Comments (5)
Creating an array of match types seems confusing, particularly in cases where things like the fix info could be different in the matched records. Doesn't the match logic first do directs, then indirect matching? That seems like a natural place to prune duplicate indirect matches since those are by definition less accurate to the package being matched (e.g. the fix version may not even be something that the actual package can be upgraded to).
I understand that there are likely some strange corner cases around multiple-fixes for the same CVE over time, but most OS vendors don't publish vuln records only for a source package if the binary packages haven't been rebuilt on that yet, so I think those kinds of cases are likely to be very rare.
from grype.
Oh, we also need to do the filtering based off of direct match prior to filtering out matches based on affected version constraint otherwise you'd end up with cases where a package may appear vulnerable to the indirect match version range but was not vulnerable to the direct match range
from grype.
Creating an array of match types seems confusing...
yeah, the JQ expression above was really a summarization of the effect. The goal isn't to create an array of match types, but to instead leverage the existing matchDetails[]
array. So for example:
[
{
"vulnerability": {
"id": "ELSA-2021-1678",
"dataSource": "https://linux.oracle.com/errata/ELSA-2021-1678.html",
"namespace": "oracle:distro:oraclelinux:8",
"severity": "Medium",
"fix": {
"versions": [
"0:1.28-419.el8"
],
"state": "fixed"
},
"advisories": []
},
"matchDetails": [
{
"type": "exact-direct-match",
"matcher": "rpm-matcher",
"searchedBy": {
"distro": {
"type": "oraclelinux",
"version": "8.3"
},
"namespace": "oracle:distro:oraclelinux:8",
"package": {
"name": "perl-Errno",
"version": "0:1.28-417.el8_3"
}
},
"found": {
"versionConstraint": "< 0:1.28-419.el8 (rpm)",
"vulnerabilityID": "ELSA-2021-1678"
}
}
],
"artifact": {
"id": "5bc7f8ad86b036d5",
"name": "perl-Errno",
"version": "0:1.28-417.el8_3",
"type": "rpm",
"purl": "pkg:rpm/ol/[email protected]_3?arch=x86_64&epoch=0&upstream=perl-5.26.3-417.el8_3.src.rpm&distro=ol-8.3",
"upstreams": [
{
"name": "perl",
"version": "5.26.3-417.el8_3"
}
]
}
},
{
"vulnerability": {
"id": "ELSA-2021-1678",
"dataSource": "https://linux.oracle.com/errata/ELSA-2021-1678.html",
"namespace": "oracle:distro:oraclelinux:8",
"severity": "Medium",
"fix": {
"versions": [
"4:5.26.3-419.el8"
],
"state": "fixed"
},
"advisories": []
},
"matchDetails": [
{
"type": "exact-indirect-match",
"matcher": "rpm-matcher",
"searchedBy": {
"distro": {
"type": "oraclelinux",
"version": "8.3"
},
"namespace": "oracle:distro:oraclelinux:8",
"package": {
"name": "perl",
"version": "5.26.3-417.el8_3"
}
},
"found": {
"versionConstraint": "< 4:5.26.3-419.el8 (rpm)",
"vulnerabilityID": "ELSA-2021-1678"
}
}
],
"artifact": {
"id": "5bc7f8ad86b036d5",
"name": "perl-Errno",
"version": "0:1.28-417.el8_3",
"type": "rpm",
"purl": "pkg:rpm/ol/[email protected]_3?arch=x86_64&epoch=0&upstream=perl-5.26.3-417.el8_3.src.rpm&distro=ol-8.3",
"upstreams": [
{
"name": "perl",
"version": "5.26.3-417.el8_3"
}
]
}
}
]
Would be summarized to:
[
{
"vulnerability": {
"id": "ELSA-2021-1678",
"dataSource": "https://linux.oracle.com/errata/ELSA-2021-1678.html",
"namespace": "oracle:distro:oraclelinux:8",
