grype
vex documents from the --vex flag do get processed or applied to the output correctly
What happened:
When following the example here using the vex document specified, the vulnerability is rendered in the outputted report. This happens in any format.
vex.json
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/public/vex-d4e9020b6d0d26f131d535e055902dd6ccf3e2088bce3079a8cd3588a4b14c78",
  "author": "A Grype User <[email protected]>",
  "timestamp": "2023-07-17T18:28:47.696004345-06:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2023-1255"
      },
      "products": [
        {
          "@id": "pkg:oci/alpine@sha256%3A124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126",
          "subcomponents": [
            { "@id": "pkg:apk/alpine/[email protected]" },
            { "@id": "pkg:apk/alpine/[email protected]" }
          ]
        }
      ],
      "status": "fixed"
    }
  ]
}
command
docker run -it -v $PWD/vex.json:/vex.json anchore/grype alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126 --vex /vex.json
✔ Vulnerability DB [updated]
✔ Parsed image sha256:51e60588ff2cd9f45792b23de89bfface0a7fbd711d17c5f5ce900a4f6b16260
✔ Cataloged contents b5a5b7ce4eabc8414bf367761a28f4e8b16952ce5de537c15ed917b71b245f11
├── ✔ Packages [15 packages]
├── ✔ File digests [78 files]
├── ✔ File metadata [78 locations]
└── ✔ Executables [17 executables]
✔ Scanned for vulnerabilities [22 vulnerability matches]
├── by severity: 0 critical, 2 high, 16 medium, 0 low, 0 negligible (4 unknown)
└── by status: 22 fixed, 0 not-fixed, 0 ignored
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
...
libcrypto3 3.0.8-r3 3.0.8-r4 apk CVE-2023-1255 Medium
...
vexctl filter works
What you expected to happen:
I do not expect the vulnerability to be reported. Maybe I am missing something here?
How to reproduce it (as minimally and precisely as possible): see above
Anything else we need to know?:
Environment:
- Output of grype version: 0.77.1
- OS (e.g: cat /etc/os-release or similar): mac/linux - tested both
Hi @willejs, thank you for the report, we've reproduced this issue on the latest Grype, 0.77.2:
Without vex (CVE-2023-1255 shows up):
tgerla@Timothys-MacBook-Pro-2 grype-1836 % grype alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126
✔ Vulnerability DB [no update available]
✔ Parsed image sha256:51e60588ff2cd9f45792b23de89bfface0a7fbd711d17c5f5ce900a4f6b16260
✔ Cataloged contents b5a5b7ce4eabc8414bf367761a28f4e8b16952ce5de537c15ed917b71b245f11
├── ✔ Packages [15 packages]
├── ✔ File digests [78 files]
├── ✔ File metadata [78 locations]
└── ✔ Executables [17 executables]
✔ Scanned for vulnerabilities [22 vulnerability matches]
├── by severity: 0 critical, 2 high, 16 medium, 0 low, 0 negligible (4 unknown)
└── by status: 22 fixed, 0 not-fixed, 0 ignored
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
libcrypto3 3.0.8-r3 3.0.12-r0 apk CVE-2023-5363 High
libcrypto3 3.0.8-r3 3.0.12-r4 apk CVE-2024-0727 Medium
libcrypto3 3.0.8-r3 3.0.12-r2 apk CVE-2023-6129 Medium
libcrypto3 3.0.8-r3 3.0.12-r1 apk CVE-2023-5678 Medium
libcrypto3 3.0.8-r3 3.0.10-r0 apk CVE-2023-3817 Medium
libcrypto3 3.0.8-r3 3.0.9-r3 apk CVE-2023-3446 Medium
libcrypto3 3.0.8-r3 3.0.9-r2 apk CVE-2023-2975 Medium
libcrypto3 3.0.8-r3 3.0.9-r0 apk CVE-2023-2650 Medium
libcrypto3 3.0.8-r3 3.0.8-r4 apk CVE-2023-1255 Medium
libcrypto3 3.0.8-r3 3.0.12-r5 apk CVE-2024-2511 Unknown
libcrypto3 3.0.8-r3 3.0.12-r3 apk CVE-2023-6237 Unknown
libssl3 3.0.8-r3 3.0.12-r0 apk CVE-2023-5363 High
libssl3 3.0.8-r3 3.0.12-r4 apk CVE-2024-0727 Medium
libssl3 3.0.8-r3 3.0.12-r2 apk CVE-2023-6129 Medium
libssl3 3.0.8-r3 3.0.12-r1 apk CVE-2023-5678 Medium
libssl3 3.0.8-r3 3.0.10-r0 apk CVE-2023-3817 Medium
libssl3 3.0.8-r3 3.0.9-r3 apk CVE-2023-3446 Medium
libssl3 3.0.8-r3 3.0.9-r2 apk CVE-2023-2975 Medium
libssl3 3.0.8-r3 3.0.9-r0 apk CVE-2023-2650 Medium
libssl3 3.0.8-r3 3.0.8-r4 apk CVE-2023-1255 Medium
libssl3 3.0.8-r3 3.0.12-r5 apk CVE-2024-2511 Unknown
libssl3 3.0.8-r3 3.0.12-r3 apk CVE-2023-6237 Unknown
With vex (CVE-2023-1255 shows up):
tgerla@Timothys-MacBook-Pro-2 grype-1836 % grype alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126 --vex vex.json
✔ Vulnerability DB [no update available]
✔ Parsed image sha256:51e60588ff2cd9f45792b23de89bfface0a7fbd711d17c5f5ce900a4f6b16260
✔ Cataloged contents b5a5b7ce4eabc8414bf367761a28f4e8b16952ce5de537c15ed917b71b245f11
├── ✔ Packages [15 packages]
├── ✔ File digests [78 files]
├── ✔ File metadata [78 locations]
└── ✔ Executables [17 executables]
✔ Scanned for vulnerabilities [22 vulnerability matches]
├── by severity: 0 critical, 2 high, 16 medium, 0 low, 0 negligible (4 unknown)
└── by status: 22 fixed, 0 not-fixed, 0 ignored
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
libcrypto3 3.0.8-r3 3.0.12-r0 apk CVE-2023-5363 High
libcrypto3 3.0.8-r3 3.0.12-r4 apk CVE-2024-0727 Medium
libcrypto3 3.0.8-r3 3.0.12-r2 apk CVE-2023-6129 Medium
libcrypto3 3.0.8-r3 3.0.12-r1 apk CVE-2023-5678 Medium
libcrypto3 3.0.8-r3 3.0.10-r0 apk CVE-2023-3817 Medium
libcrypto3 3.0.8-r3 3.0.9-r3 apk CVE-2023-3446 Medium
libcrypto3 3.0.8-r3 3.0.9-r2 apk CVE-2023-2975 Medium
libcrypto3 3.0.8-r3 3.0.9-r0 apk CVE-2023-2650 Medium
libcrypto3 3.0.8-r3 3.0.8-r4 apk CVE-2023-1255 Medium
libcrypto3 3.0.8-r3 3.0.12-r5 apk CVE-2024-2511 Unknown
libcrypto3 3.0.8-r3 3.0.12-r3 apk CVE-2023-6237 Unknown
libssl3 3.0.8-r3 3.0.12-r0 apk CVE-2023-5363 High
libssl3 3.0.8-r3 3.0.12-r4 apk CVE-2024-0727 Medium
libssl3 3.0.8-r3 3.0.12-r2 apk CVE-2023-6129 Medium
libssl3 3.0.8-r3 3.0.12-r1 apk CVE-2023-5678 Medium
libssl3 3.0.8-r3 3.0.10-r0 apk CVE-2023-3817 Medium
libssl3 3.0.8-r3 3.0.9-r3 apk CVE-2023-3446 Medium
libssl3 3.0.8-r3 3.0.9-r2 apk CVE-2023-2975 Medium
libssl3 3.0.8-r3 3.0.9-r0 apk CVE-2023-2650 Medium
libssl3 3.0.8-r3 3.0.8-r4 apk CVE-2023-1255 Medium
libssl3 3.0.8-r3 3.0.12-r5 apk CVE-2024-2511 Unknown
libssl3 3.0.8-r3 3.0.12-r3 apk CVE-2023-6237 Unknown
tgerla@Timothys-MacBook-Pro-2 grype-1836 %
On Grype 0.74.7, the CVE was filtered out as expected. We will take a look and see where the regression occurred. Thanks again!
I'm trying to use the VEX feature and it's not working even with version 0.74.7 and 0.74.3...
Never mind, it seems that the issue I'm having is due to a matching issue. I'll work on a fix and submit a PR soon.
@tgerla thanks for investigating this and the swift reply! We are contemplating fixing this, but we were made aware of some other bugs around the format of the PURL, and also there are a couple of big PRs with large refactors waiting to be merged over here changing the implementation of vex support. Is there some wider context we are missing here and have you guys got some plans to overhaul the vex implementation/support? If so we will hold off for a bit!
We were looking at a commercial offering, but we have fallen at the first hurdle with vex support...
I was investigating why Grype stopped processing VEX documents generated by Kubescape. It boiled down to this line of code: https://github.com/anchore/grype/blob/368fd73fc238492ecfe17eaee3b491cd89faf88c/grype/vex/openvex/implementation.go#L166 Based on my investigation, there are two problems here.
- Matcher uses index.docker.io as the registry name and the VEX document contains docker.io for the same field, therefore the comparison fails.
- The second problem is Kubescape uses standard URL encoding protocol in the pURL where according to the RFC one should encode the special characters in the query parameter contents. I suggest that either Grype or go-vex do a URL decode operation.
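Added example, not code from grype or go-vex: a small Go filter that shows why the scenario in the original report (a "fixed" statement for CVE-2023-1255 that still leaves the match in the output) and the two comparison problems described in the comment above both come down to purl normalisation before comparing. It assumes the scanner identifies the image as a pkg:oci purl with a `repository_url` qualifier, builds `pkg:apk/alpine/<name>@<version>` for apk matches, and suppresses the statuses "fixed" and "not_affected"; the `normalizePURL`, `FilterMatches` names and the sample document and match rows are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Minimal OpenVEX shape: only the fields the filter needs.
type vexDoc struct {
	Statements []vexStatement `json:"statements"`
}

type vexStatement struct {
	Vulnerability struct {
		Name string `json:"name"`
	} `json:"vulnerability"`
	Products []struct {
		ID            string `json:"@id"`
		Subcomponents []struct {
			ID string `json:"@id"`
		} `json:"subcomponents"`
	} `json:"products"`
	Status string `json:"status"`
}

// Match is one row of a scanner result table (constructed for this example).
type Match struct {
	Package string
	Version string
	Vuln    string
}

// normalizePURL (hypothetical, not grype's own) makes two spellings of the
// same purl compare equal: percent-decode so "sha256%3A..." equals
// "sha256:...", lowercase, and fold the index.docker.io alias to docker.io.
// url.PathUnescape is used rather than QueryUnescape so that '+' in versions
// is left alone.
func normalizePURL(p string) string {
	decoded, err := url.PathUnescape(p)
	if err != nil {
		decoded = p // malformed escape: compare the raw value instead
	}
	decoded = strings.ToLower(strings.TrimSpace(decoded))
	return strings.ReplaceAll(decoded, "index.docker.io", "docker.io")
}

// apkPURL builds the subcomponent identifier assumed for an apk match.
func apkPURL(m Match) string {
	return "pkg:apk/alpine/" + m.Package + "@" + m.Version
}

// FilterMatches drops every match that a statement with an ignored status
// covers: the product must equal the scanned image after normalisation and,
// when the product lists subcomponents, the match's purl must be one of them.
func FilterMatches(doc []byte, imagePURL string, matches []Match, ignoreStatus map[string]bool) ([]Match, error) {
	var vex vexDoc
	if err := json.Unmarshal(doc, &vex); err != nil {
		return nil, fmt.Errorf("parse vex: %w", err)
	}
	image := normalizePURL(imagePURL)
	kept := []Match{}
	for _, m := range matches {
		if !coveredByVEX(vex, image, m, ignoreStatus) {
			kept = append(kept, m)
		}
	}
	return kept, nil
}

func coveredByVEX(vex vexDoc, image string, m Match, ignoreStatus map[string]bool) bool {
	pkg := normalizePURL(apkPURL(m))
	for _, st := range vex.Statements {
		if !ignoreStatus[st.Status] || !strings.EqualFold(st.Vulnerability.Name, m.Vuln) {
			continue
		}
		for _, prod := range st.Products {
			if normalizePURL(prod.ID) != image {
				continue // different image: the statement does not apply
			}
			if len(prod.Subcomponents) == 0 {
				return true // statement covers every package of the product
			}
			for _, sub := range prod.Subcomponents {
				if normalizePURL(sub.ID) == pkg {
					return true
				}
			}
		}
	}
	return false
}

// Constructed sample: the VEX side spells the registry as docker.io and
// percent-encodes the digest separator; the scanner side uses index.docker.io
// and a literal colon, exactly the mismatch described in the thread.
const SampleVEX = `{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "statements": [{
    "vulnerability": {"name": "CVE-2023-1255"},
    "products": [{
      "@id": "pkg:oci/alpine@sha256%3A124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126?repository_url=docker.io/library/alpine",
      "subcomponents": [
        {"@id": "pkg:apk/alpine/libcrypto3@3.0.8-r3"},
        {"@id": "pkg:apk/alpine/libssl3@3.0.8-r3"}
      ]
    }],
    "status": "fixed"
  }]
}`

const SampleImage = "pkg:oci/alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126?repository_url=index.docker.io/library/alpine"

// Constructed rows modelled on the report's table.
var SampleMatches = []Match{
	{"libcrypto3", "3.0.8-r3", "CVE-2023-5363"},
	{"libcrypto3", "3.0.8-r3", "CVE-2023-1255"},
	{"libssl3", "3.0.8-r3", "CVE-2023-1255"},
}

// DefaultIgnore is the assumed set of statuses that suppress a match.
var DefaultIgnore = map[string]bool{"fixed": true, "not_affected": true}

func main() {
	kept, err := FilterMatches([]byte(SampleVEX), SampleImage, SampleMatches, DefaultIgnore)
	if err != nil {
		panic(err)
	}
	for _, m := range kept {
		fmt.Printf("%s %s %s\n", m.Package, m.Version, m.Vuln)
	}
}
```

Without `normalizePURL` the product comparison fails on both the `%3A` and the registry alias, and all three rows survive; with it, only the CVE-2023-5363 row, which no statement mentions, remains. The digest and image purl are still compared in full, so a statement for a different image or a package the statement does not list cannot suppress anything.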
@puerco great keynote this morning BTW 😀 Go OpenVEX!