
False positive in dotnet Akka.NET - CVE-2017-1000034

Open josetirablaz opened this issue 1 year ago • 4 comments

What happened: After scanning a .NET solution that contains the Akka package, a wrong vulnerability is reported.

Here is the report:

NAME                             INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
Akka                             1.4.45               dotnet  CVE-2017-1000034     High

What you expected to happen: CVE-2017-1000034 for Akka JVM should not be reported for Akka.NET.

How to reproduce it (as minimally and precisely as possible):

grype petabridge/lighthouse

Anything else we need to know?: All Akka vulnerabilities from JVM version are reported as Akka.NET vulnerabilities also.

Environment:

  • Output of grype version:
Application:          grype
Version:              0.59.0
Syft Version:         v0.74.0
BuildDate:            2023-03-03T21:34:44Z
GitCommit:            5754360376ace11befb1bd9fa4b0f97d79ea2344
GitDescription:       v0.59.0
Platform:             windows/amd64
GoVersion:            go1.19.6
Compiler:             gc
Supported DB Schema:  5
  • OS (e.g: cat /etc/os-release or similar):
Windows 10 21H2 (OS Build 19044.2604)

josetirablaz avatar Mar 07 '23 13:03 josetirablaz

Hi @josetirablaz, thanks for the report. Do you happen to have a publicly available image that we can use to reproduce this? That would help us a lot. Thanks!

tgerla avatar Mar 09 '23 21:03 tgerla

Hi @tgerla

Here is an image to reproduce the false positive: Petabridge/Lighthouse on hub.docker.com

josetirablaz avatar Mar 14 '23 09:03 josetirablaz

Thanks @josetirablaz! We will take a look as soon as we can.

tgerla avatar Mar 15 '23 13:03 tgerla

Hi @josetirablaz, thanks for the issue!

To help future investigations, here's a oneliner with a digest that reproduces this positive result (some of these get hard to investigate if the image tag moves):

grype --platform linux/amd64 \
petabridge/lighthouse@sha256:be3b3df2f548cac599b253d9a8f2dc2d5089e9bea35b976ce22739eb9691d7ff | \
grep CVE-2017-1000034

Trying to understand what happens in a bit more detail here, looking at the match details:

CVE-2017-1000034 from https://nvd.nist.gov/vuln/detail/CVE-2017-1000034
  matched artifact is: Akka - pkg:nuget/[email protected]
  match type is cpe-match
  CPEs:
    • cpe:2.3:a:Akka:Akka:1.5.2:*:*:*:*:*:*:*
  URLs:
    • https://nvd.nist.gov/vuln/detail/CVE-2017-1000034
    • http://doc.akka.io/docs/akka/2.4/security/2017-02-10-java-serialization.html

I have to agree that this is a false positive - it would be pretty surprising if there were a java serialization vulnerability in Akka.NET :)

It seems like we correctly detect that this is a nuget package, but I don't think CPEs are narrowed by language ecosystem. If Akka.NET did have a vulnerability, I don't know what the CPE would look like.

It looks like the package name for Akka.NET is indeed just akka: https://www.nuget.org/packages/Akka. As far as I can tell, the string java does not appear in any machine-readable field on https://nvd.nist.gov/vuln/detail/CVE-2017-1000034#match-3790244. https://github.com/advisories/GHSA-mm57-9j6q-rxm2 does have more detail, at least showing that it's a Maven package. Maybe matching only on the PURL would have helped here.

willmurphyscode avatar Jun 05 '23 20:06 willmurphyscode

Hi @josetirablaz,

The repro steps above no longer result in this false positive. That's because Grype, by default, uses PURLs and not CPEs to match language packages - you can read more about that at https://anchore.com/blog/say-goodbye-to-false-positives/.

I'm closing this, but please let us know if we've missed something.

willmurphyscode avatar May 15 '24 12:05 willmurphyscode
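The difference the two maintainer comments above describe, CPE matching that ignores the package ecosystem versus PURL matching that does not, reduced to a runnable illustration. This is an added example, not Grype's own matcher code: the vulnerability record is constructed, its affected-version bound is an assumed placeholder rather than the NVD data, and the Maven ecosystem is taken from the GHSA advisory linked in the thread.

```python
# Constructed example: the Akka match from the thread, reduced to its two identifiers.
PKG_CPE = "cpe:2.3:a:Akka:Akka:1.5.2:*:*:*:*:*:*:*"
PKG_PURL = "pkg:nuget/Akka@1.5.2"

# Constructed vulnerability record (not the real NVD/GHSA data). The upper bound of the
# affected range is an ASSUMED placeholder; "maven" is the ecosystem the GHSA page shows.
VULN = {
    "id": "CVE-2017-1000034",
    "cpe_vendor": "akka", "cpe_product": "akka",   # what NVD's CPE criteria key on
    "package": "akka",                              # constructed package name field
    "version_end_excluding": "2.4.17",              # ASSUMED placeholder range
    "ecosystem": "maven",
}

# purl type -> advisory ecosystem (hypothetical mapping table for this example)
PURL_TYPE_TO_ECOSYSTEM = {"maven": "maven", "nuget": "nuget", "npm": "npm", "pypi": "pypi"}

def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its named components."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return {"part": fields[2], "vendor": fields[3].lower(),
            "product": fields[4].lower(), "version": fields[5]}

def parse_purl(purl: str) -> dict:
    """Extract type, name and version from a simple purl (no qualifiers or subpath)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    type_, _, rest = purl[4:].partition("/")
    name, sep, version = rest.rpartition("@")
    if not sep:                      # purl without a version component
        name, version = rest, ""
    return {"type": type_.lower(), "name": name.lower(), "version": version}

def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def in_affected_range(version: str, vuln: dict) -> bool:
    return version_tuple(version) < version_tuple(vuln["version_end_excluding"])

def cpe_match(cpe: str, vuln: dict) -> bool:
    """Ecosystem-blind: vendor, product and version only, which is how the false positive arose."""
    c = parse_cpe(cpe)
    return (c["vendor"] == vuln["cpe_vendor"] and c["product"] == vuln["cpe_product"]
            and in_affected_range(c["version"], vuln))

def purl_match(purl: str, vuln: dict) -> bool:
    """Ecosystem-aware: the purl type must map to the advisory's ecosystem before versions matter."""
    p = parse_purl(purl)
    if PURL_TYPE_TO_ECOSYSTEM.get(p["type"]) != vuln["ecosystem"]:
        return False                 # nuget package vs maven advisory: no match
    return p["name"] == vuln["package"] and in_affected_range(p["version"], vuln)
```

With these inputs the CPE path reports the NuGet Akka package as affected while the PURL path does not, because the purl type `nuget` never maps to the advisory's `maven` ecosystem.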