"severity": "Medium",
"fix": {
"versions": [
"0:1.28-419.el8"
],
"state": "fixed"
},
"advisories": []
},
"matchDetails": [
{
"type": "exact-direct-match",
"matcher": "rpm-matcher",
"searchedBy": {
"distro": {
"type": "oraclelinux",
"version": "8.3"
},
"namespace": "oracle:distro:oraclelinux:8",
"package": {
"name": "perl-Errno",
"version": "0:1.28-417.el8_3"
}
},
"found": {
"versionConstraint": "< 0:1.28-419.el8 (rpm)",
"vulnerabilityID": "ELSA-2021-1678"
}
},
{
"type": "exact-indirect-match",
"matcher": "rpm-matcher",
"searchedBy": {
"distro": {
"type": "oraclelinux",
"version": "8.3"
},
"namespace": "oracle:distro:oraclelinux:8",
"package": {
"name": "perl",
"version": "5.26.3-417.el8_3"
}
},
"found": {
"versionConstraint": "< 4:5.26.3-419.el8 (rpm)",
"vulnerabilityID": "ELSA-2021-1678"
}
}
],
"artifact": {
"id": "5bc7f8ad86b036d5",
"name": "perl-Errno",
"version": "0:1.28-417.el8_3",
"type": "rpm",
"purl": "pkg:rpm/ol/[email protected]_3?arch=x86_64&epoch=0&upstream=perl-5.26.3-417.el8_3.src.rpm&distro=ol-8.3",
"upstreams": [
{
"name": "perl",
"version": "5.26.3-417.el8_3"
}
]
}
}
]
One match with multiple match details, just as we do today.
from grype.
I'm still not sure we have a good justification for showing both indirect and direct matches for the same vulnerability in the same namespace. Is there are case where we need to do that because it helps the user make a different decision?
from grype.
When we make a match we try not to drop it unless we're sure it's wrong or the user has an ignore rule for it -- neither really apply in this case. The upside of including multiple match details is that it can be used as input into a confidence value for this merged match (not implemented yet), where the more ways we reach the same match then the more confident we are of the match as a whole.
from grype.
Related Issues (20)
- FP CVE-2024-20932 on jdk8 HOT 2
- Add `--from` flag
- Deduplicate vulnerabilities for SUSE linux
- Exit with a different return code for a failed scan HOT 2
- False positive: GHSA-v973-fxgf-6xhp (CVE-2022-40023) python3-Mako in SLES 15.5 Ecosystem
- False positive: GHSA-qwmp-2cf2-g9g6 (CVE-2022-40898) in SLES 15.5 Ecosystem
- False positive: GHSA-v3c5-jqr6-7qm8 (CVE-2022-40899) in SLES 15.5 Ecosystem
- False positive: GHSA-w596-4wvx-j9j6 (CVE-2022-42969) in SLES 15.5 Ecosystem
- Remove wordpress mentions in false positive list HOT 2
- Look at package rebuild info on advisories for indirect matches HOT 2
- False positive: GHSA-x4qr-2fvf-3mr5 (CVE-2023-0286), GHSA-jfhm-5ghh-2f97 (CVE-2023-49083) in SLES 15.5 Ecosystem but trigger by cryptography
- False positive: GHSA-xg9f-g7g7-2323 (CVE-2023-25577) python3-Werkzeug in SLES 15.5 Ecosystem HOT 1
- False positive: GHSA-m2qf-hxjv-5gpq (CVE-2023-30861) python3-Flash in SLES 15.5 Ecosystem
- Can you control the internal format used by Syft when scanning a directory? HOT 3
- grype db is not being downloaded HOT 4
- Grype appears to be writing v1.6 spec cyclonedx files that grype itself cannot read (affects 0.79.0+) HOT 5
- False positive: GHSA-v845-jxx5-vc9f (CVE-2023-43804) python3-urllib3 in SLES 15.5 Ecosystem
- Possible FP - CVE-2019-10222 ceph in ec2 linux
- False positive: GHSA-v5h6-c2hv-hv3r (CVE-2024-27280) ruby2.5-stdlib in SLES 15.5 Ecosystem
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from grype.