grype
False Positive CVE-2018-1000021 reported for Ubuntu's git package
What happened:
I have an image that uses ubuntu:focal-20230624 as base image that has Git installed via the system package manager apt-get. The installed version is 1:2.25.1-1ubuntu3.11. Grype reported that this package is affected by CVE-2018-1000021.
CVE Description says:
GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack).
Looking at the package version 1:2.25.1-1ubuntu3.11, it can be logically concluded that the Git version is 2.25.1 and hence this package should not be vulnerable to this CVE. However, Grype's dpkg-matcher is marking it as vulnerable.
```json
"matchDetails": [
  {
    "type": "exact-direct-match",
    "matcher": "dpkg-matcher",
    "searchedBy": {
      "distro": {
        "type": "ubuntu",
        "version": "20.04"
      },
      "namespace": "ubuntu:distro:ubuntu:20.04",
      "package": {
        "name": "git",
        "version": "1:2.25.1-1ubuntu3.11"
      }
    },
    "found": {
      "versionConstraint": "none (deb)",
      "vulnerabilityID": "CVE-2018-1000021"
    }
  }
]
```
I'm not sure if this happened because the entry for the CVE in NVD does not explicitly mention any CPEs for Ubuntu's git package.
What you expected to happen:
Since the version of git used is greater than the vulnerable version, I expected that Grype would not report that my image is vulnerable to this CVE.
How to reproduce it (as minimally and precisely as possible):
Scan any image built using an ubuntu base image, containing git installed using apt.
Anything else we need to know?:
Environment:
- Output of `grype version`:

```
bash-4.4# grype version
Application:          grype
Version:              0.65.0
Syft Version:         v0.86.1
BuildDate:            2023-08-01T00:36:47Z
GitCommit:            c97048baa1595a481a26f7add8b18d59ec65838a
GitDescription:       v0.65.0
Platform:             linux/amd64
GoVersion:            go1.20.1
Compiler:             gc
Supported DB Schema:  5
```
- OS (e.g. `cat /etc/os-release` or similar):

```
bash-4.4# cat /etc/os-release
NAME="SLES"
VERSION="15-SP4"
VERSION_ID="15.4"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP4"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp4"
DOCUMENTATION_URL="https://documentation.suse.com/"
```
For Ubuntu packages the vulnerability data for matches does not come from NVD; it comes from Ubuntu, which currently has focal set to Needed on https://ubuntu.com/security/CVE-2018-1000021, which is why this is being flagged. Grype is working as expected based on the information it is getting from Canonical.
The hint for this in the match details section is the namespace: `ubuntu:distro:ubuntu:20.04`. NVD-based matches will have a namespace of `nvd:cpe`.
@westonsteimel Probably the page is outdated, as within the container I can see the git version is 2.25.1:

```
root@07a7fdc58058:/# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
## which git is installed
root@07a7fdc58058:/# apt list --installed | grep git
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
git-man/focal-updates,focal-security,now 1:2.25.1-1ubuntu3.11 all [installed,automatic]
git/focal-updates,focal-security,now 1:2.25.1-1ubuntu3.11 amd64 [installed]
librtmp1/focal,now 2.4+20151223.gitfa8646d.1-2build1 amd64 [installed,automatic]
root@07a7fdc58058:/# git version
git version 2.25.1
```
So the issue is likely `git/focal-updates`, as that is going to pull in updates that won't be accounted for by the official Canonical feed. This is a known current downside of static-analysis-based SBOM and vulnerability scan tools. There currently isn't enough metadata presented by many OS package managers to know which repos a specific component was installed from, and therefore it can't currently truly know whether a package should be considered by the official sources for a given distribution or something else.
Another great example is if you're running an older distro but installing packages from a newer stream, like using alpine:3.17 but installing packages from edge. Currently syft, and therefore grype, has no way of knowing which stream a single package was installed from, so it will assume the distro that it found from /etc/os-release.
Unfortunately I'm not sure there is much we will be able to do about this in the short term, but it is a problem the team is aware of and trying to think of a solution for.
@ramanNarasimhan77, thanks for surfacing this though; we'll leave it open. @willmurphyscode, I think it might make sense to add a new category of false positives to track these sorts of things so we have a good dataset to consider if and when we do figure something out here. I know we have some similar issues raised around distroless images, since it looks like Debian but some of the packages are often newer. I'll try and find those a bit later.
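As an added example (not grype's own code and not from anyone in this thread), a Python triage script that applies the two points made above: it reads the namespace from each match's matchDetails to tell distro-feed matches from nvd:cpe ones, and for distro matches that carry no fix version it splits the dpkg version string into epoch, upstream and revision and compares the upstream part against the CVE's stated affected ceiling. The sample report, its second match, examplelib and CVE-0000-00000 are constructed placeholders, and the upstream version comparison is a numeric-only simplification of dpkg's algorithm.

```python
import json
import re

# Constructed sample: the dpkg match quoted in the issue plus a made-up NVD-based match.
SAMPLE_REPORT = json.dumps({"matches": [
    {"matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher",
        "searchedBy": {"distro": {"type": "ubuntu", "version": "20.04"},
                       "namespace": "ubuntu:distro:ubuntu:20.04",
                       "package": {"name": "git", "version": "1:2.25.1-1ubuntu3.11"}},
        "found": {"versionConstraint": "none (deb)", "vulnerabilityID": "CVE-2018-1000021"}}]},
    {"matchDetails": [{"type": "cpe-match", "matcher": "stock-matcher",
        "searchedBy": {"namespace": "nvd:cpe",
                       "package": {"name": "examplelib", "version": "1.2.3"}},
        "found": {"versionConstraint": "< 1.2.4 (unknown)", "vulnerabilityID": "CVE-0000-00000"}}]},
]})

def split_deb_version(version):
    """Split 'epoch:upstream-revision' into its parts; epoch and revision are optional."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no hyphen: the whole string is the upstream version
        upstream, revision = revision, ""
    return epoch, upstream, revision

def upstream_key(upstream):
    # Numeric components only: a simplification, not the full dpkg comparison algorithm.
    return tuple(int(x) for x in re.findall(r"\d+", upstream))

def triage(report_json, affected_ceiling):
    """Classify each match by data source (namespace) and flag distro-feed matches that
    carry no fix version but whose upstream version is above the CVE's stated ceiling."""
    records = []
    for match in json.loads(report_json)["matches"]:
        for detail in match["matchDetails"]:
            ns = detail["searchedBy"]["namespace"]
            source = "nvd" if ns == "nvd:cpe" else "distro" if ":distro:" in ns else "other"
            pkg = detail["searchedBy"]["package"]
            rec = {"id": detail["found"]["vulnerabilityID"], "package": pkg["name"],
                   "source": source, "constraint": detail["found"]["versionConstraint"],
                   "candidate_fp": False}
            ceiling = affected_ceiling.get(rec["id"])
            if source == "distro" and rec["constraint"].startswith("none") and ceiling:
                _, upstream, _ = split_deb_version(pkg["version"])
                rec["candidate_fp"] = upstream_key(upstream) > upstream_key(ceiling)
            records.append(rec)
    return records
```

Calling `triage(SAMPLE_REPORT, {"CVE-2018-1000021": "2.15.1"})`, with the ceiling taken from the "2.15.1 and earlier" wording of the CVE description quoted in the issue, returns the git match with source "distro" and candidate_fp True, and the NVD match with candidate_fp False. A candidate_fp record still needs a human check against the distro's advisory page, since the distro feed may know of backports the upstream number does not reveal.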