
Wrong CPE for dnsmasq #2636

Closed
edhinard opened this issue Feb 14, 2024 · 2 comments · Fixed by #2659
Labels: bug (Something isn't working)
Comments

@edhinard

What happened:
syft+grype do not detect a vulnerable version of dnsmasq on an OpenWRT device.

What you expected to happen:
One of the reasons could be that syft builds the wrong CPE: a:dnsmasq:dnsmasq:2.86-17 instead of a:thekelleys:dnsmasq:2.86 (NVD search)

Steps to reproduce the issue:
Let's try to reproduce partially on an alpine container:

cat << EOF > Dockerfile
FROM alpine:3.16
RUN apk add dnsmasq
EOF
docker build -t dnsmasqalpine .
$ /opt/syft -q scan docker:dnsmasqalpine -o json= | jq '.artifacts[] | select(.name=="dnsmasq") | .cpes'
[
  "cpe:2.3:a:dnsmasq:dnsmasq:2.86-r4:*:*:*:*:*:*:*"
]

The vendor part is not the expected one. Maybe that comes from the incomplete metadata:

$ /opt/syft -q scan docker:dnsmasqalpine -o json= | jq '.artifacts[] | select(.name=="dnsmasq") | .metadata'
{
  "package": "dnsmasq",
  "originPackage": "dnsmasq",
  "maintainer": "Natanael Copa <ncopa@alpinelinux.org>",
  "version": "2.86-r4",
  "architecture": "x86_64",
  "url": "https://www.thekelleys.org.uk/dnsmasq/",
  "description": "A lightweight DNS, DHCP, RA, TFTP and PXE server",
...

Anything else we need to know?:
In this particular case of alpine, the identification is OK and the syft+grype tandem gives expected result thanks to the correct info in the database:

| pk | id | package_name | namespace | version_constraint | version_format | cpes | related_vulnerabilities | fixed_in_versions | fix_state |
|---|---|---|---|---|---|---|---|---|---|
| 318326 | CVE-2022-0934 | dnsmasq | alpine:distro:alpine:3.16 | < 2.86-r1 | apk | | [{"id":"CVE-2022-0934","namespace":"nvd:cpe"}] | ["2.86-r1"] | fixed |
| 319506 | CVE-2023-28450 | dnsmasq | alpine:distro:alpine:3.16 | < 2.86-r4 | apk | | [{"id":"CVE-2023-28450","namespace":"nvd:cpe"}] | ["2.86-r4"] | fixed |

However, on the tested OpenWrt device and without any specific namespace there is no match with the grype database, though some entries are present with the right CPE:

| pk | id | package_name | namespace | version_constraint | version_format | cpes | related_vulnerabilities | fixed_in_versions | fix_state |
|---|---|---|---|---|---|---|---|---|---|
| 237101 | CVE-2021-45951 | dnsmasq | nvd:cpe | = 2.86 | unknown | ["cpe:2.3:a:thekelleys:dnsmasq:2.86:*:*:*:*:*:*:*"] | | | unknown |
| 237102 | CVE-2021-45952 | dnsmasq | nvd:cpe | = 2.86 | unknown | ["cpe:2.3:a:thekelleys:dnsmasq:2.86:*:*:*:*:*:*:*"] | | | unknown |
| 237103 | CVE-2021-45953 | dnsmasq | nvd:cpe | = 2.86 | unknown | ["cpe:2.3:a:thekelleys:dnsmasq:2.86:*:*:*:*:*:*:*"] | | | unknown |
| 237104 | CVE-2021-45954 | dnsmasq | nvd:cpe | = 2.86 | unknown | ["cpe:2.3:a:thekelleys:dnsmasq:2.86:*:*:*:*:*:*:*"] | | | unknown |
| 237105 | CVE-2021-45955 | dnsmasq | nvd:cpe | = 2.86 | unknown | ["cpe:2.3:a:thekelleys:dnsmasq:2.86:*:*:*:*:*:*:*"] | | | unknown |
| 237106 | CVE-2021-45956 | dnsmasq | nvd:cpe | = 2.86 | unknown | ["cpe:2.3:a:thekelleys:dnsmasq:2.86:*:*:*:*:*:*:*"] | | | unknown |
| 237107 | CVE-2021-45957 | dnsmasq | nvd:cpe | = 2.86 | unknown | ["cpe:2.3:a:thekelleys:dnsmasq:2.86:*:*:*:*:*:*:*"] | | | unknown |
| 238726 | CVE-2022-0934 | dnsmasq | nvd:cpe | < 2.87 | unknown | ["cpe:2.3:a:thekelleys:dnsmasq:*:*:*:*:*:*:*:*"] | | | unknown |
| 271623 | CVE-2023-28450 | dnsmasq | nvd:cpe | < 2.90 | unknown | ["cpe:2.3:a:thekelleys:dnsmasq:*:*:*:*:*:*:*:*"] | | | unknown |
@edhinard edhinard added the bug Something isn't working label Feb 14, 2024
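The mechanism behind the report above, as an added illustration that is not syft or grype code: a small CPE matcher is run over rows copied from the grype DB excerpt in the issue. It parses CPE 2.3 strings, builds two candidate CPEs from the apk metadata shown (vendor = package name, which is what the issue shows syft emitting, and vendor derived from the host of the upstream `url`, a heuristic assumed here), strips the distro revision (`-r4`, `-2`) before comparing versions, and shows that the `dnsmasq:dnsmasq` candidate matches nothing while the `thekelleys:dnsmasq` candidate hits every row. The `candidate_cpes`, `match`, `satisfies` and `upstream_version` functions, the version ordering, and `GRYPE_ROWS` are constructed for this example.

```python
"""Hypothetical CPE vendor/product/version matcher, constructed for this page.

Not syft or grype code. GRYPE_ROWS is copied from the nvd:cpe rows shown in
the issue; everything else is an assumption made for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Cpe:
    part: str
    vendor: str
    product: str
    version: str

    def __str__(self) -> str:
        return f"cpe:2.3:{self.part}:{self.vendor}:{self.product}:{self.version}:*:*:*:*:*:*:*"


def parse_cpe(text: str) -> Cpe:
    """Parse a CPE 2.3 formatted string: 'cpe:2.3:' plus 11 colon-separated fields."""
    fields = text.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {text!r}")
    return Cpe(part=fields[2], vendor=fields[3], product=fields[4], version=fields[5])


def upstream_version(pkg_version: str) -> str:
    """Drop a distro revision suffix: apk '2.86-r4' -> '2.86', opkg '2.62-2' -> '2.62'."""
    return re.sub(r"-r?\d+$", "", pkg_version)


def version_key(version: str) -> tuple:
    """Numeric-tuple ordering, enough for dnsmasq's X.Y releases (assumed here)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def satisfies(version: str, constraint: str) -> bool:
    """Evaluate an 'OP VERSION' constraint as written in the DB excerpt ('< 2.87', '= 2.86')."""
    op, _, bound = constraint.partition(" ")
    ops = {
        "<": lambda a, b: a < b,
        "<=": lambda a, b: a <= b,
        "=": lambda a, b: a == b,
        ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b,
    }
    return ops[op](version_key(version), version_key(bound))


def candidate_cpes(metadata: dict) -> list:
    """Build candidate CPEs from apk/opkg-style metadata.

    First candidate uses the package name as vendor (what the issue shows syft
    doing); second derives the vendor from the upstream URL host, e.g.
    https://www.thekelleys.org.uk/dnsmasq/ -> 'thekelleys'. Heuristic, assumed.
    """
    name = metadata["package"]
    version = upstream_version(metadata["version"])
    cands = [Cpe("a", name, name, version)]
    host = (urlparse(metadata.get("url", "")).hostname or "").removeprefix("www.")
    if host:
        vendor = host.split(".")[0]
        if vendor != name:
            cands.append(Cpe("a", vendor, name, version))
    return cands


# (id, cpe, version_constraint) copied from the nvd:cpe rows in the issue (subset).
GRYPE_ROWS = [
    ("CVE-2021-45951", "cpe:2.3:a:thekelleys:dnsmasq:2.86:*:*:*:*:*:*:*", "= 2.86"),
    ("CVE-2022-0934", "cpe:2.3:a:thekelleys:dnsmasq:*:*:*:*:*:*:*:*", "< 2.87"),
    ("CVE-2023-28450", "cpe:2.3:a:thekelleys:dnsmasq:*:*:*:*:*:*:*:*", "< 2.90"),
]


def match(cpes: list, rows: list) -> list:
    """Return vulnerability ids whose vendor/product match a candidate and whose
    constraint the candidate version satisfies. Vendor must be equal or '*'."""
    hits = []
    for cpe in cpes:
        for vuln_id, db_cpe_text, constraint in rows:
            db = parse_cpe(db_cpe_text)
            if db.vendor not in ("*", cpe.vendor) or db.product != cpe.product:
                continue  # this is the step the dnsmasq:dnsmasq CPE fails at
            if satisfies(cpe.version, constraint) and vuln_id not in hits:
                hits.append(vuln_id)
    return hits


# Metadata as shown in the issue's syft output (constructed subset).
ALPINE_METADATA = {"package": "dnsmasq", "version": "2.86-r4",
                   "url": "https://www.thekelleys.org.uk/dnsmasq/"}


if __name__ == "__main__":
    syft_cpe = parse_cpe("cpe:2.3:a:dnsmasq:dnsmasq:2.86-r4:*:*:*:*:*:*:*")
    print("syft CPE as reported:", match([syft_cpe], GRYPE_ROWS))
    print("with URL-derived vendor:", match(candidate_cpes(ALPINE_METADATA), GRYPE_ROWS))
```

With the CPE exactly as syft emitted it the matcher returns nothing, because no DB row has vendor `dnsmasq`; the same package with vendor `thekelleys` and the apk revision stripped hits all three rows. The OpenWrt case in the follow-up comment (`2.62-2`) behaves the same way once the vendor is right: it satisfies `< 2.87` and `< 2.90` but not `= 2.86`.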
@edhinard (Author)

Trying to reproduce with an OpenWrt container:

  1. Fetch the image
docker import http://downloads.openwrt.org/attitude_adjustment/12.09/x86/generic/openwrt-x86-generic-rootfs.tar.gz openwrt-x86-generic-rootfs
  2. List the CPE
$ /opt/syft -q scan docker:openwrt-x86-generic-rootfs -o json= | jq '.artifacts[] | select(.name=="dnsmasq") | .cpes'
[
  "cpe:2.3:a:dnsmasq:dnsmasq:2.62-2:*:*:*:*:*:*:*"
]
[
  "cpe:2.3:a:dnsmasq:dnsmasq:2.62-2:*:*:*:*:*:*:*"
]
  3. No CVE found for dnsmasq
$ /opt/syft -q scan docker:openwrt-x86-generic-rootfs -o json= | /opt/grype sbom:-
NAME          INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY
libcrypto1.1  1.1.1w-r1            apk   CVE-2024-0727  Medium
libssl1.1     1.1.1w-r1            apk   CVE-2024-0727  Medium

Expecting CVE-2022-0934 and CVE-2023-28450, which are in the grype DB.

@kzantow kzantow self-assigned this Feb 21, 2024
@kzantow (Contributor) commented Feb 22, 2024

I've done a little bit of research about this, and added a draft PR that updates the CPE to include the right vendor for apk and dpkg. HOWEVER, there's still another issue that prevents any vulnerabilities from showing up for the OpenWrt dnsmasq: this is identified as a Debian package, so Grype only uses Debian matchers. We will hopefully be able to identify these as not official Debian packages (see: #2657), which should fix the issue there. The change does work for the alpine docker image.
