grype
Cyclonedx xml report does not include vectors
What happened: When comparing the CycloneDX report and the Syft JSON report generated with grype, the CycloneDX report doesn't seem to have vector information.
Snippet from cyclonedx report:
<component type="library">
  <name>zlib1g</name>
  <version>1:1.2.11.dfsg-1</version>
  <licenses>
    <license>
      <name>Zlib</name>
    </license>
  </licenses>
  <v:vulnerabilities>
    <v:vulnerability ref="urn:uuid:7ae47774-4f5e-4090-bb15-d67426274417">
      <v:id>CVE-2018-25032</v:id>
      <v:source name="debian:10">
        <v:url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032</v:url>
      </v:source>
      <v:ratings>
        <v:rating>
          <v:severity>High</v:severity>
        </v:rating>
      </v:ratings>
      <v:advisories>
        <v:advisory>https://security-tracker.debian.org/tracker/CVE-2018-25032</v:advisory>
      </v:advisories>
    </v:vulnerability>
  </v:vulnerabilities>
</component>
Snippet from syft JSON report:
{
  "vulnerability": {
    "id": "CVE-2018-25032",
    "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-25032",
    "namespace": "debian:10",
    "severity": "High",
    "urls": [
      "https://security-tracker.debian.org/tracker/CVE-2018-25032"
    ],
    "cvss": [],
    "fix": {
      "versions": [
        "1:1.2.11.dfsg-1+deb10u1"
      ],
      "state": "fixed"
    },
    "advisories": [
      {
        "id": "DSA-5111-1",
        "link": "https://security-tracker.debian.org/tracker/DSA-5111-1"
      }
    ]
  },
  "relatedVulnerabilities": [
    {
      "id": "CVE-2018-25032",
      "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-25032",
      "namespace": "nvd",
      "severity": "High",
      "urls": [
        "https://www.openwall.com/lists/oss-security/2022/03/24/1",
        "https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531",
        "http://www.openwall.com/lists/oss-security/2022/03/25/2",
        "http://www.openwall.com/lists/oss-security/2022/03/26/1",
        "https://www.openwall.com/lists/oss-security/2022/03/28/1",
        "https://github.com/madler/zlib/compare/v1.2.11...v1.2.12",
        "https://www.openwall.com/lists/oss-security/2022/03/28/3",
        "https://github.com/madler/zlib/issues/605",
        "https://www.debian.org/security/2022/dsa-5111",
        "https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html"
      ],
      "description": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.",
      "cvss": [
        {
          "version": "2.0",
          "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "metrics": {
            "baseScore": 5,
            "exploitabilityScore": 10,
            "impactScore": 2.9
          },
          "vendorMetadata": {}
        },
        {
          "version": "3.1",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "metrics": {
            "baseScore": 7.5,
            "exploitabilityScore": 3.9,
            "impactScore": 3.6
          },
          "vendorMetadata": {}
        }
      ]
    }
  ],
  "matchDetails": [
    {
      "type": "exact-indirect-match",
      "matcher": "dpkg-matcher",
      "searchedBy": {
        "distro": {
          "type": "debian",
          "version": "10"
        },
        "namespace": "debian:10",
        "package": {
          "name": "zlib",
          "version": "1:1.2.11.dfsg-1"
        }
      },
      "found": {
        "versionConstraint": "< 1:1.2.11.dfsg-1+deb10u1 (deb)"
      }
    }
  ],
  "artifact": {
    "name": "zlib1g",
    "version": "1:1.2.11.dfsg-1",
    "type": "deb",
    "locations": [
      {
        "path": "/var/lib/dpkg/status",
        "layerID": "sha256:82068c842707f3491e7398973688d8abd66f1494f00e646d801be1545c539f1c"
      },
      {
        "path": "/var/lib/dpkg/info/zlib1g:amd64.md5sums",
        "layerID": "sha256:c2adabaecedbda0af72b153c6499a0555f3a769d52370469d8f6bd6328af9b13"
      },
      {
        "path": "/usr/share/doc/zlib1g/copyright",
        "layerID": "sha256:c2adabaecedbda0af72b153c6499a0555f3a769d52370469d8f6bd6328af9b13"
      }
    ],
    "language": "",
    "licenses": [
      "Zlib"
    ],
    "cpes": [
      "cpe:2.3:a:zlib1g:zlib1g:1:1.2.11.dfsg-1:*:*:*:*:*:*:*"
    ],
    "purl": "pkg:deb/debian/zlib1g@1:1.2.11.dfsg-1?arch=amd64&upstream=zlib&distro=debian-10",
    "upstreams": [
      {
        "name": "zlib"
      }
    ]
  }
}
What you expected to happen: Expected both to have similar vulnerability information, including vectors
How to reproduce it (as minimally and precisely as possible):
grype nginx:1.16 -o json > nginx-1_16.json
grype nginx:1.16 -o cyclonedx > nginx-1_16.xml
In both reports, look for the vulnerability CVE-2018-25032.
Compare the contents in both reports.
Anything else we need to know?:
Environment:
- Output of grype version:
Application: grype
Version: 0.34.7
Syft Version: v0.42.4
BuildDate: 2022-03-24T19:36:25Z
GitCommit: 44e676488efe4ab4fd63438bbce539777a2b8922
GitDescription: v0.34.7
Platform: darwin/amd64
GoVersion: go1.18
Compiler: gc
Supported DB Schema: 3
- OS (e.g. cat /etc/os-release or similar):
ProductName: macOS
ProductVersion: 11.4
@Pivotal-Jeff-Jun thanks for filing the issue - the first spot that stands out to include this is as part of the properties section for vulnerabilities:
https://cyclonedx.org/docs/1.4/json/#vulnerabilities_items_properties
Have you seen other places or discussions about where the vector information should live besides what I included above?
Thanks again for filing the issue, since we want our cyclonedx output to be as accurate as possible.
The ratings structure has fields for score and vector: https://cyclonedx.org/docs/1.4/json/#vulnerabilities_items_ratings . If memory serves, those fields do get populated in the cyclonedx presenter based on vulnerability.cvss, but maybe not for relatedVulnerabilities.cvss?
Looks like since we've upgraded our library to include cyclonedx 1.4 there is now a place for us to put the vector information under the ratings. If a vulnerability comes from the NVD dataset we should be loading its vectors under ratings.vector.
Look for this enhancement soon in a future grype release:
Former
{
  "severity": "low"
}
Later
{
  "severity": "low",
  "vector": "<VECTOR_STRING>"
}
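The two maintainer comments above describe the mapping that the thread is about: CycloneDX 1.4 ratings carry score, method and vector, and grype holds that data in vulnerability.cvss (often empty for distro advisories such as debian:10, which is why the XML snippet in the issue has a severity but no vector) and in relatedVulnerabilities[].cvss (the NVD record, which does carry vectors). The following is an added example, not grype's CycloneDX presenter and not code from this issue. It assumes the grype JSON match layout shown above and the CycloneDX 1.4 ratings schema linked by the maintainers; the mapping of grype's "Negligible" severity to the CycloneDX "info" value and the fallback to relatedVulnerabilities are this example's own choices. The sample match at the bottom is constructed from the snippet in the issue.

```python
"""Build CycloneDX 1.4 ``ratings`` entries from one grype JSON match.

Added example for the issue thread; not grype's own presenter code.
Assumes the grype JSON match shape from the issue (``vulnerability.cvss``,
``relatedVulnerabilities[].cvss``) and emits dicts shaped like the
CycloneDX 1.4 ``vulnerabilities[].ratings[]`` schema.
"""

# CVSS version string as grype reports it -> CycloneDX 1.4 rating.method value
METHOD_BY_CVSS_VERSION = {"2.0": "CVSSv2", "3.0": "CVSSv3", "3.1": "CVSSv31"}

# grype severity label -> CycloneDX 1.4 rating.severity enum value
SEVERITY_MAP = {
    "critical": "critical",
    "high": "high",
    "medium": "medium",
    "low": "low",
    "negligible": "info",  # assumption: "negligible" has no exact CycloneDX counterpart
}


def cdx_severity(label):
    """Normalise a grype severity label to the CycloneDX enum (default "unknown")."""
    return SEVERITY_MAP.get((label or "").lower(), "unknown")


def ratings_from_record(record):
    """One CycloneDX rating per CVSS entry carried by a grype vulnerability record."""
    source = {"name": record.get("namespace", ""), "url": record.get("dataSource", "")}
    ratings = []
    for entry in record.get("cvss", []):
        metrics = entry.get("metrics", {})
        ratings.append({
            "source": source,
            "score": metrics.get("baseScore"),
            "severity": cdx_severity(record.get("severity")),
            "method": METHOD_BY_CVSS_VERSION.get(entry.get("version"), "other"),
            "vector": entry.get("vector"),
        })
    return ratings


def cyclonedx_ratings(match):
    """Ratings for one grype match.

    Prefer the CVSS data on the primary vulnerability record. Distro advisories
    usually carry an empty ``cvss`` list, so fall back to the CVSS entries on the
    related (NVD) records. If there is no CVSS data anywhere, keep a severity-only
    rating so the consumer still sees the distro's assessment.
    """
    vuln = match["vulnerability"]
    ratings = ratings_from_record(vuln)
    if ratings:
        return ratings
    for related in match.get("relatedVulnerabilities", []):
        ratings.extend(ratings_from_record(related))
    if not ratings:
        ratings.append({
            "source": {"name": vuln.get("namespace", ""), "url": vuln.get("dataSource", "")},
            "severity": cdx_severity(vuln.get("severity")),
            "method": "other",
        })
    return ratings


# Constructed sample trimmed from the grype JSON snippet in the issue: the distro
# record has no CVSS, the related NVD record has a v2 and a v3.1 vector.
SAMPLE_MATCH = {
    "vulnerability": {
        "id": "CVE-2018-25032",
        "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-25032",
        "namespace": "debian:10",
        "severity": "High",
        "cvss": [],
    },
    "relatedVulnerabilities": [{
        "id": "CVE-2018-25032",
        "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-25032",
        "namespace": "nvd",
        "severity": "High",
        "cvss": [
            {"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
             "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}},
            {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
             "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}},
        ],
    }],
}

if __name__ == "__main__":
    import json
    print(json.dumps(cyclonedx_ratings(SAMPLE_MATCH), indent=2))
```

Run against the sample, this yields two ratings for the zlib1g match, one CVSSv2 and one CVSSv31, each with its vector and base score and the NVD record as source, which is the information the reporter found missing from the XML output. Because it reads the whole grype JSON match rather than only vulnerability.cvss, the same function can be pointed at a full grype -o json report to check which matches would still end up with severity-only ratings.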