fix(scan): CPE matching for OpenJDK packages #583

luhring · 2024-01-28T19:50:02Z

Syft and Grype don't seem to be handling OpenJDK properly, such that we miss valid vulnerability matches (i.e. false negatives) in our openjdk-* APKs when using Syft and Grype in wolfictl to scan the APK.

This PR implements a potentially viable workaround that lets us discover these vulnerabilities after all.

Before

$ wolfictl scan --disable-sbom-cache =(curl -sS https://packages.wolfi.dev/os/aarch64/openjdk-21-21.0.1-r0.apk)
🔎 Scanning "/tmp/zshp5wsUm"
✅ No vulnerabilities found

After

$ wolfictl scan --disable-sbom-cache =(curl -sS https://packages.wolfi.dev/os/aarch64/openjdk-21-21.0.1-r0.apk)
🔎 Scanning "/tmp/zshryD2h3"
└── 📄 /.PKGINFO
        📦 openjdk-21 21.0.1-r0 (apk)
            High CVE-2024-20918
            Medium CVE-2024-20926
            High CVE-2024-20952

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

fix(scan): CPE matching for OpenJDK packages

482ec68

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

luhring force-pushed the i-spy-openjdk branch from 49865e0 to 482ec68 Compare January 29, 2024 01:03

luhring marked this pull request as ready for review January 29, 2024 01:03

luhring requested a review from pdeslaur January 29, 2024 01:04

luhring enabled auto-merge January 29, 2024 01:07

dlorenc approved these changes Jan 29, 2024

View reviewed changes

luhring merged commit 9d776ba into wolfi-dev:main Jan 29, 2024
3 checks passed

luhring deleted the i-spy-openjdk branch January 29, 2024 02:14

luhring mentioned this pull request Jan 29, 2024

OpenJDK CPEs anchore/syft#2422

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(scan): CPE matching for OpenJDK packages #583

fix(scan): CPE matching for OpenJDK packages #583

luhring commented Jan 28, 2024

fix(scan): CPE matching for OpenJDK packages #583

fix(scan): CPE matching for OpenJDK packages #583

Conversation

luhring commented Jan 28, 2024

Before

After