False negatives when scanning debian trixie/sid images from Dockerhub #1446

Closed
dlorenc opened this issue Aug 18, 2023 · 1 comment · Fixed by #1593
Labels
bug Something isn't working false-negative

Comments

@dlorenc

dlorenc commented Aug 18, 2023

What happened:

I scanned the r-base:latest image with grype (digest sha256:37729a5d96546ca5067552c5eaeb44e18cee2c07b4f242b5bafb83ff06539d52) and noticed it had 0 CVEs. I checked it with Snyk and Docker scout, and they did find CVEs, so I dug in a bit. There appears to be a distro-matching issue with Debian 13/testing/sid in Grype.

I tested this with the debian:testing image as well, and it also reproduces.

I think this is because these images don't have a VERSION_ID field in the /etc/os-release file, but that's just a guess.

```
% grype r-base:latest
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    r-base:latest
 ✔ Parsed image                    sha256:946bef997180497fd51e50cafdf7518b14f68b0871515e704d47a4dba63eb700
 ✔ Cataloged packages              [299 packages]
 ✔ Scanned for vulnerabilities     [0 vulnerabilities]
   ├── 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── 0 fixed
No vulnerabilities found
0.65.2
% grype debian:testing
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    debian:testing
 ✔ Parsed image                    sha256:3775cd2ccc6ee2418a834e41c7ee11fa479b3668c81f3b652922045e2d812b3c
 ✔ Cataloged packages              [86 packages]
 ✔ Scanned for vulnerabilities     [0 vulnerabilities]
   ├── 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── 0 fixed
No vulnerabilities found
0.65.2
```
```
% docker run -it debian:testing cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux trixie/sid"
NAME="Debian GNU/Linux"
VERSION_CODENAME=trixie
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
% docker run -it debian:stable cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
```

@luhring checked the Grype DB and found that there are vulnerability entries for Debian 13, but for some reason these images aren't matching against it.

What you expected to happen:

How to reproduce it (as minimally and precisely as possible):

```
grype r-base:latest
```

Anything else we need to know?:

Environment:

  • Output of `grype version`:

```
Application:          grype
Version:              0.65.1
Syft Version:         v0.86.1
BuildDate:            2023-08-04T13:02:31Z
GitCommit:            078a6c5e9e6e9e6e1037da6dcf953623e7d38500
GitDescription:       v0.65.1
Platform:             darwin/arm64
GoVersion:            go1.19.11
Compiler:             gc
Supported DB Schema:  5
```

  • OS (e.g: `cat /etc/os-release` or similar):
@dlorenc dlorenc added the bug Something isn't working label Aug 18, 2023
@westonsteimel
Contributor
For now we might need to maintain a mapping of Debian and Ubuntu codenames -> version within grype, in order to find the correct namespace in cases where the version is missing. But it would be good in a future grype-db schema to ensure we encode enough information about vulnerability namespaces and providers so that we can still potentially find the correct items even if some information is missing.
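The two points above (the report that the testing/sid images ship an `/etc/os-release` without `VERSION_ID`, and the suggested codename -> version fallback) are illustrated by the following Go example. It is an added example written for this page, not grype's or syft's own code: `ParseOSRelease`, `Namespace`, `codenameFromPrettyName`, `codenameVersions` and `ErrUnknownVersion` are assumed names, the codename table is an assumed subset that the example maintains itself, and the sample inputs are constructed (the first two mirror the files quoted in the issue; the third is a hypothetical pure-sid file with no codename mapping). The security-relevant behaviour is in `Namespace`: when no version can be derived it returns an error instead of an empty namespace, so the caller cannot silently match zero vulnerabilities.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// OSRelease carries the /etc/os-release fields a scanner needs to choose a
// distro namespace such as "debian:13".
type OSRelease struct {
	ID              string
	VersionID       string
	VersionCodename string
	PrettyName      string
}

// ParseOSRelease parses os-release text: KEY=VALUE lines, values optionally
// wrapped in single or double quotes; '#' comments and blank lines are ignored.
func ParseOSRelease(content string) OSRelease {
	var r OSRelease
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		val = strings.Trim(strings.TrimSpace(val), `"'`)
		switch strings.TrimSpace(key) {
		case "ID":
			r.ID = val
		case "VERSION_ID":
			r.VersionID = val
		case "VERSION_CODENAME":
			r.VersionCodename = val
		case "PRETTY_NAME":
			r.PrettyName = val
		}
	}
	return r
}

// codenameVersions is an assumed codename -> version table for this example;
// it is not grype's data and has to be extended as new releases are named.
var codenameVersions = map[string]map[string]string{
	"debian": {"stretch": "9", "buster": "10", "bullseye": "11", "bookworm": "12", "trixie": "13"},
	"ubuntu": {"focal": "20.04", "jammy": "22.04", "noble": "24.04"},
}

// ErrUnknownVersion is returned when neither VERSION_ID nor a known codename
// identifies the release. Surfacing it loudly is the point: matching against
// no namespace at all is exactly the false-negative pattern in the issue.
var ErrUnknownVersion = errors.New("cannot determine distro version from os-release")

// codenameFromPrettyName recovers "trixie" from "Debian GNU/Linux trixie/sid"
// or "bookworm" from "Debian GNU/Linux 12 (bookworm)" when VERSION_CODENAME
// is absent. It returns "" when nothing usable is found.
func codenameFromPrettyName(pretty string) string {
	fields := strings.Fields(pretty)
	if len(fields) == 0 {
		return ""
	}
	last := strings.Trim(fields[len(fields)-1], "()")
	if i := strings.Index(last, "/"); i > 0 {
		last = last[:i] // "trixie/sid" -> "trixie"
	}
	return strings.ToLower(last)
}

// Namespace returns "<id>:<version>", preferring VERSION_ID and falling back
// to the codename table when that field is missing (testing/sid images).
func Namespace(r OSRelease) (string, error) {
	id := strings.ToLower(strings.TrimSpace(r.ID))
	if id == "" {
		return "", errors.New("os-release has no ID field")
	}
	if r.VersionID != "" {
		return id + ":" + r.VersionID, nil
	}
	codename := strings.ToLower(r.VersionCodename)
	if codename == "" {
		codename = codenameFromPrettyName(r.PrettyName)
	}
	if v, ok := codenameVersions[id][codename]; ok {
		return id + ":" + v, nil
	}
	return "", fmt.Errorf("%w: id=%q codename=%q", ErrUnknownVersion, id, codename)
}

// Constructed inputs for the example (see lead-in).
const trixieOSRelease = `PRETTY_NAME="Debian GNU/Linux trixie/sid"
NAME="Debian GNU/Linux"
VERSION_CODENAME=trixie
ID=debian
HOME_URL="https://www.debian.org/"
`

const bookwormOSRelease = `PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
`

const sidOSRelease = `PRETTY_NAME="Debian GNU/Linux sid"
ID=debian
VERSION_CODENAME=sid
`

func main() {
	for _, in := range []string{trixieOSRelease, bookwormOSRelease, sidOSRelease} {
		ns, err := Namespace(ParseOSRelease(in))
		fmt.Printf("namespace=%q err=%v\n", ns, err)
	}
}
```

Running it maps the trixie file to `debian:13` and the bookworm file to `debian:12`, while the sid-only file yields `ErrUnknownVersion`. A scanner integrating a fallback like this should treat that error as a scan failure or at least a prominent warning, since a "0 vulnerabilities" result on an unmatched distro is indistinguishable from a clean image to anyone reading the report.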
