
CVE-2017-8806 matched to java package, also it is not related?

Open markush81 opened this issue 2 years ago • 1 comments

What happened:

https://nvd.nist.gov/vuln/detail/CVE-2017-8806

{
  "type": "cpe-match",
  "matcher": "java-matcher",
  "searchedBy": {
    "namespace": "nvd:cpe",
    "cpes": [
      "cpe:2.3:a:postgresql:postgresql:42.3.6:*:*:*:*:*:*:*"
    ]
  },
  "found": {
    "versionConstraint": "none (unknown)",
    "cpes": [
      "cpe:2.3:a:postgresql:postgresql:-:*:*:*:*:debian:*:*"
    ]
  }
}

It matched the JAR against a Debian/Ubuntu-related CPE.

Local grype vuln database content:

41775|CVE-2017-8806|postgresql|nvd:cpe||unknown|["cpe:2.3:a:postgresql:postgresql:-:*:*:*:*:debian:*:*"]|||unknown|
41776|CVE-2017-8806|postgresql|nvd:cpe||unknown|["cpe:2.3:a:postgresql:postgresql:-:*:*:*:*:ubuntu:*:*"]|||unknown|
274905|CVE-2017-8806|postgresql-common|debian:distro:debian:10|< 188|dpkg||[{"id":"CVE-2017-8806","namespace":"nvd:cpe"}]|["188"]|fixed|
297457|CVE-2017-8806|postgresql-common|debian:distro:debian:11|< 188|dpkg||[{"id":"CVE-2017-8806","namespace":"nvd:cpe"}]|["188"]|fixed|
321338|CVE-2017-8806|postgresql-common|debian:distro:debian:12|< 188|dpkg||[{"id":"CVE-2017-8806","namespace":"nvd:cpe"}]|["188"]|fixed|
349955|CVE-2017-8806|postgresql-common|debian:distro:debian:7|< 134wheezy6|dpkg||[{"id":"CVE-2017-8806","namespace":"nvd:cpe"}]|["134wheezy6"]|fixed|
369753|CVE-2017-8806|postgresql-common|debian:distro:debian:8|< 165+deb8u3|dpkg||[{"id":"CVE-2017-8806","namespace":"nvd:cpe"}]|["165+deb8u3"]|fixed|[{"id":"DSA-4029-1","link":"https://security-tracker.debian.org/tracker/DSA-4029-1"}]
389492|CVE-2017-8806|postgresql-common|debian:distro:debian:9|< 181+deb9u1|dpkg||[{"id":"CVE-2017-8806","namespace":"nvd:cpe"}]|["181+deb9u1"]|fixed|[{"id":"DSA-4029-1","link":"https://security-tracker.debian.org/tracker/DSA-4029-1"}]
416805|CVE-2017-8806|postgresql-common|debian:distro:debian:unstable|< 188|dpkg||[{"id":"CVE-2017-8806","namespace":"nvd:cpe"}]|["188"]|fixed|
1416287|CVE-2017-8806|postgresql-common|ubuntu:distro:ubuntu:14.04|< 154ubuntu1.1|dpkg||[{"id":"CVE-2017-8806","namespace":"nvd:cpe"}]|["154ubuntu1.1"]|fixed|
1443838|CVE-2017-8806|postgresql-common|ubuntu:distro:ubuntu:16.04|< 173ubuntu0.1|dpkg||[{"id":"CVE-2017-8806","namespace":"nvd:cpe"}]|["173ubuntu0.1"]|fixed|
1459189|CVE-2017-8806|postgresql-common|ubuntu:distro:ubuntu:17.04|< 179ubuntu0.1|dpkg||[{"id":"CVE-2017-8806","namespace":"nvd:cpe"}]|["179ubuntu0.1"]|fixed|
1463184|CVE-2017-8806|postgresql-common|ubuntu:distro:ubuntu:17.10|< 184ubuntu1.1|dpkg||[{"id":"CVE-2017-8806","namespace":"nvd:cpe"}]|["184ubuntu1.1"]|fixed|

What you expected to happen:

No match

How to reproduce it (as minimally and precisely as possible):

Run grype against an image containing https://search.maven.org/artifact/org.postgresql/postgresql/42.3.6/jar

Anything else we need to know?:

Environment:

  • Output of grype version:
Application:          grype
Version:              0.46.0
Syft Version:         v0.53.4
BuildDate:            2022-08-04T14:48:21Z
GitCommit:            c755c7304f4b2758ef37ce43480d2bd6826972af
GitDescription:       v0.46.0
Platform:             darwin/arm64
GoVersion:            go1.18.4
Compiler:             gc
Supported DB Schema:  4
  • OS (e.g: cat /etc/os-release or similar):
PRETTY_NAME="Distroless"
NAME="Debian GNU/Linux"
ID="debian"
VERSION_ID="11"
VERSION="Debian GNU/Linux 11 (bullseye)"
HOME_URL="https://github.com/GoogleContainerTools/distroless"
SUPPORT_URL="https://github.com/GoogleContainerTools/distroless/blob/master/README.md"
BUG_REPORT_URL="https://github.com/GoogleContainerTools/distroless/issues/new"

markush81 avatar Aug 08 '22 14:08 markush81

Thanks for the report! We'll be looking to improve this type of false positive soon.

kzantow avatar Aug 10 '22 12:08 kzantow

We encountered the same issue on the following environment.

What happened:

In vulnerability scanner benchmark research we are conducting, we executed Grype on 20 different containers and found out that Grype has multiple false positives.

What you expected to happen:

We expected Grype not to report on these CVEs.

How to reproduce it (as minimally and precisely as possible):

Install the Docker images (from the links below) and execute Grype using the following command:

grype <container_name> --output json > <output_file_path>

  • Output of grype version:
Application:          grype
Version:              0.41.0
Syft Version:         v0.50.0
BuildDate:            2022-07-06T15:20:18Z
GitCommit:            0e0a9d9e7a28592db489499db0294608e5fe69b8
GitDescription:       v0.41.0
Platform:             linux/amd64
GoVersion:            go1.18.3
Compiler:             gc
Supported DB Schema:  4

Sonarqube

  • Container Details: https://hub.docker.com/layers/library/sonarqube/9.5.0-community/images/sha256-2f102e5b91abb39db22da3d2efca1eaccdd919923355b6e42edc3c522e3aa235?context=explore

  • OS (e.g: cat /etc/os-release):
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.14.6
PRETTY_NAME="Alpine Linux v3.14"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"

  • CVEs: CVE-2017-8806
Grype wrongly identified CVE-2017-8806 as vulnerable. The path it identified is: /opt/sonarqube/lib/jdbc/postgresql/postgresql-42.3.3.jar. The postgresql version is 42.3.3. Affected versions according to NVD are only these templates:
  cpe:2.3:a:postgresql:postgresql:-:*:*:*:*:debian:*:*
  cpe:2.3:a:postgresql:postgresql:-:*:*:*:*:ubuntu:*:*
According to NVD and Snyk the vulnerability is related only to Ubuntu and Debian distributions.

OfriOuzan avatar Oct 02 '22 13:10 OfriOuzan

Hi @markush81 and @OfriOuzan, thanks for reporting this issue!

Confirming that I still see the issue:

wget https://repo1.maven.org/maven2/org/postgresql/postgresql/42.3.6/postgresql-42.3.6.jar
grype postgresql-42.3.6.jar | grep CVE-2017-8806

still prints the issue.

Here's a formatted view of the match details:

CVE-2017-8806 from https://nvd.nist.gov/vuln/detail/CVE-2017-8806
matched artifact is: postgresql - pkg:maven/org.postgresql.jdbc/postgresql@42.3.6
match type is cpe-match, cpe-match CPEs:

  • cpe:2.3:a:postgresql-global-development-group:PGBundleActivator:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql_global_development_group:PGBundleActivator:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql-global-development-group:postgresql:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql_global_development_group:postgresql:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql-global-development-group:jdbc:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql-global-development-group:osgi:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql_global_development_group:jdbc:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql_global_development_group:osgi:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle-corporation:PGBundleActivator:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle_corporation:PGBundleActivator:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:PGBundleActivator:PGBundleActivator:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle-corporation:postgresql:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle_corporation:postgresql:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:PGBundleActivator:postgresql:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:PGBundleActivator:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle-corporation:jdbc:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle-corporation:osgi:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle_corporation:jdbc:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle_corporation:osgi:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:PGBundleActivator:jdbc:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:PGBundleActivator:osgi:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:jdbc:PGBundleActivator:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:osgi:PGBundleActivator:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:jdbc:postgresql:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:osgi:postgresql:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:jdbc:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:osgi:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:jdbc:jdbc:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:jdbc:osgi:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:osgi:jdbc:42.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:osgi:osgi:42.3.6:*:*:*:*:*:*:*

URLs:

  • https://nvd.nist.gov/vuln/detail/CVE-2017-8806
  • http://metadata.ftp-master.debian.org/changelogs/main/p/postgresql-common/postgresql-common_181+deb9u1_changelog
  • http://www.securityfocus.com/bid/101810
  • https://usn.ubuntu.com/usn/usn-3476-1/
  • https://www.debian.org/security/2017/dsa-4029

It looks like cpe:2.3:a:postgresql:postgresql:42.3.6:*:*:*:*:*:*:* matches a CPE on https://nvd.nist.gov/vuln/detail/CVE-2017-8806, but is overly broad, since the vulnerability is against scripts bundled with distributions of the postgresql server, and shouldn't be reported against a jar file that provides a client for that server. I'm applying a label indicating that this is likely a false positive due to overly broad CPE matching in the hopes that we can fix this class of issue in the future.

willmurphyscode avatar Jun 09 '23 20:06 willmurphyscode
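One way to triage this class of match in `grype -o json` output, as an added example (not grype's own code and not part of this thread): it parses the CPE 2.3 strings from each cpe-match detail and flags a match when the vulnerability CPE's target_sw names a Linux distribution while the artifact is a language-ecosystem package such as a JAR, or when the match relied on vendor and product alone (found version `-`, no version constraint), which is exactly the shape of the match detail quoted above. The sample document, the distro list and the ecosystem-type list are constructed for the example; CVE-0000-0000 is a placeholder id, not a real vulnerability.

```python
"""Added triage helper (example code, not grype's own): flag grype CPE matches
that are distro-scoped but landed on an ecosystem package such as a JAR."""
import json

# The 11 components of a CPE 2.3 formatted string, in order.
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")

# Constructed lists for this example: target_sw values that name an OS
# distribution, and grype artifact types that are language ecosystems.
DISTRO_TARGET_SW = {"debian", "ubuntu", "alpine", "rhel", "centos", "fedora", "suse"}
ECOSYSTEM_TYPES = {"java-archive", "npm", "python", "gem", "go-module", "rust-crate"}


def parse_cpe23(cpe):
    """Split a CPE 2.3 string into its components, honouring backslash escapes."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    parts, cur, i, body = [], [], 0, cpe[len(prefix):]
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):  # escaped char, keep verbatim
            cur.append(body[i:i + 2])
            i += 2
            continue
        if body[i] == ":":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(body[i])
        i += 1
    parts.append("".join(cur))
    if len(parts) != len(CPE23_FIELDS):
        raise ValueError(f"expected {len(CPE23_FIELDS)} components, got {len(parts)}: {cpe}")
    return dict(zip(CPE23_FIELDS, parts))


def triage_match(match):
    """Return reasons one grype match looks like an overly broad CPE match (empty if none)."""
    reasons = []
    artifact_type = match["artifact"].get("type", "")
    for detail in match.get("matchDetails", []):
        if detail.get("type") != "cpe-match":
            continue
        found = detail.get("found", {})
        constraint = found.get("versionConstraint", "")
        for cpe in found.get("cpes", []):
            comp = parse_cpe23(cpe)
            # Distro-scoped vulnerability CPE applied to a language-ecosystem artifact.
            if comp["target_sw"] in DISTRO_TARGET_SW and artifact_type in ECOSYSTEM_TYPES:
                reasons.append(f"{cpe}: target_sw '{comp['target_sw']}' vs artifact type '{artifact_type}'")
            # Version '-' plus no constraint means vendor/product alone produced the match.
            if comp["version"] == "-" and constraint.startswith("none"):
                reasons.append(f"{cpe}: matched on vendor/product only, no version constraint")
    return reasons


def triage_report(grype_json_text):
    """Parse grype JSON output; return [(vuln id, artifact, reasons)] for suspect matches."""
    doc = json.loads(grype_json_text)
    suspects = []
    for match in doc.get("matches", []):
        reasons = triage_match(match)
        if reasons:
            art = match["artifact"]
            suspects.append((match["vulnerability"]["id"], f"{art['name']}@{art['version']}", reasons))
    return suspects


# Constructed sample modelled on the matchDetails block in this issue, plus one
# placeholder match (CVE-0000-0000 is not a real id) that should not be flagged.
SAMPLE_GRYPE_OUTPUT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2017-8806"},
     "matchDetails": [{"type": "cpe-match", "matcher": "java-matcher",
                       "searchedBy": {"namespace": "nvd:cpe",
                                      "cpes": ["cpe:2.3:a:postgresql:postgresql:42.3.6:*:*:*:*:*:*:*"]},
                       "found": {"versionConstraint": "none (unknown)",
                                 "cpes": ["cpe:2.3:a:postgresql:postgresql:-:*:*:*:*:debian:*:*"]}}],
     "artifact": {"name": "postgresql", "version": "42.3.6", "type": "java-archive"}},
    {"vulnerability": {"id": "CVE-0000-0000"},
     "matchDetails": [{"type": "cpe-match", "matcher": "java-matcher",
                       "searchedBy": {"namespace": "nvd:cpe",
                                      "cpes": ["cpe:2.3:a:example:library:1.0.0:*:*:*:*:*:*:*"]},
                       "found": {"versionConstraint": "< 1.0.1 (unknown)",
                                 "cpes": ["cpe:2.3:a:example:library:*:*:*:*:*:*:*:*"]}}],
     "artifact": {"name": "library", "version": "1.0.0", "type": "java-archive"}},
]})

if __name__ == "__main__":
    for vuln_id, artifact, reasons in triage_report(SAMPLE_GRYPE_OUTPUT):
        print(f"{vuln_id} on {artifact}:")
        for reason in reasons:
            print("  -", reason)
```

Running the script lists the CVE-2017-8806 match with both reasons and stays silent on the placeholder match. Flagged entries are candidates for review; once a reviewer confirms the CPE is distro-scoped, grype's documented `ignore:` rules (keyed by vulnerability id and package type in its config file) are the place to record the decision so it survives the next scan.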

Hello, after upgrading to the latest Grype I can confirm that this false positive is no longer reported. Please see https://anchore.com/blog/say-goodbye-to-false-positives/ for more details.

tgerla avatar Nov 17 '23 14:11 tgerla