Java CVEs not detected from sparse CycloneDX SBOM

[jonmcewen]

What happened:

When using grype to check a CycloneDX SBOM not produced by syft, Java vulnerabilities were not detected.

What you expected to happen:

Vulnerabilities should be found by language when there is no CPE and no syft metadata

How to reproduce it (as minimally and precisely as possible):

Using a CycloneDX SBOM with minimal component info and known CVEs such as:

{ "name" : "log4j-core", "version" : "2.13.3", "purl" : "pkg:maven/org.apache.logging.log4j/[email protected]?type=jar", "type" : "library", "bom-ref" : "pkg:maven/org.apache.logging.log4j/[email protected]?type=jar" }, Running grype will not find any CVEs.

Anything else we need to know?:

Relates to https://github.com/anchore/syft/issues/953

Environment:

Output of grype version: 0.34.7 OS (e.g: cat /etc/os-release or similar): any

[jonmcewen]

SBOM to test with: running mvn package on this project will produce a cycloneDX SBOM that grype should report at least 10 vulnerabilities on

https://gitlab.com/jonmcewen1/spring-from-template

[spiffcs]

This is an excellent find @jonmcewen! Thanks for filing this issue. Because we do matching for the java ecosystem using cpe generation from syft we're showing our bias a bit with this omission. I think the best way forward here is to take your example and use the PURL string as a fallback in grype to surface CVE if no CPE information is available.

There is a good discussion around if we should mix and provide all CVE if both are provided.

Either way we've pulled this forward so that we can hit the case where PURL exists and cpe does not!

[jonmcewen]

I raised a syft PR to fix this. Seems like I forgot to link to this.

This PR: https://github.com/anchore/syft/pull/957

[spiffcs]

Yep! Just validated this today and it looks like the PR fixed the underlying issue:

Thanks again for the great contribution @jonmcewen!