Suppress invalid CVE-2016-1000027 #773
Comments
|
+1 Please suppress this invalid CVE, as it is stopping a lot of people using Grype to continue with a certain application deployment... The security scanning step is stopping the CI/CD pipelines and preventing customers to go to production with new releases. |
|
Thanks for the bump on this issue @Turbots and thank you @ThomasVitale for filing the issue. I'm working on closing a PR for grype at the moment and then will pick this up and resolve the FP based on the evidence provided and related support that's been listed. |
|
@Turbots while we work on a fix that possibly lowers the severity of this vulnerability in the grype feed service you can specify matches you'd like to ignore via the ignore configuration linked below: If this does not work for you let me know if there are other workarounds to explore that can unblock the production gates |
|
This issue is a lovely example of many hurdles the current vulnerability ecosystem suffers from (on a side note, the Cloud Security Alliance has a project called GSD to try to discuss and solve many of these problems) I'm going to ignore the discussion of if this should or shouldn't have an ID. I think that's more art than science at this point. But I do think we can all agree the severity is pretty 🍌 This is not a critical issue by itself. Unfortunately CVSS is not capable of scoring something like this because the ID is completely dependent on the use case of a framework. This is like demanding a lumber yard tell you how strong of an earthquake a stack wood can withstand if you build a house with it. I would give this a CVSS3.1 score of 0 That said, there is value in having this ID around even as low. It provides an opportunity for spring users to take steps to ensure they are not deserializing untrusted data. I would prefer we fix the severity instead of completely removing the ID from our data set. If anyone has opinions on this matter please speak up, this will help define future policy decisions around the Grype data |
spiffcs
moved this from Backlog (Pulled Forward for Priority)
to In Progress (Actively Resolving)
in OSS
spiffcs
moved this from In Progress (Actively Resolving)
to Triage (Comments or Progress Made)
in OSS
|
We encountered the same issue on the following environment
Jenkins
|
|
This affects everybody that uses spring ... please fix it soon. @OfriOuzan great analysis! |
|
Hi all, Since this issue was opened, Grype has switched from using CVE data to using GHSA data by default for Java packages. We still find the GHSA version of this issue, GHSA-4wrc-f8pq-fpqp, and it is still marked as critical. From Grype's perspective, we are correctly reporting what the upstream data source says. But, since we use GHSA now, it's possible for users to seek to correct the data by raising an issue or PR against https://github.com/github/advisory-database. If such a correction is accepted up stream, Grype will results will reflect the corrected data after about 24 hours. |
What happened:
The CVE-2016-1000027 is flagged as critical for applications using any 5.x version of the Spring Framework.
What you expected to happen:
The Spring team has explained that the CVE is invalid (spring-projects/spring-framework#24434 and details spring-projects/spring-framework#24434 (comment)), so I would expect grype not to flag it. An open issue also exists to reject this CVE: CVEProject/cvelist#5949.
How to reproduce it (as minimally and precisely as possible):
Scan with grype any application using any 5.x version of the Spring Framework.
The text was updated successfully, but these errors were encountered: