
Comments (7)

westonsteimel avatar westonsteimel commented on May 24, 2024

This is because the GitHub advisory data is currently targeting org.apache.tomcat:tomcat, which corresponds to the https://repo1.maven.org/maven2/org/apache/tomcat/tomcat/ maven artifact (a binary distribution of tomcat which isn't a jar file and which syft/grype are unlikely to ever be able to surface).

I took a look at the data for CVE-2024-23672 and it appears the actual affected jars should be org.apache.tomcat:tomcat-websocket and org.apache.tomcat.embed:tomcat-embed-websocket. I have submitted github/advisory-database#4231 for that improvement, and if it is accepted I will take a look at the others that are currently targeting org.apache.tomcat:tomcat.

from grype.

dbrugman avatar dbrugman commented on May 24, 2024

Great, I think that makes sense @westonsteimel, thanks a lot for the quick response!


westonsteimel avatar westonsteimel commented on May 24, 2024

They merged it, so I've now submitted github/advisory-database#4234.

Those CVE-2016 ones appear to be false positives because they are specifically an issue with how tomcat was packaged for specific distros, so we wouldn't expect them to be matched here when not using CPEs.


dbrugman avatar dbrugman commented on May 24, 2024

Nice! And I see that the second one has now been merged as well. Thanks again @westonsteimel!


dbrugman avatar dbrugman commented on May 24, 2024

@westonsteimel, the latest vulnerability DB update now detects these Tomcat vulnerabilities!

FYI: I did have an issue with older SBOMs where these were still not being detected. This seems to have been caused by an older Syft version, where Tomcat libraries got assigned incorrect group names, e.g. org.apache.tomcat-websocket/tomcat-websocket instead of org.apache.tomcat/tomcat-websocket (note the extra -websocket in the group name). The latest version of Syft does not show this behavior. I've manually patched my existing SBOMs. Thanks again!


westonsteimel avatar westonsteimel commented on May 24, 2024

No worries, glad to hear it is matching now. Yeah, the syft issue is because the tomcat jars don't actually have a pom file in them with the actual maven groupId and artifactId, so syft attempts to guess. It is only getting a correct groupId now because of a horrible hard-coded mapping (https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/internal/cpegenerate/java_groupid_map.go#L180). We are trying to figure out a better way of handling these cases, but don't have any particularly great solutions at the moment. I believe grype supports a config option to query a maven API by SHA to get the correct groupId/artifactId and version for an artifact, but it has to make a bunch of network requests, which is why it is disabled by default. I suspect it is likely we will eventually bundle the SHA -> maven artifact lookup in the grype database, but that still won't help when generating an SBOM with syft since it currently doesn't require a database.

Also, it is likely that more of these tomcat CVEs will come up where the GitHub data needs to be improved for matching to actually work. We are trying to address some of those, but there are ~140 of them at the moment so it will likely take a while. If you notice any particular ones causing trouble, just let us know.

Thanks!

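The mis-guessed group id dbrugman describes (org.apache.tomcat-websocket/tomcat-websocket from an older Syft, which westonsteimel attributes to the missing pom in the Tomcat jars) can be found and corrected in an existing SBOM before re-scanning. The script below is an added example, not code from the thread or from the Syft/Grype projects; it operates on a small constructed CycloneDX-style fragment and only rewrites a group id that matches the specific broken pattern, leaving correct org.apache.tomcat.embed entries alone.

```python
import json
import re

# Constructed CycloneDX-style fragment (not taken from the thread): one component
# carries the old Syft mis-guess, the other is already correct and must be left alone.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "tomcat-websocket", "version": "9.0.85",
         "group": "org.apache.tomcat-websocket",
         "purl": "pkg:maven/org.apache.tomcat-websocket/tomcat-websocket@9.0.85"},
        {"name": "tomcat-embed-websocket", "version": "9.0.85",
         "group": "org.apache.tomcat.embed",
         "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-websocket@9.0.85"},
    ],
}

PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@]+)@(?P<version>.+)$")


def fix_tomcat_group(purl: str) -> str:
    """Return the purl with the Tomcat group id corrected, or unchanged.

    The defect fixed is a group id that repeats the artifact's suffix
    (org.apache.tomcat-websocket for artifact tomcat-websocket). No such group
    exists on Maven Central, so advisory data can never match it.
    """
    m = PURL_RE.match(purl)
    if not m:
        return purl
    group, artifact = m.group("group"), m.group("artifact")
    if artifact.startswith("tomcat-") and group == "org.apache.tomcat" + artifact[len("tomcat"):]:
        return purl.replace(f"/{group}/", "/org.apache.tomcat/", 1)
    return purl


def patch_sbom(sbom: dict) -> list:
    """Rewrite affected components in place; return (old_purl, new_purl) pairs."""
    changes = []
    for comp in sbom.get("components", []):
        old = comp.get("purl")
        if not old:
            continue
        new = fix_tomcat_group(old)
        if new != old:
            comp["purl"] = new
            comp["group"] = "org.apache.tomcat"  # keep the group field consistent with the purl
            changes.append((old, new))
    return changes


if __name__ == "__main__":
    for old, new in patch_sbom(SAMPLE_SBOM):
        print(f"{old} -> {new}")
    print(json.dumps(SAMPLE_SBOM, indent=2))
```

For a real SBOM, load the file with json.load, run patch_sbom, write it back, and re-run grype on the result; anything still unmatched is then an advisory-data problem rather than a naming problem.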

westonsteimel avatar westonsteimel commented on May 24, 2024

I'm going to go ahead and close this particular issue, but feel free to submit other CVE ids when you encounter them.

