grype icon indicating copy to clipboard operation
grype copied to clipboard
verified publisher icon anchore

Grype is catching a false positive on spring-boot-starter-web because it cannot detect inherited version from parent

Open cezapata opened this issue 3 years ago • 7 comments

What happened: After using the Spring Initializer tool to create a new Spring Boot App (version 2.7.5) with the Spring Web dependency, building, and running Grype to scan for vulnerabilities, we get a vulnerability detected on the following package:

spring-boot-starter-web: GHSA-36p3-wjmg-h94x

image

What you expected to happen:

When installing the dependencies, the spring-boot-starter-web package installs a version that is consistent with its parent artifact (spring-boot-starter-parent) which maps to version 2.7.5

I was expecting grype to detect the version, and note that the vulnerability it indicates does not apply since it was fixed as a prior version (2.5.12). However, the engine does not pick it up, and displays an empty version in use for the package:

image

How to reproduce it (as minimally and precisely as possible): I have set up a repo with a dev container configured to run the repro with instructions here:

https://github.com/cezapata/appconfiguration-sample

You can run the codespace, install the maven dependencies on the app, and then run grype. Among the vulnerabilities detected, we will display GHSA-36p3-wjmg-h94x.

Anything else we need to know?:

Hard-coding the version on the dependencies fixes the problem, but we would like all the dependencies to be controlled by the parent.

Environment:

  • Output of grype version: Application: grype Version: 0.53.0 Syft Version: v0.62.0 BuildDate: 2022-11-18T20:36:40Z GitCommit: a4a62aab4bbd8aacdd639a59b9ceb1684398c6b6 GitDescription: v0.53.0 Platform: linux/amd64 GoVersion: go1.18.7 Compiler: gc Supported DB Schema: 5

  • OS (e.g: cat /etc/os-release or similar): PRETTY_NAME="Debian GNU/Linux 11 (bullseye)" NAME="Debian GNU/Linux" VERSION_ID="11" VERSION="11 (bullseye)" VERSION_CODENAME=bullseye ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/"

cezapata avatar Nov 22 '22 19:11 cezapata

Just to add some more context here: Syft is currently a static analysis tool and does not currently look up anything from the internet, so scanning a pom.xml with a parent pom won't have the fidelity it could. We are investigating a number of solutions for this, all of which take Syft outside the realm of strictly a static analysis tool: invoking mvn, looking things up directly against a maven repo. This is definitely an important thing for us to solve 👍

kzantow avatar Nov 22 '22 20:11 kzantow

Any news on that? Grype not beeing able to detect inherited versions from a parent seems to be a bigger issue.

Restage avatar Oct 25 '23 07:10 Restage

Hi @Restage - no particular update here, but https://github.com/anchore/syft/issues/1562 is a discussion of how to enable Syft to capture more information about this type of dependency relationship so that it can be exposed to Grype.

willmurphyscode avatar Oct 26 '23 13:10 willmurphyscode

i'm using lastest spring-boot-starter-parent 3.2.0 with graalvm21 when scanning the image i have the following; NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
spring-boot-starter-web 2.5.12 java-archive GHSA-36p3-wjmg-h94x Critical

i have no forced reference to a version of spring-boot-starter-web. When doing a simple build i only have spring 6.1.1 and springboot 3.2.0 references.... Is it a problem with grype/sbom ? Or i'm missing something ?

Thanks in advance

Wouimbly avatar Dec 08 '23 15:12 Wouimbly

Thanks @cezapata for the excellent repro steps and example repository.

I want to try to state the issue as simply as possible so we can try to start working on it.

To reproduce:

git clone [email protected]:cezapata/appconfiguration-sample.git
grype -q appconfiguration-sample | grep GHSA-36p3-wjmg-h94x

Grype still finds the vulnerability.

Looking at the syft output:

syft -q appconfiguration-sample
NAME                                        VERSION  TYPE
azure-spring-cloud-appconfiguration-config  2.9.0    java-archive
maven-wrapper                               3.1.0    java-archive
spring-boot-starter-test                             java-archive
spring-boot-starter-web                              java-archive

Syft doesn't know the version of spring-boot-starter-web because it's not explicitly in the pom.xml.

However, the <relativePath/> directive in the parent node of the pom.xml is enough that syft should know to go ask Maven Central what version of spring-boot-starter-web should be installed for version 2.7.5 of spring-boot-starter-parent. Do I have that right?

willmurphyscode avatar Dec 11 '23 11:12 willmurphyscode

Note to developers: this would need to be implemented in Syft, a couple related issues are:

  • https://github.com/anchore/syft/issues/1129
  • https://github.com/anchore/syft/issues/2017

kzantow avatar Jan 18 '24 21:01 kzantow