
False Positive for pkg:gem/http@5.1.0 CVE-2022-29631 #921

Closed
ben-elttam opened this issue Sep 13, 2022 · 5 comments
Labels: bug, changelog-ignore, ecosystem:ruby, false-positive:cpe, false-positive


ben-elttam commented Sep 13, 2022

What happened:

False positive for CVE-2022-29631 (oblac/jodd-http#9), which is Java, not Ruby, and concerns jodd-http rather than http.

What you expected to happen:
No vulnerability reported

How to reproduce it (as minimally and precisely as possible):

Gemfile.lock with http (5.1.0)

Gemfile.lock:

GEM
  remote: https://rubygems.org/
  specs:
    addressable (2.8.4)
      public_suffix (>= 2.0.2, < 6.0)
    domain_name (0.5.20190701)
      unf (>= 0.0.5, < 1.0.0)
    ffi (1.15.5)
    ffi-compiler (1.0.1)
      ffi (>= 1.0.0)
      rake
    http (5.1.0)
      addressable (~> 2.8)
      http-cookie (~> 1.0)
      http-form_data (~> 2.2)
      llhttp-ffi (~> 0.4.0)
    http-cookie (1.0.5)
      domain_name (~> 0.5)
    http-form_data (2.3.0)
    llhttp-ffi (0.4.0)
      ffi-compiler (~> 1.0)
      rake (~> 13.0)
    public_suffix (5.0.1)
    rake (13.0.6)
    unf (0.1.4)
      unf_ext
    unf_ext (0.0.8.2)

PLATFORMS
  x86_64-linux

DEPENDENCIES
  http (= 5.1.0)

BUNDLED WITH
   2.4.10

Produce the SBOM with syft: syft . -o json=sbom.json

Minimised Syft sbom.json:

{
  "artifacts": [
    {
      "id": "ae4c21b898bad8f6",
      "name": "http",
      "version": "5.1.0",
      "type": "gem",
      "foundBy": "ruby-gemfile-cataloger",
      "locations": [
        {
          "path": "Gemfile.lock"
        }
      ],
      "licenses": [],
      "language": "ruby",
      "cpes": [
        "cpe:2.3:a:ruby-lang:http:5.1.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:ruby_lang:http:5.1.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:http:http:5.1.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:ruby:http:5.1.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:*:http:5.1.0:*:*:*:*:*:*:*"
      ],
      "purl": "pkg:gem/http@5.1.0"
    }
  ],
  "source": {
    "id": "cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8",
    "type": "directory",
    "target": "."
  },
  "schema": {
    "version": "7.0.1",
    "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-7.0.1.json"
  }
}

Reproduce grype reporting CVE-2022-29631 false positive:

docker run --rm -v "$(pwd):/src" anchore/grype:v0.62.3 /src/sbom.json
NAME  INSTALLED  FIXED-IN  TYPE  VULNERABILITY   SEVERITY
http  5.1.0                gem   CVE-2022-29631  High

Anything else we need to know?:

Environment:

  • Output of grype version:
Application:          grype
Version:              0.49.0
Syft Version:         [not provided]
BuildDate:            [not provided]
GitCommit:            [not provided]
GitDescription:       [not provided]
Platform:             linux/amd64
GoVersion:            go1.19.1
Compiler:             gc
Supported DB Schema:  4

I have reproduced this on v0.49.0 (latest when first reported) and v0.62.3 (latest as of now, 2023-06-14).

  • OS (e.g: cat /etc/os-release or similar):
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.16.0
PRETTY_NAME="Alpine Linux v3.16"
HOME_URL="https://alpinelinux.org/"
@ben-elttam ben-elttam added the bug Something isn't working label Sep 13, 2022
@spiffcs spiffcs added this to OSS Sep 13, 2022
@spiffcs spiffcs moved this to False Positives in OSS Sep 13, 2022
@wagoodman wagoodman removed the status in OSS Apr 6, 2023
willmurphyscode (Contributor) commented:

Hi @ben-elttam, thanks for reporting this! I'm trying to reproduce it, but I haven't been able to.

Here's what I've tried:

mkdir http-gem && cd http-gem && \
echo "source 'https://rubygems.org'" > Gemfile  && \
echo "gem 'http', '5.1.0'" >> Gemfile && \
bundle install && grype dir:.

which prints No vulnerabilities found.

But we can see that syft is finding some packages, since syft dir:. in that directory prints:

NAME            VERSION       TYPE 
addressable     2.8.4         gem   
domain_name     0.5.20190701  gem   
ffi             1.15.5        gem   
ffi-compiler    1.0.1         gem   
http            5.1.0         gem   
http-cookie     1.0.5         gem   
http-form_data  2.3.0         gem   
llhttp-ffi      0.4.0         gem   
public_suffix   5.0.1         gem   
rake            13.0.6        gem   
unf             0.1.4         gem   
unf_ext         0.0.8.2       gem   

If you believe this is still an issue, could you please provide a link to a public artifact that exhibits this false positive? For example, a public container image or git repository, or a Dockerfile or script that will produce an artifact that exhibits this false positive? Thanks!

@willmurphyscode willmurphyscode self-assigned this Jun 7, 2023
@willmurphyscode willmurphyscode moved this to Awaiting Response in OSS Jun 7, 2023

ben-elttam commented Jun 14, 2023

@willmurphyscode thanks for looking into this. I've updated the OP to include more details on how to reproduce this, including the full contents of the Gemfile.lock and a minimised Syft SBOM (JSON). I've reproduced it from the SBOM with grype in Docker, trying both the original version and the latest version.

I'll hazard a guess that the problem is related to using the CPE "cpe:2.3:a:*:http:5.1.0:*:*:*:*:*:*:*" for matching, rather than the purl.

ben-elttam (Author) commented:

I removed the cpes field from the sbom.json in the OP to test my hunch with: jq '.artifacts |= map(del(.cpes))' sbom.json > sbom2.json

sbom2.json:

{
  "artifacts": [
    {
      "id": "ae4c21b898bad8f6",
      "name": "http",
      "version": "5.1.0",
      "type": "gem",
      "foundBy": "ruby-gemfile-cataloger",
      "locations": [
        {
          "path": "Gemfile.lock"
        }
      ],
      "licenses": [],
      "language": "ruby",
      "purl": "pkg:gem/http@5.1.0"
    }
  ],
  "source": {
    "id": "cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8",
    "type": "directory",
    "target": "."
  },
  "schema": {
    "version": "7.0.1",
    "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-7.0.1.json"
  }
}

Running without the cpes field:

docker run --rm -v "$(pwd):/src" anchore/grype:v0.62.3 /src/sbom2.json
[0000]  WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
No vulnerabilities found

Running without the cpes field, with the --add-cpes-if-none option:

docker run --rm -v "$(pwd):/src" anchore/grype:v0.62.3 --add-cpes-if-none  /src/sbom2.json
No vulnerabilities found

Running with the CPEs except the wildcard "cpe:2.3:a:*:http:5.1.0:*:*:*:*:*:*:*":

sbom3.json:

{
  "artifacts": [
    {
      "id": "ae4c21b898bad8f6",
      "name": "http",
      "version": "5.1.0",
      "type": "gem",
      "foundBy": "ruby-gemfile-cataloger",
      "locations": [
        {
          "path": "Gemfile.lock"
        }
      ],
      "licenses": [],
      "language": "ruby",
      "cpes": [
        "cpe:2.3:a:ruby-lang:http:5.1.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:ruby_lang:http:5.1.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:http:http:5.1.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:ruby:http:5.1.0:*:*:*:*:*:*:*"
      ],
      "purl": "pkg:gem/http@5.1.0"
    }
  ],
  "source": {
    "id": "cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8",
    "type": "directory",
    "target": "."
  },
  "schema": {
    "version": "7.0.1",
    "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-7.0.1.json"
  }
}
docker run --rm -v "$(pwd):/src" anchore/grype:v0.62.3  /src/sbom3.json
No vulnerabilities found

So this indicates that the cause of the problem is the wildcard CPE "cpe:2.3:a:*:http:5.1.0:*:*:*:*:*:*:*".
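The comment above isolates the fault by deleting CPEs from the SBOM with jq. The following script, which is an added example and not code from this issue, syft or grype, does the same audit programmatically: it parses each CPE 2.3 string, keeps every CPE and the purl, and strips only entries whose vendor component is the ANY wildcard `*`, reporting what it dropped. The function names are the author's own; the embedded SAMPLE_SBOM is the minimised SBOM from the report (purl written out as pkg:gem/http@5.1.0), included so the script runs offline. A pre-scan step like this lets a pipeline reject or sanitise overly broad CPEs before the SBOM is handed to a matcher, rather than triaging cross-ecosystem findings afterwards.

```python
"""Audit a Syft JSON SBOM for wildcard-vendor CPEs and strip them.

Added example for this issue, not code from syft or grype. It mirrors the
thread's jq experiments: leave the package's other CPEs and its purl intact,
drop only CPEs whose vendor component is the ANY wildcard '*', since that is
the entry that let a Ruby gem named "http" match a Java CVE.
"""
import copy
import json
import re

# Component names of a CPE 2.3 formatted string, in order.
CPE23_FIELDS = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)

# Split on ':' unless it is escaped as '\:' inside a component value.
_COLON = re.compile(r"(?<!\\):")

# The minimised SBOM from the report above, embedded so the example runs offline.
SAMPLE_SBOM = """
{
  "artifacts": [
    {
      "id": "ae4c21b898bad8f6",
      "name": "http",
      "version": "5.1.0",
      "type": "gem",
      "foundBy": "ruby-gemfile-cataloger",
      "locations": [{"path": "Gemfile.lock"}],
      "licenses": [],
      "language": "ruby",
      "cpes": [
        "cpe:2.3:a:ruby-lang:http:5.1.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:ruby_lang:http:5.1.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:http:http:5.1.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:ruby:http:5.1.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:*:http:5.1.0:*:*:*:*:*:*:*"
      ],
      "purl": "pkg:gem/http@5.1.0"
    }
  ],
  "source": {"type": "directory", "target": "."},
  "schema": {"version": "7.0.1"}
}
"""


def parse_cpe23(cpe: str) -> dict:
    """Return the eleven named components of a CPE 2.3 formatted string."""
    parts = _COLON.split(cpe)
    if len(parts) != 2 + len(CPE23_FIELDS) or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE23_FIELDS, parts[2:]))


def is_wildcard_vendor(cpe: str) -> bool:
    """True when the vendor component is the ANY wildcard, i.e. the CPE
    matches every vendor's product of that name regardless of ecosystem."""
    return parse_cpe23(cpe)["vendor"] == "*"


def load_sbom(text: str) -> dict:
    """Parse a Syft JSON SBOM document."""
    return json.loads(text)


def strip_wildcard_vendor_cpes(sbom: dict):
    """Return (cleaned_sbom, removed) where removed lists (package name, cpe)
    pairs that were dropped. The input document is not modified."""
    cleaned = copy.deepcopy(sbom)
    removed = []
    for artifact in cleaned.get("artifacts", []):
        if "cpes" not in artifact:
            continue
        kept = []
        for cpe in artifact["cpes"]:
            if is_wildcard_vendor(cpe):
                removed.append((artifact.get("name", "?"), cpe))
            else:
                kept.append(cpe)
        artifact["cpes"] = kept
    return cleaned, removed


if __name__ == "__main__":
    cleaned, removed = strip_wildcard_vendor_cpes(load_sbom(SAMPLE_SBOM))
    for name, cpe in removed:
        print(f"dropped wildcard-vendor CPE from {name}: {cpe}")
    print(json.dumps(cleaned, indent=2))
```

Run it as is to see the one wildcard entry reported and the four vendor-scoped CPEs retained; to audit a real file, replace SAMPLE_SBOM with the contents of sbom.json. The purl is left untouched because, unlike a CPE, it carries the ecosystem (pkg:gem/...) and cannot match a Maven artifact.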

@willmurphyscode willmurphyscode added ecosystem:ruby relating to the ruby ecosystem false-positive:cpe This issue is a report of a false positive cause by CPE matching labels Jun 14, 2023
@willmurphyscode willmurphyscode moved this from Awaiting Response to Backlog in OSS Jun 16, 2023

willmurphyscode commented Jun 26, 2023

Hi @ben-elttam, do you know what version of Syft generated the SBOM with cpe:2.3:a:*:http:5.1.0:*:*:*:*:*:*:* in it?

I've tried re-generating the SBOM, and I can't get it to re-generate.

Here's what I tried:

  1. Make a Gemfile.lock as in the original post
  2. Run syft packages -o json dir:.

This doesn't produce any output:

# no output when grepping for exact CPE
❯ syft packages dir:. -o json | grep -F 'cpe:2.3:a:*:http:5.1.0:*:*:*:*:*:*:*'
 ✔ Indexed .
 ✔ Cataloged packages      [12 packages]

# successfully grepping for a different CPE:
❯ syft packages dir:. -o json | grep -F 'cpe:2.3:a:http:http:5.1.0:*:*:*:*:*:*:*'
 ✔ Indexed .
 ✔ Cataloged packages      [12 packages]
    "cpe:2.3:a:http:http:5.1.0:*:*:*:*:*:*:*",

Are you able to get syft or grype to generate the overly broad cpe:2.3:a:*:http:5.1.0:*:*:*:*:*:*:* CPE today? I haven't been able to.

Edit: I believe this was fixed by anchore/syft#1647. Please feel free to comment if you believe there's still something here we should investigate.

@willmurphyscode willmurphyscode moved this from Backlog to Awaiting Response in OSS Jun 26, 2023
@willmurphyscode willmurphyscode added the changelog-ignore Don't include this issue in the release changelog label Jun 26, 2023
@github-project-automation github-project-automation bot moved this from Awaiting Response to Done in OSS Jun 26, 2023
ben-elttam (Author) commented:

The SBOM with cpe:2.3:a:*:http:5.1.0:*:*:*:*:*:*:* was produced by Syft 0.74.0. I see that anchore/syft#1647 was fixed in 0.74.1.

Thanks for investigating. With Syft no longer producing SBOMs with wildcard CPEs, grype will no longer match vulnerabilities from other ecosystems.
