@jridgewell/gen-mapping incorrectly attributed GHSA-8rmg-jf7p-4p22
What happened:
Our pipeline recently broke due to a critical finding of GHSA-8rmg-jf7p-4p22:
[root@d992b56c077e /]# grype --version
grype 0.77.4
[root@d992b56c077e /]# grype bom.json
✔ Vulnerability DB [no update available]
✔ Scanned for vulnerabilities [1 vulnerability matches]
├── by severity: 1 critical, 0 high, 0 medium, 0 low, 0 negligible
└── by status: 0 fixed, 1 not-fixed, 0 ignored
[0000] ERROR failed to fetch latest version: Get "https://toolbox-data.anchore.io/grype/releases/latest/VERSION": tls: failed to verify certificate: x509: certificate has exp
NAME         INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
gen-mapping  0.3.5                npm   GHSA-8rmg-jf7p-4p22  Critical
What you expected to happen:
The malicious package is: https://www.npmjs.com/package/gen-mapping, which is a typosquatting attempt that got caught and squashed. The package in actual usage is: @jridgewell/gen-mapping, which IMHO is also correctly stated in the provided BOM:
{
  "type": "library",
  "name": "gen-mapping",
  "group": "@jridgewell",
  "version": "0.3.5",
  "bom-ref": "@jridgewell/gen-mapping@0.3.5",
  "purl": "pkg:npm/%40jridgewell/gen-mapping@0.3.5",
  ...
}
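The following is an added illustration, not grype's code and not the reporter's: it parses the BOM's purl so that the scope (the `%40jridgewell` namespace) is kept, then contrasts a matcher that compares only the bare package name against the advisory, which reproduces the misattribution above, with one that compares the full scoped name. The advisory record is a constructed, simplified stand-in for GHSA-8rmg-jf7p-4p22 (name only, no version range).

```python
# Added illustration, not grype's own matcher: models the misattribution
# described in this issue. ADVISORIES is a constructed, simplified stand-in
# for GHSA-8rmg-jf7p-4p22 (package name only, no affected-version range).
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class NpmPackage:
    scope: Optional[str]  # e.g. "@jridgewell"; None for an unscoped package
    name: str             # e.g. "gen-mapping"
    version: str

    @property
    def full_name(self) -> str:
        """The name npm actually resolves: scope included when present."""
        return f"{self.scope}/{self.name}" if self.scope else self.name


def parse_npm_purl(purl: str) -> NpmPackage:
    """Parse a pkg:npm purl; a scope arrives percent-encoded as %40."""
    if not purl.startswith("pkg:npm/"):
        raise ValueError(f"not an npm purl: {purl}")
    # drop qualifiers (?...) and subpath (#...) before splitting off the version
    body = purl[len("pkg:npm/"):].split("?", 1)[0].split("#", 1)[0]
    at = body.rfind("@")
    # an '@' at index 0 would be an unencoded scope, not a version separator
    path, version = (body[:at], body[at + 1:]) if at > 0 else (body, "")
    parts = [unquote(p) for p in path.split("/")]
    if len(parts) == 2:
        return NpmPackage(parts[0], parts[1], version)
    return NpmPackage(None, parts[0], version)


# Constructed entry: the advisory concerns the unscoped npm package
# "gen-mapping", not "@jridgewell/gen-mapping".
ADVISORIES = [{"id": "GHSA-8rmg-jf7p-4p22", "ecosystem": "npm", "package": "gen-mapping"}]


def match_by_bare_name(pkg: NpmPackage) -> List[str]:
    """Compare on the name alone, scope dropped: yields the reported false positive."""
    return [a["id"] for a in ADVISORIES if a["package"] == pkg.name]


def match_by_full_name(pkg: NpmPackage) -> List[str]:
    """Compare on scope + name: the scoped package no longer hits the advisory."""
    return [a["id"] for a in ADVISORIES if a["package"] == pkg.full_name]


if __name__ == "__main__":
    bom_pkg = parse_npm_purl("pkg:npm/%40jridgewell/gen-mapping@0.3.5")
    print(bom_pkg.full_name, match_by_bare_name(bom_pkg), match_by_full_name(bom_pkg))
```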
How to reproduce it (as minimally and precisely as possible):
package.json:
{
  "name": "gen-mapping-test",
  "version": "1.0.0",
  "dependencies": {
    "@babel/core": "7.22.10"
  },
  "scripts": {},
  "author": "",
  "license": "ISC"
}
npm install
npx -y @cyclonedx/cyclonedx-npm --omit dev --output-reproducible --output-file bom.json --package-lock-only
npx -y @cyclonedx/cyclonedx-npm --omit dev --short-PURLs --output-reproducible --output-file bom-short.json --package-lock-only
grype bom.json
grype bom-short.json
Anything else we need to know?:
I attached example boms, which trigger the issue.
Environment:
- Output of `grype version`:
- OS (e.g: `cat /etc/os-release` or similar):