
Grype inconsistent output between squashed and all-layers representation #894

Closed
workerus opened this issue Aug 24, 2022 · 4 comments
Labels: bug (Something isn't working)


workerus commented Aug 24, 2022

What happened:

$ grype libtiff_dev:test
:
✔ Cataloged packages [140 packages]
✔ Scanned image [6 vulnerabilities]

$ grype libtiff_dev:test --scope all-layers
:
✔ Cataloged packages [130 packages] <===
✔ Scanned image [0 vulnerabilities] <===
No vulnerabilities found

What you expected to happen:
My understanding, correct me if I am wrong, is that the results should report the same number or more vulnerabilities and packages with the "--scope all-layers" option than with the default squashed scanning.

How to reproduce it (as minimally and precisely as possible):

Build an image from a Dockerfile with the following content.

FROM registry.suse.com/bci/bci-base:15.3.17.20.12

RUN zypper in -y --no-recommends libtiff-devel=4.0.9-150000.45.8.1

and scan the image with two options mentioned above.

Anything else we need to know?:

Environment:

  • Output of grype version:

$ grype version
Application: grype
Version: 0.47.0
Syft Version: v0.54.0
BuildDate: 2022-08-18T00:35:51Z
GitCommit: 08b4ef4
GitDescription: v0.47.0
Platform: linux/amd64
GoVersion: go1.18.1
Compiler: gc
Supported DB Schema: 4

  • OS (e.g: cat /etc/os-release or similar):
    Ubuntu 18.04.5 LTS \n \l
workerus added the bug label Aug 24, 2022
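A regression check for the behaviour reported above, added here as an example and not part of the issue or of the grype project: it runs grype twice on an image (default squashed scope and `--scope all-layers`, both with `-o json`) and lists every vulnerability match that the all-layers scan dropped relative to the squashed one, which should normally be an empty set. It assumes the `matches[].vulnerability.id` and `matches[].artifact.{name,version}` fields of grype's JSON output; the sample documents and the CVE identifier in them are constructed placeholders.

```python
"""Check that grype's all-layers scan never reports fewer matches than the squashed scan.

Usage: python check_scope.py IMAGE
Exits non-zero if the all-layers scan dropped any package or vulnerability.
"""
import json
import subprocess
import sys


def load_matches(doc):
    """Return (packages, vulns) sets from a grype JSON document (assumed schema)."""
    pkgs, vulns = set(), set()
    for m in doc.get("matches", []):
        art = m["artifact"]
        pkgs.add((art["name"], art["version"]))
        vulns.add((m["vulnerability"]["id"], art["name"], art["version"]))
    return pkgs, vulns


def missing_in_all_layers(squashed_doc, all_layers_doc):
    """Matches present in the squashed scan but absent from the all-layers scan.

    all-layers sees every layer the squashed view sees, so both lists should be empty;
    anything listed here is the inconsistency this issue describes."""
    s_pkgs, s_vulns = load_matches(squashed_doc)
    a_pkgs, a_vulns = load_matches(all_layers_doc)
    return {"packages": sorted(s_pkgs - a_pkgs),
            "vulnerabilities": sorted(s_vulns - a_vulns)}


def run_grype(image, scope=None):
    """Run grype on IMAGE with JSON output, optionally with --scope SCOPE."""
    cmd = ["grype", image, "-o", "json"]
    if scope:
        cmd += ["--scope", scope]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


# Constructed sample documents mirroring the report: the squashed scan matches one
# vulnerable libtiff-devel package, the all-layers scan reports nothing at all.
SAMPLE_SQUASHED = {"matches": [{"vulnerability": {"id": "CVE-EXAMPLE-0001"},  # placeholder id
                                "artifact": {"name": "libtiff-devel", "version": "4.0.9-5.30.28"}}]}
SAMPLE_ALL_LAYERS = {"matches": []}

if __name__ == "__main__":
    image = sys.argv[1]
    gap = missing_in_all_layers(run_grype(image), run_grype(image, "all-layers"))
    print(json.dumps(gap, indent=2))
    sys.exit(1 if gap["packages"] or gap["vulnerabilities"] else 0)
```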

tgerla (Contributor) commented Aug 29, 2022

Hi @workerus, thanks for the report. I am working to reproduce, but I could use a little help. I am using your Dockerfile contents but when I build it, I get:

#5 4.664 Package 'libtiff-devel-4.0.9-150000.45.8.1' not found.

Removing the "150000.45.8.1" part of the version like this:

RUN zypper in -y --no-recommends libtiff-devel-4.0.9

...builds successfully, but grype returns 0 vulnerabilities for both commands. Running syft on my image shows me that it's pulling in this version of libtiff-devel:

libtiff-devel            4.0.9-150000.45.11.1                    rpm

...which maybe doesn't have the 4 vulnerabilities.

I am not a SuSE expert; do you know if perhaps there's a way for me to get hold of the older version of libtiff-devel?

Thanks for the report, and thanks for the help reproducing!

Tim

workerus (Author) commented Aug 31, 2022

Thank you, Tim (@tgerla), for checking it. Please try to build an image with the following Dockerfile:

FROM registry.suse.com/suse/sle15:15.3.17.20.20

RUN zypper ar --gpgcheck-strict -f http://download.opensuse.org/distribution/leap/15.3/repo/oss LEAP_15.3 \
    && zypper --gpg-auto-import-keys refresh -f -r LEAP_15.3 \
    && zypper in -y libtiff-devel=4.0.9-5.30.28

and scan this image:

./grype libtiff-devel
✔ Vulnerability DB [updated]
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [143 packages]
✔ Scanned image [38 vulnerabilities]

./grype libtiff-devel --scope all-layers
✔ Vulnerability DB [no update available]
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [130 packages]
✔ Scanned image [0 vulnerabilities]
No vulnerabilities found

tgerla (Contributor) commented Aug 31, 2022

OK, I have it showing the same results now. We will investigate and get back to you. Thanks for the update!

kzantow (Contributor) commented Oct 18, 2022

This should be corrected in the latest Grype release - v0.59.0, please let us know if it is not!

kzantow closed this as completed Oct 18, 2022