No FIXED-IN values for CVE findings

[hotpheex]

What happened:
Grype scan outputs contain no values in the FIXED-IN column for CVE-... vulnerabilities.
Is this a limitation of the tool or an upcoming feature?

What you expected to happen:
FIXED-IN column to output versions that remediate the vulnerability.

How to reproduce it (as minimally and precisely as possible):
grype scan an image that has CVE and GHSA findings

NAME                     INSTALLED         FIXED-IN          VULNERABILITY        SEVERITY
akka                     2.2-1.0                             CVE-2017-1000034     High
akka                     2.1-1.0                             CVE-2017-1000034     High
async-http-client        2.0.0-1.0                           CVE-2017-14063       High
commons-beanutils        1.8.3             1.9.2             GHSA-p66x-2cv9-qq3v  High
commons-beanutils        1.8.3             1.9.4             GHSA-6phf-73q6-gh87  High
cxf                      2.7-1.0                             CVE-2015-5253        Medium
grails                   2-1.0                               CVE-2019-12728       High
guava                    13.0.1            24.1.1            GHSA-mvr2-9pj6-7w5j  Medium
guava                    13.0.1                              CVE-2020-8908        Low
guava                    13.0.1                              CVE-2018-10237       Medium
guava                    19.0              24.1.1            GHSA-mvr2-9pj6-7w5j  Medium
guava                    19.0                                CVE-2020-8908        Low
guava                    19.0                                CVE-2018-10237       Medium
hibernate-validator      6.0.10.Final      6.0.18            GHSA-m8p2-495h-ccmh  Medium

Anything else we need to know?:
We are using the scan output and failing builds with Critical vulnerabilities, if there is a FIXED-IN value.
Due to CVE findings not publishing known fixed-in values builds with many old critical vulnerabilities are passing.

Environment:

Application:          grype
Version:              0.7.0
BuildDate:            2021-01-28T14:03:23Z
GitCommit:            8344b8f0d3f61729cf0845c08b31f26103e21231
GitTreeState:         clean
Platform:             darwin/amd64
GoVersion:            go1.14.14
Compiler:             gc
Supported DB Schema:  1

[luhring]

We can double-check this, but I believe the issue is the upstream NVD data itself. In GitHub’s data, they declare explicitly what the “FixedIn” version is for a reported vulnerability if there is one. The NVD data doesn’t do this. Through CPEs, they describe what versions are vulnerable, but they don’t explicitly list versions that are fixed. (And it wouldn’t be safe for grype to assume versions after the listed vulnerable versions have been patched.)

However, one thing we find is that even though there’s no explicit field in the NVD data, the Description field (a string, usually several sentences) sometimes includes phrases like “This is fixed as of version 2.5.10".

So, one option for a future feature would be to make a best-effort attempt to parse out “fixed in” data from the description string. This would be non-authoritative, and we’d need to represent it as such, but it could be useful for grype users in certain contexts.

Notes for developers

In considering this strategy, it's useful to look at the JSON output from the Feeds service for NVD data. Here's an example command that returns an array of Description strings that contain "fixed in", just to help explore what kind of data we might be able to harvest:

cat nvdv2-nvdv2:cves-109.json | jq 'map(.cve.description.description_data[0].value | select(test("fixed in"; "i")))' -C | less

Looking at this output, you'll notice that some phrases seem very helpful:

In TensorFlow before 1.15, ...

... fixed internally in TensorFlow 1.15 and 2.0.

This issue is fixed in Waitress 1.4.0.

While other phrases seem more difficult for extracting "fixed in" data:

... vulnerability in the Windows Service in TeamViewer versions up to 11.0.133222 (fixed in 11.0.
214397), 12.0.181268 (fixed in 12.0.214399), 13.2.36215 (fixed in 13.2.36216), and 14.6.4835 (fixed in 14.7.1965) o
n Windows could allow an attacker to ...

There are also instances of the phrase "fixed in" being used to describe related software, but not the matched artifact itself (e.g. a VS Code extension that uses a binary that's vulnerable). We'd want to be careful not to include these kinds of instances, which may be hard to do.

[spiffcs]

@hotpheex looks like this issue has been addressed and I'll be closing it for now - if you have other questions feel free to respond here and I'll reopen or answer.

Thanks!

[ghost]

Could this issue be reopened please? It's related to #1178 (old, fixed, vulnerabilities are passing).

When comparing trivy to grype we noticed that trivy is able to report 'fixed in' versions for java archive CVEs, while grype only reported the fixed in versions for the GHSA- vulnerabilities.

Grype

NAME                      INSTALLED            FIXED-IN                   TYPE          VULNERABILITY        SEVERITY          
jackson-databind          2.8.8                                           java-archive  CVE-2020-8840        Critical    
jackson-databind          2.8.8                                           java-archive  CVE-2020-9546        Critical    
jackson-databind          2.8.8                                           java-archive  CVE-2020-9547        Critical    
jackson-databind          2.8.8                                           java-archive  CVE-2020-9548        Critical    
jackson-databind          2.8.8                                           java-archive  CVE-2022-42003       High        
jackson-databind          2.8.8                                           java-archive  CVE-2022-42004       High        
jackson-databind          2.8.8                2.12.6.1                   java-archive  GHSA-57j2-w4cx-62h2  High        
jackson-databind          2.8.8                2.12.7.1                   java-archive  GHSA-jjjh-jjxp-wpff  High        
jackson-databind          2.8.8                2.12.7.1                   java-archive  GHSA-rgv9-q543-rqg4  High        
jackson-databind          2.8.8                2.8.11                     java-archive  GHSA-h592-38cm-4ggp  Critical    
jackson-databind          2.8.8                2.8.11                     java-archive  GHSA-rfx6-vp9g-rh7v  Critical
[...]
jackson-databind          2.8.8                2.9.10.4                   java-archive  GHSA-q93h-jc49-78gg  Critical

