FP in upstream of a package that doesn't exist #2327

Open
tomersein opened this issue Dec 12, 2024 · 0 comments

Labels: bug (Something isn't working)

@tomersein (Contributor)
What happened:
I am scanning a VM and getting vulnerabilities due to an indirect match. However, the package which it points to doesn't exist on the machine, but another package with a different version does.
For example:

```json
{
  "vulnerability": {
    "id": "CVE-2024-8805",
    "dataSource": "https://ubuntu.com/security/CVE-2024-8805",
    "namespace": "ubuntu:distro:ubuntu:24.04",
    "severity": "Medium",
    "urls": [
      "https://ubuntu.com/security/CVE-2024-8805"
    ],
    "cvss": [],
    "fix": {
      "versions": [],
      "state": "not-fixed"
    },
    "advisories": []
  },
  "relatedVulnerabilities": [],
  "matchDetails": [
    {
      "type": "exact-indirect-match",
      "matcher": "dpkg-matcher",
      "searchedBy": {
        "distro": {
          "type": "ubuntu",
          "version": "24.04"
        },
        "namespace": "ubuntu:distro:ubuntu:24.04",
        "package": {
          "name": "linux",
          "version": "6.8.0-49.49"
        }
      },
      "found": {
        "versionConstraint": "none (deb)",
        "vulnerabilityID": "CVE-2024-8805"
      }
    }
  ],
  "artifact": {
    "id": "07d8f953b8bfcc87",
    "name": "linux-tools-common",
    "version": "6.8.0-49.49",
    "type": "deb",
    "locations": [
      {
        "path": "/usr/share/doc/linux-tools-common/copyright"
      },
      {
        "path": "/var/lib/dpkg/info/linux-tools-common.md5sums"
      },
      {
        "path": "/var/lib/dpkg/status"
      }
    ],
    "language": "",
    "licenses": [
      "GPL-2"
    ],
    "cpes": [
      "cpe:2.3:a:linux-tools-common:linux-tools-common:6.8.0-49.49:*:*:*:*:*:*:*",
      "cpe:2.3:a:linux-tools-common:linux_tools_common:6.8.0-49.49:*:*:*:*:*:*:*",
      "cpe:2.3:a:linux_tools_common:linux-tools-common:6.8.0-49.49:*:*:*:*:*:*:*",
      "cpe:2.3:a:linux_tools_common:linux_tools_common:6.8.0-49.49:*:*:*:*:*:*:*",
      "cpe:2.3:a:linux-tools:linux-tools-common:6.8.0-49.49:*:*:*:*:*:*:*",
      "cpe:2.3:a:linux-tools:linux_tools_common:6.8.0-49.49:*:*:*:*:*:*:*",
      "cpe:2.3:a:linux_tools:linux-tools-common:6.8.0-49.49:*:*:*:*:*:*:*",
      "cpe:2.3:a:linux_tools:linux_tools_common:6.8.0-49.49:*:*:*:*:*:*:*",
      "cpe:2.3:a:linux:linux-tools-common:6.8.0-49.49:*:*:*:*:*:*:*",
      "cpe:2.3:a:linux:linux_tools_common:6.8.0-49.49:*:*:*:*:*:*:*"
    ],
    "purl": "pkg:deb/ubuntu/linux-tools-common@6.8.0-49.49?arch=all&upstream=linux&distro=ubuntu-24.04",
    "upstreams": [
      {
        "name": "linux"
      }
    ]
  }
}
```

When I look for the linux package in grype, I can't see it. A higher version of linux is installed on the machine.
I suspect the upstream logic doesn't consider whether a higher version of linux / kernel is installed, and therefore we get lots of FPs.

What you expected to happen:
Validate that a package exists in the SBOM before using the upstream.

How to reproduce it (as minimally and precisely as possible):
Scan an AWS machine and you will see it.

Anything else we need to know?:

Environment:

Output of grype version: 0.85.0
OS (e.g. cat /etc/os-release or similar): Ubuntu 24.04
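The check the report asks for, expressed as a triage script over grype's JSON output. This is an added example, not grype's own code or a proposed patch: it walks every `exact-indirect-match`, looks up the package the matcher searched by (the upstream, `linux` here) in an inventory of what is actually installed, and flags matches whose upstream is absent or installed at a different version. The report and inventory are constructed inline in the shape of the match quoted above; the assumption that grype keeps matches under a top-level `"matches"` key, the placeholder second CVE id and the package `example-pkg` are not from the issue.

```python
import json
from typing import Dict, List

# Constructed sample report in the shape of the grype match quoted in this issue.
# Assumption (not stated in the issue): grype's JSON report keeps its matches under a
# top-level "matches" key. The second match is a constructed placeholder, not a real CVE.
SAMPLE_REPORT = json.loads("""
{
  "matches": [
    {
      "vulnerability": {"id": "CVE-2024-8805", "namespace": "ubuntu:distro:ubuntu:24.04"},
      "matchDetails": [{
        "type": "exact-indirect-match",
        "matcher": "dpkg-matcher",
        "searchedBy": {"package": {"name": "linux", "version": "6.8.0-49.49"}}
      }],
      "artifact": {"name": "linux-tools-common", "version": "6.8.0-49.49", "type": "deb",
                   "upstreams": [{"name": "linux"}]}
    },
    {
      "vulnerability": {"id": "CVE-0000-00001", "namespace": "ubuntu:distro:ubuntu:24.04"},
      "matchDetails": [{
        "type": "exact-direct-match",
        "matcher": "dpkg-matcher",
        "searchedBy": {"package": {"name": "example-pkg", "version": "1.0-1"}}
      }],
      "artifact": {"name": "example-pkg", "version": "1.0-1", "type": "deb", "upstreams": []}
    }
  ]
}
""")

# Constructed inventory of what is actually installed on the scanned host, keyed by the
# name the matcher searches by. In practice build it from the syft SBOM or from
# `dpkg-query -W -f '${Package} ${Version}\n'` (binary names) together with the dpkg
# "Source:" field, because an upstream such as "linux" is a source package, not a binary one.
SAMPLE_INSTALLED: Dict[str, str] = {
    "linux-tools-common": "6.8.0-49.49",
    "example-pkg": "1.0-1",
}


def classify_indirect_matches(report: dict, installed: Dict[str, str]) -> List[dict]:
    """One record per exact-indirect-match, stating whether the package the matcher
    searched by (the upstream) is installed, and whether it is at the searched version."""
    findings = []
    for match in report.get("matches", []):
        vuln_id = match["vulnerability"]["id"]
        artifact = match["artifact"]
        for detail in match.get("matchDetails", []):
            if detail.get("type") != "exact-indirect-match":
                continue
            searched = detail["searchedBy"]["package"]
            name, searched_version = searched["name"], searched["version"]
            installed_version = installed.get(name)
            if installed_version is None:
                status = "upstream-absent"            # nothing by that name installed: FP candidate
            elif installed_version != searched_version:
                # Plain string inequality: this only detects "not the searched version";
                # it does not order Debian versions, so "higher" is left to manual triage.
                status = "upstream-version-differs"
            else:
                status = "upstream-present"
            findings.append({
                "vulnerability": vuln_id,
                "artifact": f"{artifact['name']}@{artifact['version']}",
                "upstream": name,
                "searched_version": searched_version,
                "installed_version": installed_version,
                "status": status,
            })
    return findings


def fp_candidates(report: dict, installed: Dict[str, str]) -> List[dict]:
    """Indirect matches whose upstream is absent or at another version; these need review."""
    return [f for f in classify_indirect_matches(report, installed)
            if f["status"] != "upstream-present"]


if __name__ == "__main__":
    for f in fp_candidates(SAMPLE_REPORT, SAMPLE_INSTALLED):
        print(f"{f['vulnerability']}: {f['artifact']} matched via upstream "
              f"{f['upstream']}@{f['searched_version']} -> {f['status']}")
```

Run against the constructed data, the script reports CVE-2024-8805 as `upstream-absent`, which is the situation the issue describes; the direct match is left alone. The script does not suppress anything by itself: an `upstream-version-differs` finding still needs a Debian-aware version comparison (for example `dpkg --compare-versions`) before it can be called a false positive.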
