0                         CVE-2021-3024        Medium      
github.com/hashicorp/vault/api    v1.5.0                         CVE-2021-38553       Medium      
github.com/hashicorp/vault/api    v1.5.0                         CVE-2021-27668       Medium      
github.com/hashicorp/vault/api    v1.5.0                         CVE-2021-32923       High        
github.com/hashicorp/vault/api    v1.5.0                         CVE-2020-16250       Critical    
github.com/hashicorp/vault/api    v1.5.0                         CVE-2020-35177       Medium      
github.com/hashicorp/vault/api    v1.5.0                         CVE-2021-41802       Medium      
github.com/hashicorp/vault/api    v1.5.0                         CVE-2021-45042       Medium      
github.com/hashicorp/vault/api    v1.5.0                         CVE-2020-25594       Medium      
github.com/hashicorp/vault/api    v1.5.0                         CVE-2020-35453       Medium      
github.com/hashicorp/vault/api    v1.5.0                         CVE-2021-38554       Medium      
github.com/hashicorp/vault/sdk    v0.4.1                         CVE-2020-13223       High        
github.com/hashicorp/vault/sdk    v0.4.1                         CVE-2020-25594       Medium      
github.com/hashicorp/vault/sdk    v0.4.1                         CVE-2018-19786       High        
github.com/hashicorp/vault/sdk    v0.4.1                         CVE-2021-38554       Medium      
github.com/hashicorp/vault/sdk    v0.4.1                         CVE-2021-41802       Medium      
github.com/hashicorp/vault/sdk    v0.4.1                         CVE-2021-3024        Medium      
github.com/hashicorp/vault/sdk    v0.4.1                         CVE-2021-27400       High        
...

Anything else we need to know?:

I'm probably just as confused by Vault's versioning as you are.

Environment:

  • Output of grype version:
$ docker run -it --rm anchore/grype:v0.34.7 version
Application:          grype
Version:              0.34.7
Syft Version:         v0.42.4
BuildDate:            2022-03-24T19:36:25Z
GitCommit:            44e676488efe4ab4fd63438bbce539777a2b8922
GitDescription:       v0.34.7
Platform:             linux/amd64
GoVersion:            go1.18
Compiler:             gc
Supported DB Schema:  3
  • OS (e.g: cat /etc/os-release or similar):

This is in a container, Docker on Debian Linux.

@nurmi (Member) commented Jul 12, 2022

Hi @sudo-bmitch, the reason for this mismatch looks like it was related to the CPE that was being generated against the hashicorp artifacts in syft 0.42.4. Later versions (v0.47 and later) generate a more descriptive CPE that includes the api/sdk metadata, which should resolve this FP finding. Closing the ticket, but please let us know if you have additional concerns on this particular finding!

# docker run -it --rm anchore/grype:latest -q ghcr.io/sigstore/cosign/cosign:d03404e0ca690aea929ee68376fd3244aac8eea9 | grep hashicorp
...
(no more false positive results)
...

nurmi closed this as completed Jul 12, 2022
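The mechanism behind this false positive, as an added illustration that is not grype's or syft's code: in a Go multi-module repository a tag such as `api/v1.5.0` releases the sub-module `github.com/hashicorp/vault/api` at v1.5.0, while the bare tag `v1.5.0` releases Vault itself, so the two "1.5.0" versions belong to different products. A CPE generator that keys only on the GitHub owner and repository name collapses both to `hashicorp:vault`, and every advisory recorded against Vault then matches the client library. The `cpeFor` function below is a simplified, hypothetical generator with a switch between the collapsed and the sub-module-aware product field (not syft's actual algorithm), and `VulnRecord` is a constructed advisory with a made-up `FixedIn` version standing in for the real Vault CVEs in the report; the tag convention in `moduleFromTag` is the real Go one.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Module is a Go module as a scanner reads it from a binary's build info.
type Module struct {
	Path    string // module path, e.g. github.com/hashicorp/vault/api
	Version string // module version, e.g. v1.5.0
}

// moduleFromTag applies the Go multi-module repository convention: the tag
// "api/v1.5.0" in github.com/hashicorp/vault releases the sub-module
// github.com/hashicorp/vault/api at v1.5.0, while a bare "v1.5.0" tag
// releases the root module. Same version string, different modules.
func moduleFromTag(repo, tag string) Module {
	if i := strings.LastIndex(tag, "/"); i >= 0 {
		return Module{Path: repo + "/" + tag[:i], Version: tag[i+1:]}
	}
	return Module{Path: repo, Version: tag}
}

// cpeFor builds a CPE 2.3 formatted string for a github.com module.
// Hypothetical generator, not syft's implementation. With keepSubpath=false
// the product is just the repository name, so every module under
// github.com/hashicorp/vault/... collapses to "vault". With keepSubpath=true
// the sub-module path stays in the product field (slash escaped as "\/",
// as the CPE 2.3 formatted-string binding requires for punctuation).
func cpeFor(m Module, keepSubpath bool) (string, bool) {
	parts := strings.Split(m.Path, "/")
	if len(parts) < 3 || parts[0] != "github.com" {
		return "", false
	}
	product := parts[2]
	if keepSubpath && len(parts) > 3 {
		product = strings.ReplaceAll(strings.Join(parts[2:], "/"), "/", `\/`)
	}
	return fmt.Sprintf("cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*",
		parts[1], product, strings.TrimPrefix(m.Version, "v")), true
}

// VulnRecord is a constructed advisory shape for this demo (not real CVE
// data): the vendor/product it is keyed on and the first fixed version;
// every version below FixedIn is treated as affected.
type VulnRecord struct {
	ID, Vendor, Product, FixedIn string
}

// semver parses "MAJOR.MINOR.PATCH", dropping a leading "v" and any
// pre-release or build suffix.
func semver(v string) ([3]int, error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not MAJOR.MINOR.PATCH: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, err
		}
		out[i] = n
	}
	return out, nil
}

func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// matches reports whether a CPE hits the record: vendor and product must be
// equal and the version must sort below FixedIn. This is the step where a
// collapsed product name turns vault/api 1.5.0 into a hit for a Vault advisory.
func matches(cpe string, r VulnRecord) bool {
	f := strings.Split(cpe, ":")
	if len(f) < 6 || f[3] != r.Vendor || f[4] != r.Product {
		return false
	}
	have, err := semver(f[5])
	if err != nil {
		return false
	}
	fixed, err := semver(r.FixedIn)
	if err != nil {
		return false
	}
	return less(have, fixed)
}

func main() {
	// Constructed record keyed on Vault itself with a made-up fix version.
	rec := VulnRecord{ID: "EXAMPLE-0001", Vendor: "hashicorp", Product: "vault", FixedIn: "1.6.0"}
	repo := "github.com/hashicorp/vault"
	for _, tag := range []string{"v1.5.0", "api/v1.5.0", "sdk/v0.4.1"} {
		m := moduleFromTag(repo, tag)
		for _, keep := range []bool{false, true} {
			cpe, _ := cpeFor(m, keep)
			fmt.Printf("tag=%-11s keepSubpath=%-5v %-50s match=%v\n", tag, keep, cpe, matches(cpe, rec))
		}
	}
}
```

Run with `go run .`: with the collapsed product field all three tags, including the root Vault release, match the record, reproducing the report above; with the sub-module path kept only the root `v1.5.0` tag matches. The practical check when you see a cluster of server CVEs against a client library like `vault/api` is to look at the CPE syft emits for that package (`syft <image> -o json` lists them under each artifact's `cpes`) and confirm the product field is not just the repository name.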
3 participants