Comments (7)
This is because the GitHub advisory data is currently targeting org.apache.tomcat:tomcat
which corresponds to the https://repo1.maven.org/maven2/org/apache/tomcat/tomcat/ maven artifact (a binary distribution of tomcat which isn't a jar file and syft/grype are unlikely to ever be able to surface).
I took a look at the data for CVE-2024-23672 and it appears the actual affected jars should be org.apache.tomcat:tomcat-websocket
and org.apache.tomcat.embed:tomcat-embed-websocket
. I have submitted github/advisory-database#4231 for that improvement, and if it is accepted I will take a look at the others that are currently targeting org.apache.tomcat:tomcat
from grype.
Great - I think that makes sense @westonsteimel , thanks a lot for the quick response!
from grype.
They merged it, so I've now submitted github/advisory-database#4234
Those CVE-2016 ones appear to be false positives because they are specifically an issue with how tomcat was packaged for specific distros, so we wouldn't expect it to be matched here when not using CPEs
from grype.
Nice! And I see that the second one has now been merged as well. Thanks again @westonsteimel !
from grype.
@westonsteimel - the latest vulnerability DB update now detects these Tomcat vulnerabilities!
FYI: I did have an issue with older SBOMs where these were still not being detected. This seems to have been caused by an older Syft version, where Tomcat libraries got assigned incorrect group names, e.g. org.apache.tomcat-websocket/tomcat-websocket
instead of org.apache.tomcat/tomcat-websocket
(note the extra -websocket
in the group name). The latest version of Syft does not show this behavior. I've manually patched my existing SBOMs. Thanks again!
from grype.
No worries, glad to hear it is matching now. Yeah the syft issue is because the tomcat jars don't actually have a pom file in them with the actual maven groupid and artifactid so syft attempts to guess. It is only getting a correct groupid now because of a horrible hard-coded mapping (https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/internal/cpegenerate/java_groupid_map.go#L180). We are trying to figure out a better way of handling these cases, but don't have any particularly great solutions at the moment. I believe grype supports a config option, to query a maven api by sha to get the correct groupid/artifactid and version for an artifact, but it has to make a bunch of network requests which is why it is disabled by default. I suspect it is likely we will eventually bundle the sha -> maven artifact lookup in the grype database, but that still won't help when generating an sbom with syft since it currently doesn't require a database.
Also, it is likely that more of these tomcat CVE's will come up where the GitHub data needs to be improved for matching to actually work. We are trying to address some of those, but there are ~140 of them at the moment so it will likely take awhile. If you notice any particular ones causing trouble just let us know.
Thanks!
from grype.
I'm going to go ahead and close this particular issue but feel free to submit other CVE ids when you encounter them
from grype.
Related Issues (20)
- vex documents from the --vex flag do get processed or applied to the output correctly HOT 1
- False positives when installing both libcrypto, libssl 1.1 and 3 on alpine 3.19 HOT 3
- False Positive: GHSA-jvgm-pfqv-887x CVE-2016-7954 not affected in SUSE ecosystem
- False Positive: GHSA-g98m-96g9-wfjq CVE-2019-3881 ruby2.5-rubygem-bundler in SUSE ecosystem
- Fails to parse go stdlib version when experiments are set HOT 5
- False positive: GHSA-jphg-qwrw-7w9g (CVE-2020-10663) in SLES 15.5
- False positives for github.com/hashicorp/consul: Installed version reported as v0.0.0 HOT 3
- Support for Fedora CoreOS 36 -> OKD/OpenShift HOT 2
- Scan Directory: Add (git) version HOT 2
- Refactor matching process to be chained processors
- False positive: GHSA-537h-rv9q-vvph (CVE-2020-13757) in SLES 15.5
- False positive: GHSA-gwfg-cqmg-cf8f (CVE-2020-25613) in SLES 15.5
- False positive: GHSA-9w8r-397f-prfh (CVE-2021-20270), GHSA-pq64-v7f5-gqh8 (CVE-2021-27291) in SLES 15.5
- Inconsistent naming of matchDetails.searchedBy.package field
- Latest database cannot be downloaded via grype db update HOT 2
- Template models use go structs instead of JSON shape
- Grype should respect `--source-name` and `--source-version` as Syft does
- grype db import fails
- Grype failed to load vulnerability database: database metadata not found
- @jridgewell/gen-mapping incorrectly attributed GHSA-8rmg-jf7p-4p22
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from grype.