
reporting the relevant CVE number when GHSA is reported

Open wagde-orca opened this issue 4 years ago • 5 comments

What would you like to be added:

When running grype we sometimes see a GHSA in the results but not the CVE, like:

struts2-core 2.5.5 2.5.12 GHSA-9gp7-jvm2-r4mx Medium

It would be nice to add the CVE id to the json file, in this case CVE-2017-7672.

Why is this needed:

I believe working with CVEs is more natural than the GHSA. Several products report the vulnerabilities as CVEs, and in grype having a unified representation for the vulnerabilities as CVE is better than having CVE and GHSA.

Additional context:

wagde-orca avatar Nov 10 '20 18:11 wagde-orca

Hi @wagde-orca, this makes a lot of sense, and it's something we've talked about internally. We'll discuss and figure out next steps.

luhring avatar Nov 17 '20 15:11 luhring

Hi @luhring @wagoodman Any update on this?

wagde-orca avatar Dec 10 '20 13:12 wagde-orca

Hi @wagde-orca! Not yet. We'll update the issue when there's movement on this. 👍

luhring avatar Dec 10 '20 15:12 luhring

Hi there! Have there been any updates regarding this feature? Thank you!

andresmascl avatar Jun 24 '22 16:06 andresmascl

@wagde-orca is this still an issue for you? In the case you posed a CVE was eventually added to the record and I believe it is now being output in grype correctly. If this is not the case or you feel that we should make updates in the case where a CVE is not present on the GHSA let me know and we can get a patch in.

spiffcs avatar Jul 21 '22 20:07 spiffcs

As we expect to see more feeds in the future, we will have to deal with overlapping IDs from the various ecosystems. In the event there is a CVE ID it is uncontroversial to expect that should be used.

What do we do when there is no CVE ID?

For example if we look at this https://github.com/advisories/GHSA-4vmm-mhcq-4x9j

It's a critical issue in the NPM package constantinople. It has no CVE ID. It does have an NPM ID of 568 (which currently redirects to the GHSA, but you get the basic idea). In a case like this which ID should we use?

Let's imagine we have a GHSA and NPM vulnerability feed.

We could defer to the GHSA and print only that assuming the NPM ID metadata references the GHSA. We could just print both IDs and let the end user sort it out.

My suspicion is we should treat CVE and GHSA special and defer to those two identifier types if available. Otherwise just print the ecosystem identifiers and not try to de-duplicate the output.

joshbressers avatar Oct 19 '22 17:10 joshbressers
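As an added illustration of the preference policy proposed in the comment above (CVE first, then GHSA, otherwise print the ecosystem identifiers without de-duplicating), the Go code below is not code from grype or its maintainers. The inputs in main are constructed from the two cases discussed in the thread; "NPM-568" is an assumed spelling for the NPM advisory number 568.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Resolved is one vulnerability after the preference policy from the thread is applied.
type Resolved struct {
	Display []string // ids to print: the single preferred CVE/GHSA, or every ecosystem id
	Aliases []string // ids collapsed behind the preferred one, kept so nothing is hidden
}

// rank orders identifier types: CVE (0) before GHSA (1) before anything else (2).
func rank(id string) int {
	switch {
	case strings.HasPrefix(id, "CVE-"):
		return 0
	case strings.HasPrefix(id, "GHSA-"):
		return 1
	}
	return 2
}

// Resolve applies the policy to all ids reported for one vulnerability; exact duplicate strings are dropped, distinct ecosystem ids are never merged.
func Resolve(ids []string) Resolved {
	seen, uniq := map[string]bool{}, []string{}
	for _, id := range ids {
		id = strings.TrimSpace(id)
		if id != "" && !seen[id] {
			seen[id], uniq = true, append(uniq, id)
		}
	}
	sort.SliceStable(uniq, func(i, j int) bool { // best rank first, then alphabetical
		if ri, rj := rank(uniq[i]), rank(uniq[j]); ri != rj {
			return ri < rj
		}
		return uniq[i] < uniq[j]
	})
	if len(uniq) == 0 || rank(uniq[0]) == 2 {
		return Resolved{Display: uniq} // no CVE or GHSA: print the ecosystem ids as-is
	}
	return Resolved{Display: uniq[:1], Aliases: uniq[1:]}
}

func main() { // constructed inputs modelled on the two cases in the thread; "NPM-568" is a placeholder spelling
	fmt.Printf("%+v\n", Resolve([]string{"GHSA-9gp7-jvm2-r4mx", "CVE-2017-7672"})) // struts2-core: CVE wins
	fmt.Printf("%+v\n", Resolve([]string{"NPM-568", "GHSA-4vmm-mhcq-4x9j"}))      // constantinople: no CVE, GHSA wins
}
```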