grype
PHP pecl redis mixes with redis project itself and creates false positive cve
What happened:
Scanning a PHP Docker image with the Redis PHP extension shows a lot of vulnerabilities.
redis 6.0.2 php-pecl CVE-2022-24834 High
redis 6.0.2 php-pecl CVE-2022-24735 High
redis 6.0.2 php-pecl CVE-2021-41099 High
redis 6.0.2 php-pecl CVE-2021-32762 High
redis 6.0.2 php-pecl CVE-2021-32687 High
redis 6.0.2 php-pecl CVE-2021-32675 High
redis 6.0.2 php-pecl CVE-2021-32628 High
redis 6.0.2 php-pecl CVE-2021-32627 High
redis 6.0.2 php-pecl CVE-2021-32626 High
redis 6.0.2 php-pecl CVE-2023-28856 Medium
redis 6.0.2 php-pecl CVE-2023-25155 Medium
redis 6.0.2 php-pecl CVE-2022-36021 Medium
redis 6.0.2 php-pecl CVE-2022-35977 Medium
redis 6.0.2 php-pecl CVE-2022-24736 Medium
redis 6.0.2 php-pecl CVE-2021-32672 Medium
redis 6.0.2 php-pecl CVE-2021-31294 Medium
redis 6.0.2 php-pecl CVE-2023-45145 Low
redis 6.0.2 php-pecl CVE-2022-3647 Low
These CVEs are associated with redis-server, not the PHP extension.
I have no idea if this is a problem with Grype or the vulnerability database 🤔
What you expected to happen:
Don't show these records
How to reproduce it (as minimally and precisely as possible):
grype shopware/docker-base:8.3
Anything else we need to know?:
Environment:
- Output of grype version:
Application: grype
Version: 0.75.0
BuildDate: 2024-04-04T16:02:59Z
GitCommit: 57af1c34cb7db17824eac983cc6ae6945db47c88
GitDescription: v0.75.0
Platform: linux/amd64
GoVersion: go1.21.8
Compiler: gc
Syft Version: v1.1.1
Supported DB Schema: 5
- OS (e.g. cat /etc/os-release or similar):
I can confirm that I'm seeing the same issue(s) on my end using grype shinsenter/laravel:php8.1
redis 6.0.2 php-pecl CVE-2022-0543 Critical
redis 6.0.2 php-pecl CVE-2022-24834 High
redis 6.0.2 php-pecl CVE-2022-24735 High
redis 6.0.2 php-pecl CVE-2021-41099 High
redis 6.0.2 php-pecl CVE-2021-32762 High
redis 6.0.2 php-pecl CVE-2021-32687 High
redis 6.0.2 php-pecl CVE-2021-32675 High
redis 6.0.2 php-pecl CVE-2021-32628 High
redis 6.0.2 php-pecl CVE-2021-32627 High
redis 6.0.2 php-pecl CVE-2021-32626 High
redis 6.0.2 php-pecl CVE-2023-28856 Medium
redis 6.0.2 php-pecl CVE-2023-25155 Medium
redis 6.0.2 php-pecl CVE-2022-36021 Medium
redis 6.0.2 php-pecl CVE-2022-35977 Medium
redis 6.0.2 php-pecl CVE-2022-24736 Medium
redis 6.0.2 php-pecl CVE-2021-32672 Medium
redis 6.0.2 php-pecl CVE-2021-31294 Medium
redis 6.0.2 php-pecl CVE-2023-45145 Low
redis 6.0.2 php-pecl CVE-2022-3647 Low
Hi @shyim and @avtar, thanks for the reports and sorry for the delay acknowledging! We will take a look as soon as we can.
Troubleshooting note: looks like a CPE matching problem:
"language": "php",
"cpes": [
  {
    "cpe": "cpe:2.3:a:redis:redis:6.0.2:*:*:*:*:*:*:*",
    "source": "syft-generated"
  }
],
"purl": "pkg:pecl/redis@6.0.2",
"metadataType": "php-pecl-entry",
"metadata": {
  "name": "redis",
  "version": "6.0.2",
  "license": [
    "PHP"
  ]
}
},
A little more info here: the reason that this false positive appears is that the PHP redis extension is just called "redis", so when Syft generates a CPE based on that name, it creates an overlap with the actual Redis CPE. We can override this behavior in the defaultCandidateRemovals dictionary in https://github.com/anchore/syft/blob/273e31e8061c94742638b25ed74762dd5e74e783/syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go.
We'll put this in our backlog for a fix. There are some additional improvements that we could make here, too, including turning off CPE matching for the php-pecl cataloger and eventually relying on the PHP community security advisory system here: https://github.com/FriendsOfPHP/security-advisories
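To make the mechanism described in the comment above concrete, here is an added Go example (not Syft's or Grype's code) that models a naive name-based CPE candidate generator with a per-package-type removal table, so that a php-pecl package named "redis" no longer yields the redis:redis CPE that collides with the Redis server. Package, typeVendors, candidateRemovals, cpeCandidates and isRemoved are this example's own names, and the extra "php" vendor guess for PECL packages is an assumption.

```go
package main

import "fmt"

// Package is a minimal stand-in for a cataloged package (hypothetical; not Syft's type).
type Package struct {
	Name, Version, Type string // Type is the cataloger type, e.g. "php-pecl" or "binary"
}

// typeVendors lists extra vendor guesses per package type (assumption for this example).
var typeVendors = map[string][]string{"php-pecl": {"php"}}
// candidateRemovals maps package type -> package name -> "vendor:product" pairs that must
// never be emitted for that type. Modeled on the idea behind Syft's defaultCandidateRemovals;
// the entry below is this example's own, not Syft's.
var candidateRemovals = map[string]map[string][]string{
	"php-pecl": {"redis": {"redis:redis"}}, // the PECL client is not the Redis server
}

// cpeCandidates builds naive CPE 2.3 strings from the package name: the vendor==product==name
// guess that caused the false positive, plus type-specific vendors, minus removed pairs.
func cpeCandidates(p Package) []string {
	pairs := []string{p.Name + ":" + p.Name}
	for _, v := range typeVendors[p.Type] {
		pairs = append(pairs, v+":"+p.Name)
	}
	var out []string
	for _, pair := range pairs {
		if isRemoved(p.Type, p.Name, pair) {
			continue
		}
		out = append(out, fmt.Sprintf("cpe:2.3:a:%s:%s:*:*:*:*:*:*:*", pair, p.Version))
	}
	return out
}

// isRemoved reports whether pair is blocklisted for this package type and name.
func isRemoved(pkgType, name, pair string) bool {
	for _, r := range candidateRemovals[pkgType][name] {
		if r == pair {
			return true
		}
	}
	return false
}

func main() {
	for _, p := range []Package{{"redis", "6.0.2", "php-pecl"}, {"redis", "6.0.2", "binary"}} {
		fmt.Printf("%-8s %s -> %v\n", p.Type, p.Name, cpeCandidates(p))
	}
}
```

The removal is scoped to the package type, so a genuine redis-server package cataloged under another type keeps its redis:redis candidate and still matches the server CVEs.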
The security-advisories repository does not contain the PHP extensions, only composer packages :)