
False Positive for CVE-2019-3826

Open anuragagarwal561994 opened this issue 2 years ago • 0 comments

What happened: Grype reports CVE-2019-3826 — a stored, DOM-based XSS in the Prometheus server before 2.7.1 — against the Java library resilience4j-prometheus. The library is a Prometheus metrics exporter for resilience4j, not the Prometheus server, so this is a false positive.

What you expected to happen: No false positive for CVE-2019-3826

How to reproduce it (as minimally and precisely as possible):

  1. Create a Maven project with resilience4j-prometheus as a dependency (the scan output below was produced against the 1.7.0 jar, so use 1.7.0 to reproduce it exactly)
  2. Containerise the application so the jar ends up in the image (here at /app/libs/resilience4j-prometheus-1.7.0.jar)
  3. Scan the image with grype using JSON output and look for the CVE-2019-3826 match

Anything else we need to know?: The match detail shows this is a `cpe-match` produced by the `java-matcher`. Grype generated `cpe:2.3:a:prometheus:prometheus:1.7.0:*:*:*:*:*:*:*` from the artifact name and matched it against NVD's `cpe:2.3:a:prometheus:prometheus:*:*:*:*:*:*:*:*` with the constraint `< 2.7.1`. The artifact's `pomGroupID`, `pomArtifactID` and `manifestName` are all empty in the output, so the generated CPE list contains vendor/product pairs (e.g. `prometheus:prometheus`, `github:prometheus`) that do not identify this package at all; the CVE's own references point only at the prometheus/prometheus Go repository. Until the CPE generation or matcher is tightened, this finding should be suppressed per package and vulnerability rather than by ignoring the CVE globally, since a real Prometheus server image would still need the check.

Environment:

  • Output of grype version: 0.43.0
  • OS (e.g: cat /etc/os-release or similar): Mac M1
{
   "vulnerability": {
    "id": "CVE-2019-3826",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-3826",
    "namespace": "nvd:cpe",
    "severity": "Medium",
    "urls": [
     "https://github.com/prometheus/prometheus/pull/5163",
     "https://github.com/prometheus/prometheus/commit/62e591f9",
     "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3826",
     "https://access.redhat.com/errata/RHBA-2019:0327",
     "https://lists.apache.org/thread.html/rdf2a0d94c3b5b523aeff7741ae71347415276062811b687f30ea6573@%3Ccommits.zookeeper.apache.org%3E",
     "https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950eed7451ce70a65177@%3Ccommits.zookeeper.apache.org%3E",
     "https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8@%3Ccommits.zookeeper.apache.org%3E",
     "https://advisory.checkmarx.net/advisory/CX-2019-4297"
    ],
    "description": "A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts.",
    "cvss": [
     {
      "version": "2.0",
      "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
      "metrics": {
       "baseScore": 4.3,
       "exploitabilityScore": 8.6,
       "impactScore": 2.9
      },
      "vendorMetadata": {}
     },
     {
      "version": "3.0",
      "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "metrics": {
       "baseScore": 6.1,
       "exploitabilityScore": 2.8,
       "impactScore": 2.7
      },
      "vendorMetadata": {}
     }
    ],
    "fix": {
     "versions": [],
     "state": "unknown"
    },
    "advisories": []
   },
   "relatedVulnerabilities": [],
   "matchDetails": [
    {
     "type": "cpe-match",
     "matcher": "java-matcher",
     "searchedBy": {
      "namespace": "nvd:cpe",
      "cpes": [
       "cpe:2.3:a:prometheus:prometheus:1.7.0:*:*:*:*:*:*:*"
      ]
     },
     "found": {
      "versionConstraint": "< 2.7.1 (unknown)",
      "cpes": [
       "cpe:2.3:a:prometheus:prometheus:*:*:*:*:*:*:*:*"
      ]
     }
    }
   ],
   "artifact": {
    "name": "resilience4j-prometheus",
    "version": "1.7.0",
    "type": "java-archive",
    "locations": [
     {
      "path": "/app/libs/resilience4j-prometheus-1.7.0.jar",
      "layerID": "sha256:79e564ba8c4bf957e49b5da59fc1975455b66d2b4623d8ed87461c49240d41f5"
     }
    ],
    "language": "java",
    "licenses": [],
    "cpes": [
     "cpe:2.3:a:resilience4j-prometheus:resilience4j-prometheus:1.7.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:resilience4j-prometheus:resilience4j_prometheus:1.7.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:resilience4j_prometheus:resilience4j-prometheus:1.7.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:resilience4j_prometheus:resilience4j_prometheus:1.7.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:resilience4j-prometheus:resilience4j:1.7.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:resilience4j:resilience4j-prometheus:1.7.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:resilience4j:resilience4j_prometheus:1.7.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:resilience4j_prometheus:resilience4j:1.7.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:prometheus:resilience4j-prometheus:1.7.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:prometheus:resilience4j_prometheus:1.7.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:resilience4j-prometheus:prometheus:1.7.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:resilience4j_prometheus:prometheus:1.7.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:github:resilience4j-prometheus:1.7.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:github:resilience4j_prometheus:1.7.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:resilience4j:resilience4j:1.7.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:prometheus:resilience4j:1.7.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:resilience4j:prometheus:1.7.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:prometheus:prometheus:1.7.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:github:resilience4j:1.7.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:github:prometheus:1.7.0:*:*:*:*:*:*:*"
    ],
    "purl": "pkg:maven/io.github.resilience4j.prometheus/[email protected]",
    "upstreams": [],
    "metadataType": "JavaMetadata",
    "metadata": {
     "virtualPath": "/app/libs/resilience4j-prometheus-1.7.0.jar",
     "pomArtifactID": "",
     "pomGroupID": "",
     "manifestName": "",
     "archiveDigests": [
      {
       "algorithm": "sha1",
       "value": "53f32d840ac025a3813b7803a39829776e9b2927"
      }
     ]
    }
   }
  }
