False positive: CVE-2021-40438 - specific centos package version not taken into account
What happened:
Grype detects CVE-2021-40438 on "purl": "pkg:rpm/centos/httpd@2.4.6-97.el7.centos.5?arch=x86_64&upstream=httpd-2.4.6-97.el7.centos.5.src.rpm&distro=centos-7"
with rule: pk=741692
version_constraint="< 0:2.4.6-97.el7_9.1"
What you expected to happen: According to the package changelog, CVE-2021-40438 is fixed.
2.4.6-97.el7.centos.5 should not match < 0:2.4.6-97.el7_9.1
How to reproduce it: Build a container with the package, scan with Syft and run Grype:
cat << EOF > Dockerfile
FROM centos:centos7
RUN yum install -y https://rpmfind.net/linux/centos/7.9.2009/updates/x86_64/Packages/httpd-2.4.6-97.el7.centos.5.x86_64.rpm
EOF
docker build . -t mycentos
/opt/syft scan mycentos --select-catalogers rpm -o json=mycentos.syft.json
/opt/grype sbom:mycentos.syft.json --only-fixed | grep httpd
Anything else we need to know?:
- Syft package and version detection is OK
- Other CVEs raised by Grype through a similar rule that does not take CentOS package naming into account: CVE-2023-25690, CVE-2022-22720, CVE-2021-44790, CVE-2021-39275, CVE-2021-34798, CVE-2021-26691
Environment:
- version 0.74.4
- database 2024-02-05 01:25:27 +0000 UTC
- OS Ubuntu 20.04.6 LTS
Hi @edhinard, thanks for the report. We need to do some more investigation here. Please stay tuned and we'll get in touch if we need any more info. We think this might be due to differences between Red Hat's and CentOS's versioning schemes, which have at some point diverged.
In the meantime you could use Grype's configuration file to ignore this particular false positive: https://github.com/anchore/grype/?tab=readme-ov-file#specifying-matches-to-ignore
Thanks again!
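Added example, not part of this issue and not Grype's own matching code: a Go re-implementation of rpm's version ordering (rpmvercmp applied to epoch, version and release) run on the two strings from the report. It shows where the CentOS and Red Hat release strings diverge: the release segments compare equal up to "97.el7", then the alphabetic "centos" is ranked older than the numeric "9", so "2.4.6-97.el7.centos.5" sorts below "0:2.4.6-97.el7_9.1" and a plain "<" constraint written against the Red Hat release matches the CentOS rebuild regardless of what its changelog says. The tilde/caret rules of rpm are left out because neither version uses them.

```go
package main
import (
	"fmt"
	"regexp"
	"strings"
)
var (
	sepRe = regexp.MustCompile(`^[^0-9A-Za-z]+`)                     // separators rpm skips: '.', '_', '-' ...
	segRe = regexp.MustCompile(`^([0-9]+|[A-Za-z]+)`)                // one segment: all digits or all letters
	evrRe = regexp.MustCompile(`^(?:([0-9]+):)?(.*?)(?:-([^-]*))?$`) // [epoch:]version[-release]
)
// rpmvercmp mirrors rpm's rpmvercmp(): skip separators, compare digit runs numerically and letter
// runs lexically, and rank a numeric segment newer than an alphabetic one (tilde/caret rules omitted).
func rpmvercmp(a, b string) int {
	for {
		a, b = sepRe.ReplaceAllString(a, ""), sepRe.ReplaceAllString(b, "")
		if a == "" || b == "" {
			return strings.Compare(a, b) // whichever side still has segments is newer
		}
		segA, segB := segRe.FindString(a), segRe.FindString(b)
		a, b = a[len(segA):], b[len(segB):]
		if numA, numB := segA[0] <= '9', segB[0] <= '9'; numA != numB {
			// "centos" vs "9": numeric wins; digits sort before letters in ASCII, so compare reversed
			return strings.Compare(segB[:1], segA[:1])
		} else if numA { // numeric: drop leading zeros, then the longer string is larger
			segA, segB = strings.TrimLeft(segA, "0"), strings.TrimLeft(segB, "0")
			if len(segA) != len(segB) {
				return len(segA) - len(segB)
			}
		}
		if c := strings.Compare(segA, segB); c != 0 {
			return c
		}
	}
}
// compareEVR orders two full RPM versions by epoch, then version, then release (<0, 0, >0).
func compareEVR(a, b string) int {
	pa, pb := evrRe.FindStringSubmatch(a), evrRe.FindStringSubmatch(b)
	pa[1], pb[1] = "0"+pa[1], "0"+pb[1] // a missing epoch counts as 0, as in rpm
	for i := 1; i <= 3; i++ {
		if c := rpmvercmp(pa[i], pb[i]); c != 0 {
			return c
		}
	}
	return 0
}
func main() { // values from the report: installed CentOS build vs Grype's fix constraint
	fmt.Println(compareEVR("2.4.6-97.el7.centos.5", "0:2.4.6-97.el7_9.1") < 0) // true: "<" matches
}
```

The same ordering makes "2.4.6-97.el7_9.1" equal to "0:2.4.6-97.el7_9.1" and "el7_9.10" newer than "el7_9.9", so only a constraint that knows about the ".centos" release suffix can tell the rebuild apart from an unpatched build.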