
Related CVE missing from report even though it's in the DB

Open Tehsmash opened this issue 1 year ago • 2 comments

What happened:

Grype detected a vulnerability from Amazon, ALAS-2023-2203, which has a known CVE ID:

[image]

However it is missing from the report's relatedVulnerabilities:

{
   "vulnerability": {
    "id": "ALAS-2023-2203",
    "dataSource": "https://alas.aws.amazon.com/AL2/ALAS-2023-2203.html",
    "namespace": "amazon:distro:amazonlinux:2",
    "severity": "High",
    "urls": [
     "https://alas.aws.amazon.com/AL2/ALAS-2023-2203.html"
    ],
    "cvss": [],
    "fix": {
     "versions": [
      "2021.2.50-72.amzn2.0.7"
     ],
     "state": "fixed"
    },
    "advisories": []
   },
   "relatedVulnerabilities": [],
...

This also happened with a GitHub issue, GHSA-c6qg-cjj8-47qp.

What you expected to happen:

I expected a relatedVulnerability to be present, similar to other Amazon/GitHub findings which have CVEs:

  {
   "vulnerability": {
    "id": "ALAS-2023-1972",
    "dataSource": "https://alas.aws.amazon.com/AL2/ALAS-2023-1972.html",
    "namespace": "amazon:distro:amazonlinux:2",
    "severity": "Medium",
    "urls": [
     "https://alas.aws.amazon.com/AL2/ALAS-2023-1972.html"
    ],
    "cvss": [],
    "fix": {
     "versions": [
      "2.12-11.amzn2"
     ],
     "state": "fixed"
    },
    "advisories": []
   },
   "relatedVulnerabilities": [
    {
     "id": "CVE-2021-38185",
     "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-38185",
     "namespace": "nvd:cpe",
     "severity": "High",
...

How to reproduce it (as minimally and precisely as possible):

For the Amazon issue:

grype --add-cpes-if-none --output json "public.ecr.aws/eks/amazon-k8s-cni@sha256:19dacc4b46485c85ddfbee3545d34948bad08ce318c0fa997541546786aa7bc4"

For the GitHub issue:

grype --add-cpes-if-none --output json ghcr.io/open-telemetry/demo:1.4.0-emailservice

Anything else we need to know?:

Initially I wondered if this was an issue related to parsing the Amazon/GitHub vulnerability feed, but debugging in vunnel and grype-db I found that the correct information is discovered in vunnel and makes its way through into the DB:

$ sqlite3 build/vulnerability.db
sqlite> select * from vulnerability where id = 'ALAS-2023-2203';
pk     id              package_name     namespace                    package_qualifiers  version_constraint        version_format  cpes  related_vulnerabilities                          fixed_in_versions           fix_state  advisories
-----  --------------  ---------------  ---------------------------  ------------------  ------------------------  --------------  ----  -----------------------------------------------  --------------------------  ---------  ----------
11471  ALAS-2023-2203  ca-certificates  amazon:distro:amazonlinux:2                      < 2021.2.50-72.amzn2.0.7  rpm                   [{"id":"CVE-2023-32803","namespace":"nvd:cpe"}]  ["2021.2.50-72.amzn2.0.7"]  fixed

Walking through all the places in the grype code which process the RelatedVulnerabilities I was able to narrow the cause down to this piece of code here: https://github.com/anchore/grype/blob/main/grype/presenter/models/match.go#L30-L38

Based on my understanding, this means that unless a related vulnerability is somewhere in the Grype DB it gets excluded from the presentation layer, and not even the ID is output for reference.

The question then became why the CVE ID isn't in the Grype DB. In these cases it turns out that the CVE ID is reserved in the CVE Dictionary: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32803 but it is not in NVD yet: https://nvd.nist.gov/vuln/detail/CVE-2023-32803.

This can also occur when using Grype with a custom DB that doesn't include the NVD provider; in this case no related CVEs appear in the output report, which is quite unexpected.

It seems like perhaps Grype should be outputting at minimum the related CVE ID even if further information isn't available in the Grype DB, to ensure that this information can be used as a reference (this matters in particular when --by-cve is used). This would prevent confusion when looking at the upstream source and seeing that it has a related CVE but it's not showing up in Grype.

Environment:

  • Output of grype version:
$ ./grype version
Application:          grype
Version:              0.65.2
Syft Version:         v0.87.1
BuildDate:            2023-08-17T20:03:30Z
GitCommit:            51223cd0b1069c7c7bbc27af1deec3e96ad3e07d
GitDescription:       v0.65.2
Platform:             darwin/amd64
GoVersion:            go1.19.12
Compiler:             gc
Supported DB Schema:  5
  • OS (e.g: cat /etc/os-release or similar): macOS Ventura 13.5

Tehsmash avatar Aug 21 '23 13:08 Tehsmash
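The filtering described in the report, and the fallback the reporter asks for, side by side. This is an added stand-alone example, not grype's own code: the `MetadataStore` map stands in for the grype DB lookup, the type and function names are hypothetical, and the sample records (CVE-2021-38185 present in the store, CVE-2023-32803 absent) are constructed to mirror the two matches shown above. `dropMissing` reproduces the current behaviour (a related vulnerability with no DB record vanishes from the output); `keepStub` emits the ID, namespace and a data-source URL even when no metadata exists, which is the minimum needed for the CVE to remain usable as a reference.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// VulnerabilityRef is the minimal reference stored alongside a match in the DB's
// related_vulnerabilities column: an ID and the namespace it belongs to.
type VulnerabilityRef struct {
	ID        string `json:"id"`
	Namespace string `json:"namespace"`
}

// VulnerabilityMetadata is what the presenter renders for each related vulnerability.
// Only records actually present in the DB carry severity, URLs, etc.
type VulnerabilityMetadata struct {
	ID         string   `json:"id"`
	DataSource string   `json:"dataSource"`
	Namespace  string   `json:"namespace"`
	Severity   string   `json:"severity,omitempty"`
	URLs       []string `json:"urls,omitempty"`
}

// MetadataStore is a hypothetical stand-in for the grype DB lookup (not grype's API).
type MetadataStore map[string]VulnerabilityMetadata

// key builds the lookup key; a vulnerability ID is only unique within its namespace.
func key(id, namespace string) string { return namespace + "|" + id }

// dropMissing mirrors the behaviour reported in the issue: a related vulnerability
// with no metadata record in the DB is silently dropped from the output.
func dropMissing(store MetadataStore, refs []VulnerabilityRef) []VulnerabilityMetadata {
	out := []VulnerabilityMetadata{} // non-nil so it marshals as [] rather than null
	for _, r := range refs {
		if m, ok := store[key(r.ID, r.Namespace)]; ok {
			out = append(out, m)
		}
	}
	return out
}

// keepStub implements the proposal from the thread: when no metadata exists, still
// emit the ID, namespace and a data source so the CVE stays usable as a reference.
func keepStub(store MetadataStore, refs []VulnerabilityRef) []VulnerabilityMetadata {
	out := []VulnerabilityMetadata{}
	for _, r := range refs {
		if m, ok := store[key(r.ID, r.Namespace)]; ok {
			out = append(out, m)
			continue
		}
		out = append(out, VulnerabilityMetadata{
			ID:         r.ID,
			Namespace:  r.Namespace,
			DataSource: stubDataSource(r),
		})
	}
	return out
}

// stubDataSource derives a reference URL for the nvd:cpe namespace, matching the
// dataSource format the full NVD records in the report already use.
func stubDataSource(r VulnerabilityRef) string {
	if r.Namespace == "nvd:cpe" {
		return "https://nvd.nist.gov/vuln/detail/" + r.ID
	}
	return ""
}

func main() {
	// Constructed sample: the DB knows CVE-2021-38185 but has no record for
	// CVE-2023-32803 (reserved in the CVE dictionary, not yet published by NVD).
	store := MetadataStore{
		key("CVE-2021-38185", "nvd:cpe"): {
			ID:         "CVE-2021-38185",
			Namespace:  "nvd:cpe",
			DataSource: "https://nvd.nist.gov/vuln/detail/CVE-2021-38185",
			Severity:   "High",
		},
	}
	refs := []VulnerabilityRef{{ID: "CVE-2023-32803", Namespace: "nvd:cpe"}}

	for name, fn := range map[string]func(MetadataStore, []VulnerabilityRef) []VulnerabilityMetadata{
		"dropMissing (current behaviour)": dropMissing,
		"keepStub (proposed)":             keepStub,
	} {
		b, _ := json.MarshalIndent(fn(store, refs), "", "  ")
		fmt.Printf("%s:\n%s\n", name, b)
	}
}
```

With the missing-record input, `dropMissing` returns an empty list, exactly the `"relatedVulnerabilities": []` seen for ALAS-2023-2203, while `keepStub` returns one entry carrying only id, namespace and dataSource; records that are present in the store pass through both functions unchanged.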

Hi @Tehsmash, thanks for the detailed analysis here. We'll take a look and figure out the best way forward here.

tgerla avatar Aug 24 '23 20:08 tgerla

dev note: we should probably add these NVD records in the DB with an ID, namespace, and dataSource and no other metadata.

wagoodman avatar Aug 24 '23 20:08 wagoodman