Trivy:

|                     LIBRARY                      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION          |                                      TITLE 
                                                  | CVE-2020-9547    |          |                   | 2.9.10.4                       | jackson-databind: Serialization                                                 |
|                                                  |                  |          |                   |                                | gadgets in ibatis-sqlmap                                                        |
|                                                  |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9547                                            |
+                                                  +------------------+          +                   +                                +---------------------------------------------------------------------------------+
|                                                  | CVE-2020-9548    |          |                   |                                | jackson-databind: Serialization                                                 |
|                                                  |                  |          |                   |                                | gadgets in anteros-core                                                         |
|                                                  |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9548  

Test image:
docker.io/s3curitybug/jackson-databind-cves

As it turns out CVE-2020-9547 is also tracked under GHSA-q93h-jc49-78gg, so the same vulnerability is included twice in the output of grype (once with a fixed version, and once without).

I think in this case it would be better to report these vulnerabilities once (like trivy does) with the fixed version filled.

EDIT: using the --by-cve flag doesn't filter out the duplicates (and also takes 10x as long, from 15s to 2m38s). Both CVE-2020-9547 and GHSA-q93h-jc49-78gg are still in the output and only the GHSA-q93h-jc49-78gg one has a fixed version.

./grype version
Application:          grype
Version:              0.59.1
Syft Version:         v0.74.1
BuildDate:            2023-03-09T14:57:12Z
GitCommit:            29b646568901d1ef48a528cf35f67f3cead49c9f
GitDescription:       v0.59.1
Platform:             linux/amd64
GoVersion:            go1.19.6
Compiler:             gc
Supported DB Schema:  5

[luhring]

I think this issue is worth re-opening for discussion!

@jneate's comment is correct: if you look at NVD's raw data, contrary to what I said a few years back, there is machine-readable version range data in the CPE configurations worth re-examining.

IIRC, back in the day we were squeamish about using the word "fixed" with NVD data, since the literal word "fixed" didn't appear in the data fields.

On top of this, some version ranges were inconclusive! For example, we saw affected ranges like >= v1.0.0 and <= v1.9. What on earth is this saying? Less than v1.9 is affected, but also v1.9 is affected? Where does it end??

However, NVD also has more definitive version ranges, such as < 2.1.1 — i.e. a definitive point in the version history at which the software is no longer vulnerable. In all cases I've examined, this is the fixed version, and this can be confirmed by any data available (such as in related GHSAs).

So my current thinking is that the case for not using these exclusive range ends as the fixed version is tenuous.

[spiffcs]

Reopening this now - we have a good foundation for a way forward to possibly get more information into the database via vunnel in schema v6. I'll follow up with a more detailed comment outlining this approach in the future - thanks for the heads up on reopening this!

[willmurphyscode]

I think inferring fixed-in information from NVD data is still problematic, not because we're squeamish about the lack of the word "fix", but because the data doesn't seem to use versionEndExcluding consistently to mean, "fixed in this version." (Example also used at anchore/grype-db#112 (comment).) For example, at https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-21930, we can see:

                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*",
                    "versionEndExcluding": "8",
                    "matchCriteriaId": "111E81BB-7D96-44EB-ACFA-415C3F3EA62A"
                  },
... snip ...
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:oracle:openjdk:8:-:*:*:*:*:*:*",
                    "matchCriteriaId": "70892D06-6E75-4425-BBF0-4B684EC62A1C"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:oracle:openjdk:8:milestone1:*:*:*:*:*:*",
                    "matchCriteriaId": "7A165D71-71CC-4E6A-AA4F-FF8DB5B9A5AB"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:oracle:openjdk:8:milestone2:*:*:*:*:*:*",
                    "matchCriteriaId": "7417B2BB-9AC2-4AF4-A828-C89A0735AD92"
                  },

This has a CPE match with versionEndExcluding of 8, but then later on version 8 itself, and version 8 milestone 1 (and a ton more version 8 variants) are marked as vulnerable. So I think treating "versionEndExcluding: 8" to mean "fixed in version 8" will lead to false negatives because of data like this.

Maybe it's possible to do clever parsing here, but we see a lot of inconsistency in how NVD represents things, so I don't think we'd be able to consistently make correct inferences.

That said, now that Grype uses GHSA by default for ecosystems GHSA supports, maybe this issue is less important?

[luhring]

This CPE data says that version 8 is vulnerable, so I wouldn't think we'd want logic that suggests that version 8 is a fixed version here, regardless.

You're definitely right that there's a range of how definitive CPE data is. My suggestion would be to focus on the more definitive cases (i.e. not this one), so that we can have an incremental improvement for users, even if we won't solve the problem for every CVE.

I think treating "versionEndExcluding: 8" to mean "fixed in version 8" will lead to false negatives because of data like this.

I could missing something, but I don't think anyone is asking for changes in matching behavior here — I think this is just about the data being surfaced in existing NVD-based matches. So since matching behavior wouldn't be altered, there wouldn't be a risk of new false negatives. For example, if there were a single CPE version range of "< 8", then version 8 in an installed package shouldn't be matched to this CVE regardless of what "fix" information is being inferred.