
rust-crate false-positive: CVE-2017-9230

Open lclc opened this issue 2 years ago • 2 comments

What happened:

False-positive for the following rust-crate:

bitcoin 0.29.1 (current latest version) CVE-2017-9230 High

What you expected to happen:

ASIC-Boost is not a vulnerability. There is nothing to fix in rust-bitcoin. Maybe its maintainer, @apoelstra, can quickly confirm.

Environment:

  • Output of grype version:
    Application: grype
    Version: 0.48.0
    Syft Version: v0.54.0
    BuildDate: 2022-08-24T15:42:08Z
    GitCommit: e9df59b4b1bd56c370500b5072eeace3ab51f8b3
    GitDescription: v0.48.0

lclc avatar Aug 26 '22 08:08 lclc

It is correct that rust-bitcoin has nothing to do with asicboost and this is not a bug in our library.

I won't comment on whether it is CVE-worthy or even "a bug" at all :).

Can you give some context here -- did somebody flag rust-bitcoin as being affected by this CVE? I haven't gotten any notifications that I can see, or any chance to "appeal".

apoelstra avatar Aug 26 '22 13:08 apoelstra

It might have to do with a poorly tuned cpe generated for the below cve cpe:2.3:a:bitcoin:bitcoin:-:*:*:*:*:*:*:*

CVE-2017-9230

Rust bitcoin:

Library with support for de/serialization, parsing and executing on data-structures and network messages related to Bitcoin.

Vuln:

** DISPUTED ** The Bitcoin Proof-of-Work algorithm does not consider a certain attack methodology related to 80-byte block headers with a variety of initial 64-byte chunks followed by the same 16-byte chunk, multiple candidate root values ending with the same 4 bytes, and calculations involving sqrt numbers.

Because the rust library's name bitcoin matches the above cpe, the library probably gets lumped under the bitcoin ecosystem. This cpe matches against the broader disputed bitcoin algorithm "vulnerability". Also TIL about asicboost!

spiffcs avatar Aug 29 '22 14:08 spiffcs

Hi @lclc and @apoelstra,

As @spiffcs said above, this was caused because we were using CPEs to match packages to vulnerabilities, but CPEs don't encode ecosystem data, so similarly-named but totally unrelated packages can sometimes cause false positives.

For that reason, Grype by default now uses PURLs from GHSA to match vulnerabilities for language packages from supported ecosystems. You can read more about it here: https://anchore.com/blog/say-goodbye-to-false-positives/

I believe this issue is resolved, and sorry for the very late reply. Please let me know if I've missed something.

willmurphyscode avatar May 15 '24 11:05 willmurphyscode
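The mechanism described in the two replies above (a vendor/product CPE with no ecosystem information matching a same-named crate, versus a PURL match that carries the ecosystem) can be shown with a small toy matcher. This is an added example, not grype's code: only CVE-2017-9230 and the CPE string quoted in the thread come from the issue; the GHSA-EXAMPLE-0001 record, the `example-crate` package and the treatment of an unversioned NVD CPE as "any version" are constructed simplifications for illustration.

```python
# Added example (not grype's code): a toy vulnerability matcher that contrasts
# name-only CPE matching, which produced the false positive in this issue,
# with ecosystem-aware PURL matching. Only CVE-2017-9230 and its CPE string
# come from the thread; every other advisory, id and package is constructed.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cpe:
    part: str
    vendor: str
    product: str
    version: str
    target_sw: str


def parse_cpe23(cpe: str) -> Cpe:
    """Parse a CPE 2.3 formatted string (13 colon-separated fields)."""
    fields, cur, i = [], "", 0
    while i < len(cpe):                       # honour backslash-escaped colons
        if cpe[i] == "\\" and i + 1 < len(cpe):
            cur += cpe[i:i + 2]
            i += 2
            continue
        if cpe[i] == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += cpe[i]
        i += 1
    fields.append(cur)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return Cpe(part=fields[2], vendor=fields[3].lower(), product=fields[4].lower(),
               version=fields[5], target_sw=fields[10])


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


def parse_purl(purl: str) -> Purl:
    """Parse pkg:type/namespace/name@version (qualifiers and subpath dropped)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].lstrip("/").split("#", 1)[0].split("?", 1)[0]
    version = None
    if "@" in body:
        body, version = body.rsplit("@", 1)
    ptype, _, path = body.partition("/")
    segments = path.split("/")
    return Purl(type=ptype.lower(), namespace="/".join(segments[:-1]) or None,
                name=segments[-1], version=version)


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


@dataclass
class Advisory:
    id: str
    cpes: List[Cpe] = field(default_factory=list)
    # (purl type, package name, introduced version, fixed version or None)
    affected: List[Tuple[str, str, str, Optional[str]]] = field(default_factory=list)


# Constructed feed. The first record mirrors the NVD entry quoted in the issue
# (CPE only, no ecosystem); GHSA-EXAMPLE-0001 and example-crate are placeholders.
ADVISORIES = [
    Advisory("CVE-2017-9230",
             cpes=[parse_cpe23("cpe:2.3:a:bitcoin:bitcoin:-:*:*:*:*:*:*:*")]),
    Advisory("GHSA-EXAMPLE-0001",
             affected=[("cargo", "example-crate", "0.1.0", "1.2.0")]),
]


def match_by_cpe(pkg_cpe: Cpe, advisories: List[Advisory]) -> List[str]:
    """Name-based matching: vendor/product equality, no ecosystem check.
    '*' (ANY) and '-' (NA) in the advisory's version are treated as 'any
    version', a simplification of how an unversioned NVD entry gets applied."""
    hits = []
    for adv in advisories:
        for vuln in adv.cpes:
            if (vuln.part == pkg_cpe.part
                    and vuln.vendor in ("*", pkg_cpe.vendor)
                    and vuln.product == pkg_cpe.product
                    and vuln.version in ("*", "-", pkg_cpe.version)):
                hits.append(adv.id)
    return hits


def match_by_purl(pkg: Purl, advisories: List[Advisory]) -> List[str]:
    """Ecosystem-aware matching: type, name and version range must all agree."""
    hits = []
    for adv in advisories:
        for ptype, name, introduced, fixed in adv.affected:
            if ptype != pkg.type or name != pkg.name or pkg.version is None:
                continue
            v = version_tuple(pkg.version)
            if v >= version_tuple(introduced) and (fixed is None or v < version_tuple(fixed)):
                hits.append(adv.id)
    return hits


if __name__ == "__main__":
    crate_cpe = parse_cpe23("cpe:2.3:a:bitcoin:bitcoin:0.29.1:*:*:*:*:rust:*:*")
    print("CPE matcher :", match_by_cpe(crate_cpe, ADVISORIES))
    print("PURL matcher:", match_by_purl(parse_purl("pkg:cargo/bitcoin@0.29.1"), ADVISORIES))
```

Run as a script, the CPE matcher reports CVE-2017-9230 for the crate's generated CPE because vendor and product both read `bitcoin`, while the PURL matcher reports nothing: `pkg:cargo/bitcoin@0.29.1` only matches advisories that name the cargo ecosystem, and the NVD record carries no such data. The constructed GHSA record shows the other side of the same check: the same package name under a different ecosystem (`pkg:npm/...`) or outside the affected range is not reported.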