
grype showing disputed CVE in Mariner 2.0 #246

Closed
eric-desrochers opened this issue Jul 17, 2023 · 9 comments
Labels: bug (Something isn't working)

@eric-desrochers
eric-desrochers commented Jul 17, 2023

What happened:

Grype reports DISPUTED CVEs.

For instance, CVE-2023-0687 is not only DISPUTED upstream https://nvd.nist.gov/vuln/detail/CVE-2023-0687
but also in our OVAL file as follows: Not Applicable

https://raw.githubusercontent.com/microsoft/CBL-MarinerVulnerabilityData/main/cbl-mariner-2.0-oval.xml

    <definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:13348" version="0">
      <metadata>
        <title>CVE-2023-0687 affecting package glibc 2.35-4</title>
        <affected family="unix">
          <platform>CBL-Mariner</platform>
        </affected>
        <reference ref_id="CVE-2023-0687" ref_url="https://nvd.nist.gov/vuln/detail/CVE-2023-0687" source="CVE"/>
    ==>    <patchable>Not Applicable</patchable>
        <advisory_id>13348</advisory_id>
        <severity>Critical</severity>
        <description>CVE-2023-0687 affecting package glibc 2.35-4. This CVE either no longer is or was never applicable.</description>
      </metadata>
      <criteria operator="AND">
        <criterion comment="Package glibc is installed with version 2.35-4 or earlier" test_ref="oval:com.microsoft.cbl-mariner:tst:13348000"/>
      </criteria>
    </definition>

What you expected to happen:
We expect grype to not report the CVE with patchable set to 'Not Applicable'.

How to reproduce it (as minimally and precisely as possible):
grype mcr.microsoft.com/cbl-mariner/base/core:2.0

 ✔ Vulnerability DB                [updated]
 ✔ Parsed image                    sha256:1f28c8aa4ec798dfd78fc26e14165be1812c2767b36382e324113ef09afac75f
 ✔ Cataloged packages              [72 packages]
 ✔ Scanned for vulnerabilities     [8 vulnerabilities]
   ├── 1 critical, 6 high, 1 medium, 0 low, 0 negligible
   └── 0 fixed
NAME       INSTALLED     FIXED-IN  TYPE  VULNERABILITY   SEVERITY
glibc      2.35-3.cm2              rpm   CVE-2010-4756   Medium
glibc      2.35-3.cm2              rpm   CVE-2021-3998   High
glibc      2.35-3.cm2              rpm   CVE-2023-0687   Critical
libgcc     11.2.0-4.cm2            rpm   CVE-2022-41724  High
libgcc     11.2.0-4.cm2            rpm   CVE-2022-41725  High
libstdc++  11.2.0-4.cm2            rpm   CVE-2022-41724  High
libstdc++  11.2.0-4.cm2            rpm   CVE-2022-41725  High
nghttp2    1.46.0-2.cm2            rpm   CVE-2021-46023  High

Anything else we need to know?:

Environment:

- Output of `grype version`:
Application:          grype
Version:              0.64.1
Syft Version:         v0.85.0
BuildDate:            2023-07-17T20:31:39Z
GitCommit:            43bcf301c445d13360d724971fd089cd7a61ead9
GitDescription:       v0.64.1
Platform:             linux/amd64
GoVersion:            go1.19.10
Compiler:             gc
Supported DB Schema:  5
- OS (e.g. cat /etc/os-release or similar):
NAME="Common Base Linux Mariner"
VERSION="2.0.20230621"
ID=mariner
VERSION_ID="2.0"
PRETTY_NAME="CBL-Mariner/Linux"
ANSI_COLOR="1;34"
HOME_URL="https://aka.ms/cbl-mariner"
BUG_REPORT_URL="https://aka.ms/cbl-mariner"
SUPPORT_URL="https://aka.ms/cbl-mariner"
@willmurphyscode (Contributor)

Thanks for the bug report @eric-desrochers!

It sounds like <patchable>Not Applicable</patchable> means we should exclude the vulnerability from our checks.

Are there other statuses in <patchable> or elsewhere that should cause the record to be excluded from matching?

@eric-desrochers (Author)

eric-desrochers commented Jul 18, 2023

We have 3 values:

True = Fixed
False = Unfixed (maybe there is no upstream fix available for this CVE, we haven't fixed it, ... it depends)
Not Applicable = This CVE does not affect Mariner.

Could you please make sure 'Not Applicable' is excluded from the scan CVE report?
Does grype have a parameter to exclude unfixed CVEs?

As a reference:
For instance, trivy has an --ignore-unfixed parameter which will exclude the False ones, but only if this parameter is set.
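To make the three `<patchable>` states concrete, here is an added example (not grype's or CBL-Mariner's own code) that parses a feed in the shape of cbl-mariner-2.0-oval.xml and decides which definitions a scanner should match on: "Not Applicable" records are always dropped, and "False" records are dropped only under an opt-in only-fixed mode, which is the trivy --ignore-unfixed / grype --only-fixed behaviour described above. The embedded XML is constructed: its first definition is the CVE-2023-0687 record quoted in this issue, the other two are placeholder entries (CVE-0000-1111, CVE-0000-2222, not real feed entries) that cover the False and True cases; the function names and the regex over the criterion comment are this example's own assumptions about the feed format.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample feed (see lead-in). Only the CVE-2023-0687 record is
# taken from the real feed as quoted in this issue; the other two are
# placeholders so every <patchable> value the maintainer listed appears once.
SAMPLE_OVAL = """<?xml version="1.0" encoding="utf-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:13348" version="0">
      <metadata>
        <title>CVE-2023-0687 affecting package glibc 2.35-4</title>
        <affected family="unix"><platform>CBL-Mariner</platform></affected>
        <reference ref_id="CVE-2023-0687" ref_url="https://nvd.nist.gov/vuln/detail/CVE-2023-0687" source="CVE"/>
        <patchable>Not Applicable</patchable>
        <advisory_id>13348</advisory_id>
        <severity>Critical</severity>
        <description>CVE-2023-0687 affecting package glibc 2.35-4. This CVE either no longer is or was never applicable.</description>
      </metadata>
      <criteria operator="AND">
        <criterion comment="Package glibc is installed with version 2.35-4 or earlier" test_ref="oval:com.microsoft.cbl-mariner:tst:13348000"/>
      </criteria>
    </definition>
    <definition class="vulnerability" id="oval:example:def:1" version="0">
      <metadata>
        <title>CVE-0000-1111 affecting package example-unfixed 1.0-1</title>
        <reference ref_id="CVE-0000-1111" ref_url="https://nvd.nist.gov/vuln/detail/CVE-0000-1111" source="CVE"/>
        <patchable>False</patchable>
        <severity>High</severity>
      </metadata>
      <criteria operator="AND">
        <criterion comment="Package example-unfixed is installed with version 1.0-1 or earlier" test_ref="oval:example:tst:1"/>
      </criteria>
    </definition>
    <definition class="vulnerability" id="oval:example:def:2" version="0">
      <metadata>
        <title>CVE-0000-2222 affecting package example-fixed 2.0-3</title>
        <reference ref_id="CVE-0000-2222" ref_url="https://nvd.nist.gov/vuln/detail/CVE-0000-2222" source="CVE"/>
        <patchable>True</patchable>
        <severity>Medium</severity>
      </metadata>
      <criteria operator="AND">
        <criterion comment="Package example-fixed is installed with version 2.0-3 or earlier" test_ref="oval:example:tst:2"/>
      </criteria>
    </definition>
  </definitions>
</oval_definitions>
"""

# Assumed shape of the criterion comment in the Mariner feed (matches the
# record quoted in the issue); used to recover the package and the
# "fixed or earlier" version boundary the test refers to.
CRITERION_RE = re.compile(r"Package (\S+) is installed with version (\S+) or earlier")


def _local(tag):
    """Strip the XML namespace so the parser works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_definitions(xml_text):
    """Return one dict per <definition class="vulnerability"> in the feed."""
    root = ET.fromstring(xml_text)
    records = []
    for el in root.iter():
        if _local(el.tag) != "definition" or el.get("class") != "vulnerability":
            continue
        rec = {"id": el.get("id"), "cve": None, "patchable": None,
               "severity": None, "package": None, "version": None}
        for child in el.iter():
            name = _local(child.tag)
            if name == "reference" and child.get("source") == "CVE":
                rec["cve"] = child.get("ref_id")
            elif name == "patchable":
                # Normalise case: the feed's exact casing is not relied upon.
                rec["patchable"] = (child.text or "").strip().lower()
            elif name == "severity":
                rec["severity"] = (child.text or "").strip()
            elif name == "criterion":
                m = CRITERION_RE.search(child.get("comment", ""))
                if m:
                    rec["package"], rec["version"] = m.group(1), m.group(2)
        records.append(rec)
    return records


def select_for_matching(records, only_fixed=False):
    """Keep the records a scanner should match on.

    'not applicable' is never matched (the CVE does not affect the distro, so
    the version criterion alone would produce a false positive, as it did for
    glibc 2.35-3.cm2 in this issue). 'false' (unfixed) is kept by default and
    dropped only when the caller opts in, mirroring --only-fixed.
    """
    kept = []
    for rec in records:
        if rec["patchable"] == "not applicable":
            continue
        if only_fixed and rec["patchable"] != "true":
            continue
        kept.append(rec)
    return kept


def matching_cves(records, only_fixed=False):
    """CVE IDs that remain after applying the patchable policy."""
    return [r["cve"] for r in select_for_matching(records, only_fixed)]


if __name__ == "__main__":
    recs = parse_definitions(SAMPLE_OVAL)
    for r in recs:
        print(r)
    print("default matching set:", matching_cves(recs))
    print("only-fixed matching set:", matching_cves(recs, only_fixed=True))
```

The point of doing this at feed-ingestion time rather than in the scanner's output filter is the one the maintainers settled on below: once the "Not Applicable" definition is never written into the vulnerability database, every consumer of that database stops reporting it, regardless of scanner version.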

@willmurphyscode (Contributor)

> Could you please make sure 'Not Applicable' is excluded from the scan CVE report?

Yes. I'll have a pull request up today.

> Does grype have a parameter to exclude unfixed CVEs?

Yes. Grype accepts --only-fixed or --only-notfixed.

@eric-desrochers (Author)

Awesome, thanks!

@eric-desrochers (Author)

What version of grype will introduce this change?

@willmurphyscode (Contributor)

Hi @eric-desrochers, the fix ended up being in our vulnerability database generation, not in grype itself, so it won't be tied to a grype version. I expect to release the updated vulnerability DB overnight tomorrow, so users of grype should start seeing the fix on Thursday morning.

@robert-thorne

@willmurphyscode - Thanks for dealing with this issue so quickly :-)

@robert-thorne

Just verified our code scans against the cbl-mariner images and all the vulnerabilities have now gone from the scan report.

@eric-desrochers (Author)

I confirmed:

$ grype mcr.microsoft.com/cbl-mariner/base/core:2.0
 ✔ Vulnerability DB                [updated]
 ✔ Parsed image                    sha256:67b1e4892c667ff91fa1514c168863ad924f19e18225d93f42b19390b116bdca
 ✔ Cataloged packages              [69 packages]
 ✔ Scanned for vulnerabilities     [1 vulnerabilities]
   ├── 0 critical, 0 high, 1 medium, 0 low, 0 negligible
   └── 0 fixed
NAME   INSTALLED   FIXED-IN  TYPE  VULNERABILITY  SEVERITY
glibc  2.35-3.cm2            rpm   CVE-2010-4756  Medium
$ grype mcr.microsoft.com/cbl-mariner/base/core:2.0 --only-fixed
 ✔ Vulnerability DB                [no update available]
 ✔ Parsed image                                                                               sha256:67b1e4892c667ff91fa1514c168863ad924f19e18225d93f42b19390b116bdca
 ✔ Cataloged packages              [69 packages]
 ✔ Scanned for vulnerabilities     [1 vulnerabilities]
   ├── 0 critical, 0 high, 1 medium, 0 low, 0 negligible
   └── 0 fixed
No vulnerabilities found

@willmurphyscode willmurphyscode transferred this issue from anchore/grype Jul 20, 2023