syft
Wrong CPE for dnsmasq
What happened: syft+grype do not detect a vulnerable version of dnsmasq on an OpenWRT device.
What you expected to happen:
One of the reasons could be that syft builds the wrong CPE: a:dnsmasq:dnsmasq:2.86-17
instead of a:thekelleys:dnsmasq:2.86
(NVD search)
Steps to reproduce the issue: Let's try to reproduce partially on an alpine container:

```shell
cat << EOF > Dockerfile
FROM alpine:3.16
RUN apk add dnsmasq
EOF
docker build -t dnsmasqalpine .
```

```shell
$ /opt/syft -q scan docker:dnsmasqalpine -o json= | jq '.artifacts[] | select(.name=="dnsmasq") | .cpes'
[
  "cpe:2.3:a:dnsmasq:dnsmasq:2.86-r4:*:*:*:*:*:*:*"
]
```
The vendor part is not the expected one. Maybe that comes from the incomplete metadata:

```shell
$ /opt/syft -q scan docker:dnsmasqalpine -o json= | jq '.artifacts[] | select(.name=="dnsmasq") | .metadata'
{
  "package": "dnsmasq",
  "originPackage": "dnsmasq",
  "maintainer": "Natanael Copa <[email protected]>",
  "version": "2.86-r4",
  "architecture": "x86_64",
  "url": "https://www.thekelleys.org.uk/dnsmasq/",
  "description": "A lightweight DNS, DHCP, RA, TFTP and PXE server",
  ...
```
Anything else we need to know?: In this particular case of alpine, the identification is OK and the syft+grype tandem gives the expected result thanks to the correct info in the database:

pk | id | package_name | namespace | version_constraint | version_format | cpes | related_vulnerabilities | fixed_in_versions | fix_state
---|---|---|---|---|---|---|---|---|---
318326 | CVE-2022-0934 | dnsmasq | alpine:distro:alpine:3.16 | < 2.86-r1 | apk | | [{"id":"CVE-2022-0934","namespace":"nvd:cpe"}] | ["2.86-r1"] | fixed
319506 | CVE-2023-28450 | dnsmasq | alpine:distro:alpine:3.16 | < 2.86-r4 | apk | | [{"id":"CVE-2023-28450","namespace":"nvd:cpe"}] | ["2.86-r4"] | fixed
However, on the tested OpenWrt device, without any specific namespace, there is no match in the grype database, though some entries are present with the right CPE:

pk | id | package_name | namespace | version_constraint | version_format | cpes | related_vulnerabilities | fixed_in_versions | fix_state
---|---|---|---|---|---|---|---|---|---
237101 | CVE-2021-45951 | dnsmasq | nvd:cpe | = 2.86 | unknown | ["cpe:2.3:a:thekelleys:dnsmasq:2.86:*:*:*:*:*:*:*"] | | | unknown
237102 | CVE-2021-45952 | dnsmasq | nvd:cpe | = 2.86 | unknown | ["cpe:2.3:a:thekelleys:dnsmasq:2.86:*:*:*:*:*:*:*"] | | | unknown
237103 | CVE-2021-45953 | dnsmasq | nvd:cpe | = 2.86 | unknown | ["cpe:2.3:a:thekelleys:dnsmasq:2.86:*:*:*:*:*:*:*"] | | | unknown
237104 | CVE-2021-45954 | dnsmasq | nvd:cpe | = 2.86 | unknown | ["cpe:2.3:a:thekelleys:dnsmasq:2.86:*:*:*:*:*:*:*"] | | | unknown
237105 | CVE-2021-45955 | dnsmasq | nvd:cpe | = 2.86 | unknown | ["cpe:2.3:a:thekelleys:dnsmasq:2.86:*:*:*:*:*:*:*"] | | | unknown
237106 | CVE-2021-45956 | dnsmasq | nvd:cpe | = 2.86 | unknown | ["cpe:2.3:a:thekelleys:dnsmasq:2.86:*:*:*:*:*:*:*"] | | | unknown
237107 | CVE-2021-45957 | dnsmasq | nvd:cpe | = 2.86 | unknown | ["cpe:2.3:a:thekelleys:dnsmasq:2.86:*:*:*:*:*:*:*"] | | | unknown
238726 | CVE-2022-0934 | dnsmasq | nvd:cpe | < 2.87 | unknown | ["cpe:2.3:a:thekelleys:dnsmasq:*:*:*:*:*:*:*:*"] | | | unknown
271623 | CVE-2023-28450 | dnsmasq | nvd:cpe | < 2.90 | unknown | ["cpe:2.3:a:thekelleys:dnsmasq:*:*:*:*:*:*:*:*"] | | | unknown
Trying to reproduce with an OpenWrt container:

- Fetch the image

```shell
docker import http://downloads.openwrt.org/attitude_adjustment/12.09/x86/generic/openwrt-x86-generic-rootfs.tar.gz openwrt-x86-generic-rootfs
```

- List the CPE

```shell
$ /opt/syft -q scan docker:openwrt-x86-generic-rootfs -o json= | jq '.artifacts[] | select(.name=="dnsmasq") | .cpes'
[
  "cpe:2.3:a:dnsmasq:dnsmasq:2.62-2:*:*:*:*:*:*:*"
]
[
  "cpe:2.3:a:dnsmasq:dnsmasq:2.62-2:*:*:*:*:*:*:*"
]
```

- No CVE found for dnsmasq

```shell
$ /opt/syft -q scan docker:openwrt-x86-generic-rootfs -o json= | /opt/grype sbom:-
NAME          INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY
libcrypto1.1  1.1.1w-r1            apk   CVE-2024-0727  Medium
libssl1.1     1.1.1w-r1            apk   CVE-2024-0727  Medium
```

Expecting CVE-2022-0934 and CVE-2023-28450, which are in the grype DB.
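To make the matching failure in this report concrete, here is an added example (not syft or grype code, and not the logic of the linked PR). It builds the CPE the way the issue shows it being built (vendor copied from the package name, distro version used as-is), builds an alternative CPE from the `url` field in the apk metadata with the package revision stripped, and runs both against the `nvd:cpe` rows quoted above. The vendor-from-URL heuristic, the `-rN` / `-N` revision stripping, and the simplified constraint evaluation are assumptions made for this illustration only; the metadata and DB rows are constructed from the values in this issue.

```python
# Added example (not syft or grype code): why a CPE built from the package
# name alone fails to match the nvd:cpe rows in this issue, and how a
# vendor-aware CPE with the distro revision stripped would match them.
# The vendor-from-URL and version-stripping heuristics are assumptions made
# for this illustration, not the logic syft or the linked PR implements.
import operator
import re
from urllib.parse import urlparse

# Constructed sample: trimmed syft metadata for the alpine dnsmasq package.
APK_METADATA = {
    "package": "dnsmasq",
    "version": "2.86-r4",
    "url": "https://www.thekelleys.org.uk/dnsmasq/",
}

# Constructed sample: the nvd:cpe rows from the grype DB excerpt above
# (id, version_constraint, cpe).
NVD_ROWS = [
    ("CVE-2021-45951", "= 2.86", "cpe:2.3:a:thekelleys:dnsmasq:2.86:*:*:*:*:*:*:*"),
    ("CVE-2022-0934", "< 2.87", "cpe:2.3:a:thekelleys:dnsmasq:*:*:*:*:*:*:*:*"),
    ("CVE-2023-28450", "< 2.90", "cpe:2.3:a:thekelleys:dnsmasq:*:*:*:*:*:*:*:*"),
]

_OPS = {"=": operator.eq, "<": operator.lt, "<=": operator.le,
        ">": operator.gt, ">=": operator.ge}


def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into its named components."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return {"part": parts[2], "vendor": parts[3],
            "product": parts[4], "version": parts[5]}


def naive_cpe(meta):
    """CPE as reported in the issue: vendor copied from the package name,
    distro version used verbatim."""
    return f"cpe:2.3:a:{meta['package']}:{meta['package']}:{meta['version']}:*:*:*:*:*:*:*"


def vendor_from_url(url):
    """Assumed heuristic: first DNS label of the upstream host, minus 'www'."""
    labels = (urlparse(url).hostname or "").split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    return labels[0] if labels and labels[0] else ""


def upstream_version(version):
    """Assumed heuristic: drop an apk '-rN' or dpkg '-N' package revision."""
    return re.sub(r"-r?\d+$", "", version)


def vendor_aware_cpe(meta):
    """CPE with vendor taken from the upstream URL and the revision stripped."""
    vendor = vendor_from_url(meta.get("url", "")) or meta["package"]
    return f"cpe:2.3:a:{vendor}:{meta['package']}:{upstream_version(meta['version'])}:*:*:*:*:*:*:*"


def _version_key(version):
    try:
        return tuple(int(x) for x in version.split("."))
    except ValueError:
        return None  # e.g. '2.86-r4': a distro version, not an upstream one


def version_satisfies(version, constraint):
    """Evaluate a single grype-style constraint such as '< 2.87'."""
    op, _, bound = constraint.partition(" ")
    left, right = _version_key(version), _version_key(bound)
    if left is None or right is None:
        return False
    return _OPS[op](left, right)


def match(cpe, rows):
    """Ids of rows whose vendor/product the CPE shares and whose constraint it satisfies."""
    want = parse_cpe(cpe)
    hits = []
    for vid, constraint, row_cpe in rows:
        have = parse_cpe(row_cpe)
        if (have["vendor"], have["product"]) != (want["vendor"], want["product"]):
            continue  # a:dnsmasq:dnsmasq never meets a:thekelleys:dnsmasq
        if have["version"] != "*" and have["version"] != want["version"]:
            continue
        if version_satisfies(want["version"], constraint):
            hits.append(vid)
    return hits


if __name__ == "__main__":
    for build in (naive_cpe, vendor_aware_cpe):
        cpe = build(APK_METADATA)
        print(cpe, "->", match(cpe, NVD_ROWS) or "no match")
```

Run stand-alone, the first CPE produces no hits because the vendor comparison fails before any version is looked at, while the second hits all three rows; the same revision-stripping rule turns the OpenWrt `2.62-2` into `2.62`, which is the form the `nvd:cpe` rows use.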
I've done a little bit of research about this, and added a draft PR that updates the CPE to include the right vendor for apk and dpkg. HOWEVER, there's still another issue that prevents any vulnerabilities from showing up for the openwrt dnsmasq: this is identified as a Debian package, so Grype only uses Debian matchers. We will hopefully be able to identify these as not official Debian packages (see: https://github.com/anchore/syft/issues/2657) which should fix the issue there. The change does work for the alpine docker image.