grype
False Positives Reported for Apache Activemq-Artemis-Native
What happened: Apache Activemq Artemis Native (https://github.com/apache/activemq-artemis-native) is being mapped to activemq even though it's a separate project and is managed independently.
Examples: The latest activemq-artemis-native release is 1.0.2, but it appears to be treated as activemq=1.0.2:
org.apache.activemq:activemq-artemis-native
What you expected to happen: The ActiveMQ vulnerabilities should not be reported for the artemis-native component.
How to reproduce it (as minimally and precisely as possible):
This was used to create a minimal image containing only the artemis-native jar file and scan it:

```sh
# printf (rather than echo) so the embedded \n is expanded the same way in every shell
printf 'FROM maven:3.8.2-ibmjava-alpine\nRUN mvn dependency:get -Dartifact=org.apache.activemq:activemq-artemis-native:1.0.2\n' \
  | docker build -t java-false-positives:activemq-artemis-native - \
  && grype java-false-positives:activemq-artemis-native | egrep "activemq-artemis-native"
```
The below shows a segment of the debug output from the grype process:

```
[0012] DEBUG found 15 vulnerabilities for pkg=Pkg(type=java-archive, name=activemq-artemis-native, version=1.0.2, upstreams=0)
[0012] DEBUG ├── vuln="CVE-2010-0684" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2010-1244" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2011-4905" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2012-5784" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2012-6092" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2012-6551" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2013-1879" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2013-1880" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2013-3060" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2014-3576" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2015-7559" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2016-3088" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2018-11775" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2020-13920" matchers=[java-matcher]
[0012] DEBUG └── vuln="CVE-2020-13947" matchers=[java-matcher]
```
To look at one specifically, CVE-2016-3088 is against Apache Activemq (cpe:2.3:a:apache:activemq::::::::).
Anything else we need to know?: The Syft output for this package contains the following (the `*` wildcards were eaten by markdown rendering and are restored here; the record is cut off after the `cpes` array):

```json
{
  "id": "63c096a170a02afe",
  "name": "activemq-artemis-native",
  "version": "1.0.2",
  "type": "java-archive",
  "foundBy": "java-cataloger",
  "locations": [
    {
      "path": "/opt/activemq-artemis/lib/activemq-artemis-native-1.0.2.jar",
      "layerID": "sha256:4955648260bbf71e0419f024c5ca4b36c6295276a08a55b7f97f9bc678df3e39"
    }
  ],
  "licenses": [],
  "language": "java",
  "cpes": [
    "cpe:2.3:a:apache-software-foundation:activemq-artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache-software-foundation:activemq_artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache_software_foundation:activemq-artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache_software_foundation:activemq_artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq-artemis-native:activemq-artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq-artemis-native:activemq_artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq_artemis_native:activemq-artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq_artemis_native:activemq_artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache-software-foundation:artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache-software-foundation:artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache_software_foundation:artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache_software_foundation:artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq-artemis:activemq-artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq-artemis:activemq_artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq_artemis:activemq-artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq_artemis:activemq_artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq-artemis-native:artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq-artemis-native:artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq_artemis_native:artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq_artemis_native:artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:artemis-native:activemq-artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:artemis-native:activemq_artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:artemis_native:activemq-artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:artemis_native:activemq_artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache-software-foundation:activemq:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache_software_foundation:activemq:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq-artemis-native:activemq:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq:activemq-artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq:activemq_artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq_artemis_native:activemq:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq-artemis:artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq-artemis:artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq_artemis:artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq_artemis:artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:artemis:activemq-artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:artemis:activemq_artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:activemq-artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:activemq_artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:artemis-native:artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:artemis-native:artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:artemis_native:artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:artemis_native:artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq-artemis:activemq:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq_artemis:activemq:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq:artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq:artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:artemis-native:activemq:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:artemis_native:activemq:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:artemis:artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:artemis:artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:activemq:activemq:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:artemis:activemq:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:activemq:1.0.2:*:*:*:*:*:*:*"
  ],
```
From the Syft output it can be seen that a CPE of "cpe:2.3:a:apache:activemq:1.0.2:*:*:*:*:*:*:*" has been generated for this package.
The pom.xml file for this package declares <groupId>org.apache.activemq</groupId>, which is shared by a number of other ActiveMQ components.
Not entirely sure if this should be a grype or syft issue given the above.
This seems similar to #431 and #450
Environment:

Grype Version Information:
```
Application:          grype
Version:              0.38.0
Syft Version:         v0.46.2
BuildDate:            2022-05-23T14:41:50Z
GitCommit:            06d28dad9f7e7d9aa65fc16d45c6ce785826664c
GitDescription:       v0.38.0
Platform:             darwin/amd64
GoVersion:            go1.18.2
Compiler:             gc
Supported DB Schema:  3
```

Syft Version Information:
```
Application:        syft
Version:            0.46.2
JsonSchemaVersion:  3.2.3
BuildDate:          2022-05-23T14:02:40Z
GitCommit:          d41afe05eb8fecd2906f5db9661910dbc99fc3dd
GitDescription:     v0.46.2
Platform:           darwin/amd64
GoVersion:          go1.18.2
Compiler:           gc
```

OS:
```
ProductName:    macOS
ProductVersion: 12.2
BuildVersion:   21D49
```
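As an added illustration of the mechanism behind this report (example code, not grype's or syft's own matching logic): a minimal CPE 2.3 matcher showing why the generated `cpe:2.3:a:apache:activemq:1.0.2:*:*:*:*:*:*:*` falls inside the CVE-2016-3088 CPE quoted above, plus a heuristic check that flags generated CPEs whose product field is not the artifact id or a trailing part of it (the groupId-derived "activemq" here). The heuristic is an assumption for triage, not a rule either project applies.

```python
import re

CPE_FIELDS = ("cpe", "cpe_version", "part", "vendor", "product", "version", "update",
              "edition", "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into named fields; '' and '*' both mean ANY."""
    parts = cpe.split(":")
    parts += [""] * (len(CPE_FIELDS) - len(parts))  # tolerate short or truncated strings
    return dict(zip(CPE_FIELDS, parts))

def field_matches(vuln_value, pkg_value):
    """A vulnerability-side field matches when it is ANY or equals the package's value."""
    return vuln_value in ("", "*") or vuln_value == pkg_value

def cpe_matches(vuln_cpe, pkg_cpe):
    """True when the package CPE falls inside the vulnerability CPE on part/vendor/product/version."""
    v, p = parse_cpe(vuln_cpe), parse_cpe(pkg_cpe)
    return all(field_matches(v[f], p[f]) for f in ("part", "vendor", "product", "version"))

def normalize(name):
    """Collapse the '-' / '_' spelling variants the generated CPEs alternate between."""
    return re.sub(r"[-_]", "", name.lower())

def suspicious_cpes(artifact_id, cpes):
    """Heuristic (assumption, not syft's logic): a product is plausible when it is the artifact id
    or a trailing part of it; anything else (e.g. a fragment taken from the groupId) is flagged."""
    target = normalize(artifact_id)
    return [c for c in cpes if not target.endswith(normalize(parse_cpe(c)["product"]))]

# Constructed sample: a subset of the CPEs syft emitted for the jar in this report.
SAMPLE_CPES = [
    "cpe:2.3:a:apache:activemq-artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:activemq_artemis_native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:artemis-native:1.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:activemq:1.0.2:*:*:*:*:*:*:*",
]
# The CPE the report cites for CVE-2016-3088: every field after the product is empty (ANY version).
CVE_2016_3088_CPE = "cpe:2.3:a:apache:activemq::::::::"

if __name__ == "__main__":
    for c in SAMPLE_CPES:
        print(f"{c}: matches CVE-2016-3088 = {cpe_matches(CVE_2016_3088_CPE, c)}")
    print("flagged as not derived from the artifact id:",
          suspicious_cpes("activemq-artemis-native", SAMPLE_CPES))
```

Only the groupId-derived `apache:activemq` CPE matches the CVE, and it is also the only one the heuristic flags, which is the candidate to drop (or to cover with a grype ignore rule) when triaging this report.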