Unable to parse apk constraint phrase: failed to create comparator for '&{>= 1.0.2zk}'
What happened: Scans started to fail, with the following error message: "error creating a constraint: version: 1.1.1y error: unable to parse apk constraint phrase: failed to create comparator for '&{>= 1.0.2zk}': unable to parse constraint version (1.0.2zk): invalid version"
What you expected to happen: Scan should pass
Anything else we need to know?: It looks like it is the same bug you had before: https://github.com/anchore/grype/issues/2048
Environment:
- Output of grype version: 0.80.1
- OS (e.g: cat /etc/os-release or similar): Linux
This exception happens on any package that contains the following CVE: "CVE-2024-5535".
Hi @bergernir thanks for the report!
I'm trying to investigate, and I haven't been able to trigger this error behavior. It looks like you're scanning a particular Alpine image with libssl or openssl installed? Can you share any more details that might help us reproduce the issue? For example, a link to a public image that exhibits the issue, or a snippet of Dockerfile that can be used to build an image that triggers the issue would be a big help. What version of Alpine? What version of OpenSSL? Even an alpine version and the apk add command that triggers this issue would probably be enough.
Also, I have a few questions that will help me understand and fix the bug:
- Does the issue happen on the latest version of grype (0.82.0 as of this writing)?
- Does the issue still happen with today's vulnerability database (that is, after grype db update)?
- Are you running grype directly on an image?
- What version of alpine and openssl are present in the image?
You mentioned that this is the same issue as #2048, but the Dockerfile snippet from that image scans fine for me.
I'll keep investigating regardless, but a few more details would be a big help. Thanks!
Hi @willmurphyscode, thanks for your assistance. Yesterday, we updated the Grype version from 0.80.2 to 0.82.1 and this error message has stopped.
Thanks for letting us know!
Hello,
I'm facing the same issue with grype 0.83.0
[0222] ERROR failed to inflate vulnerability record (by language): failed to parse constraint='>=1.7.0,<1.9.0ubuntu1.2' format='Python': unable to parse pep440 constrain phrase failed to create comparator for '&{< 1.9.0ubuntu1.2}': unable to parse
Hi @de4Ru - the issue you're facing is with Python packages, not APKs, so I made it its own issue, #2229, but the error messages do look very similar. Thanks for the report! Please follow #2229 for updates.
@willmurphyscode I think this is a good subject to discuss in the OSS weekly chat: how to monitor that bad values are not getting into the DB and causing failures. Maybe it is worth running a script which will check the versions against the constraints.
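The two failure shapes in this thread (an apk constraint with an OpenSSL letter suffix such as 1.0.2zk, and a pep440 constraint with a distro suffix such as 1.9.0ubuntu1.2) and the pre-flight check suggested in the last comment are illustrated below. This is an added example, not grype's code and not how grype or its DB builder parse versions: it is a deliberately lenient version tokenizer, a constraint parser that reports the offending comparator instead of aborting the whole scan, and a batch validator that tries to build every comparator in a set of records before they are shipped. The ordering rules (letter runs compare lexicographically, a letter run sorts before a number in the same position, a shorter version sorts before a longer one with the same prefix) and the sample records are assumptions made for the example.

```python
"""Lenient version parser plus a pre-flight check for constraint strings.

Added example, not grype's implementation. It accepts suffixed versions such
as 1.0.2zk or 1.9.0ubuntu1.2 and scans a batch of constraint records for
phrases that fail to parse, so a bad value surfaces at DB build time rather
than as a failed scan. All ordering rules below are assumptions.
"""
import re
from typing import List, Tuple, Union

Component = Union[int, str]
Version = Tuple[Component, ...]

_TOKEN = re.compile(r"\d+|[A-Za-z]+")
_UNIT = re.compile(r"^(>=|<=|==|!=|>|<|=)?\s*(.+)$")


def parse_version(text: str) -> Version:
    """Split '1.9.0ubuntu1.2' into (1, 9, 0, 'ubuntu', 1, 2).

    Separators ('.', '-', '_', '+') are dropped; digit runs become ints and
    letter runs stay as lowercase strings. Any other character is rejected,
    so a garbled phrase like '&{>= 1.0.2zk}' never parses as a version.
    """
    text = text.strip()
    if not text or re.search(r"[^0-9A-Za-z.\-_+]", text):
        raise ValueError(f"invalid version: {text!r}")
    parts = tuple(int(t) if t.isdigit() else t.lower() for t in _TOKEN.findall(text))
    if not parts or not isinstance(parts[0], int):
        raise ValueError(f"version must start with a number: {text!r}")
    return parts


def compare(a: Version, b: Version) -> int:
    """Component-wise compare returning -1, 0 or 1 (assumed rules).

    ints compare numerically; letter runs compare lexicographically, which
    gives OpenSSL's y < z < za < zk; a letter run sorts before a number in the
    same position; a missing trailing component sorts first (1.0.2 < 1.0.2a).
    """
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, str) and isinstance(y, str):
            return -1 if x < y else 1
        return -1 if isinstance(x, str) else 1  # letters before numbers
    return (len(a) > len(b)) - (len(a) < len(b))


def parse_constraint(phrase: str) -> List[Tuple[str, Version]]:
    """Parse '>=1.7.0,<1.9.0ubuntu1.2' into [('>=', ...), ('<', ...)].

    A bad unit raises ValueError naming that unit, mirroring the shape of the
    messages quoted in the thread, so callers can report one record and go on.
    """
    units = []
    for raw in phrase.split(","):
        unit = raw.strip()
        m = _UNIT.match(unit)
        if not m:
            raise ValueError(f"failed to create comparator for {unit!r}")
        op = m.group(1) or "="
        try:
            ver = parse_version(m.group(2))
        except ValueError as exc:
            raise ValueError(f"failed to create comparator for {unit!r}: {exc}") from exc
        units.append(("=" if op == "==" else op, ver))
    return units


_CMP_OK = {
    ">=": lambda c: c >= 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
    "<": lambda c: c < 0, "=": lambda c: c == 0, "!=": lambda c: c != 0,
}


def satisfies(version: str, phrase: str) -> bool:
    """True when `version` falls inside the range described by `phrase`."""
    v = parse_version(version)
    return all(_CMP_OK[op](compare(v, bound)) for op, bound in parse_constraint(phrase))


def validate_records(records) -> List[Tuple[str, str, str]]:
    """Pre-flight check: try to build every comparator in a batch of records
    and return (id, package, error) for each one that fails."""
    failures = []
    for rec in records:
        try:
            parse_constraint(rec["constraint"])
        except ValueError as exc:
            failures.append((rec["id"], rec["package"], str(exc)))
    return failures


# Constructed sample records (not real DB rows). The first two constraint
# phrases are the ones quoted in the thread; the third is the garbled form
# that appeared inside the error message.
SAMPLE_RECORDS = [
    {"id": "EXAMPLE-0001", "package": "openssl", "format": "apk",
     "constraint": ">= 1.0.2zk"},
    {"id": "EXAMPLE-0002", "package": "examplepkg", "format": "python",
     "constraint": ">=1.7.0,<1.9.0ubuntu1.2"},
    {"id": "EXAMPLE-0003", "package": "examplepkg", "format": "apk",
     "constraint": "&{>= 1.0.2zk}"},
]

if __name__ == "__main__":
    print("1.1.1y matches '>= 1.0.2zk':", satisfies("1.1.1y", ">= 1.0.2zk"))
    for failure in validate_records(SAMPLE_RECORDS):
        print("bad constraint:", failure)
```

Run against a real DB dump this would be a cheap CI gate: every record whose constraint cannot be turned into comparators is listed with its id, and nothing is shipped until the list is empty.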