-
Notifications
You must be signed in to change notification settings - Fork 533
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Not applying Alpine secdb data correctly for "edge" #964
Comments
I did some work this morning on this issue and found that after updating to match against the edge feed there are some new dragons here. New vulnerability list from grype when matching against the edge data
@luhring it looks like packages like Since it's a smaller slice of the library and cut from < 3.0.0 we're matching against the WHOLE of upstream openssl. Do you know if packages like "Yes, we are cut from openssl at comitt=xxxxx, BUT CVE-xxx does not apply since we don't import the (cypher, library, etc) that would the reported vulnerability apply" On the positive side the other FP have gone away and I believe the final zlib entry to be a True Positive
|
Looking more at this it might also be that syft is getting the upstream wrong here Let me see if we can update these packages to use the more precise upstream to show how that affects the data |
When parsing the DB entry in syft for
I think this should be updated to This will narrow the surface area of the edge feed so we can match it against the correct upstream package the libraries were cut from: Here is an example of the results where this upstream data has been fixed and is
|
This is interesting:
pkgname=openssl
pkgver=3.0.5
pkgname=openssl1.1-compat
pkgver=1.1.1q When I go to https://pkgs.alpinelinux.org/package/edge/main/x86/libcrypto1.1# I see it's derived from openssl1.1-compat so I'm thinking I need to learn a bit more about where that |
@spiffcs @wagoodman I think this can maybe be simplified a bit. I've gotten clarification that official releases of Alpine always have three digits -> This means there's no need to look specifically for "alpha", or other version format variations, or an empty string, etc. I know there's a related problem (but distinct from this bug report) where the distro version isn't making it into Grype when the version can't be parsed by hashiVer. As I understand the situation, we can defer solving that, because that results an empty string, which should be recognized as edge because it's not Re: upstream/origin matching, I'm not sure what's going on there, but I'm assuming that's a separate problem from the idea of using edge secfixes. Let me know if I've misunderstood here! |
Summary
Grype does not handle apk matching correctly for "edge" versions of Alpine.
When scanning a container image that uses an "edge" version of Alpine (i.e. a version beyond the last official release), Grype does not apply any secdb fixes to its matching (when it should apply fixes from the "edge" secdb data, that is, from
https://secdb.alpinelinux.org/edge/
).This behavior results in false positives.
Example
We can look at the
alpine:edge
image on Docker Hub. Here's the distro information from Syft:We know this image uses an "edge" version of Alpine, because the latest release of Alpine (today) is
3.16
, yet this image is using3.17_alpha20220715
.Here's what Grype reports for this image:
For this example we'll look at the first reported vulnerability,
busybox
being affected byCVE-2022-28391
(although you can follow these steps for the fourth reported vulnerability (CVE-2018-25032), too).We can look up the secfixes data for busybox:
This shows that for busybox, the vulnerability
CVE-2022-28391
was resolved as of1.35.0-r7
. The version of busybox installed in the image is1.35.0-r18
, which is beyond the fix version and this not affected by CVE-2022-28391, but it's still showing up in Grype's output.Feel free to ping me if you have any questions!
The text was updated successfully, but these errors were encountered: