
False Positive Grype CVE Reporting on Backstage Jenkins plugin

Open kenlavbah opened this issue 4 years ago • 6 comments

What happened: Grype reported a false positive based on scanning a SBOM created from Syft. This SBOM was generated in standard JSON format, not CycloneDX. The false positive was generated based on using the Backstage Jenkins plugin found here

The below CVE vulnerabilities link up to Jenkins issues, not to the Backstage plugin or the NPM package

jenkins 0.28.1 CVE-2016-9299 Critical
jenkins 0.28.1 CVE-2017-1000353 Critical

What you expected to happen: No Jenkins server CVE returned

How to reproduce it (as minimally and precisely as possible): Run a scan on an image that has the backstage plugin enabled

Anything else we need to know?: Syft Version is below

Version:       0.27.0
BuildDate:     2021-10-21T19:11:36Z
GitCommit:     89242e6ed32528132ac79635a856b7a04a77014f
GitTreeState:  clean
Platform:      darwin/amd64
GoVersion:     go1.16.9
Compiler:      gc

Environment:

  • Output of grype version:
Version:              0.16.0
BuildDate:            2021-08-18T15:41:58Z
GitCommit:            01a77d5c451455e6125f26178db6fe2da2b7675d
GitTreeState:         clean
Platform:             darwin/amd64
GoVersion:            go1.16.7
Compiler:             gc
Supported DB Schema:  3
  • OS (e.g: cat /etc/os-release or similar):

kenlavbah, Nov 03 '21 14:11

https://github.com/anchore/grype/issues/496 appears to be experiencing the same

kenlavbah, Nov 10 '21 18:11

Thanks for the report, @kenlavbah! Do you have an image URL or Dockerfile handy we can use to reproduce this?

Also, this might not resolve the issue, but there have been several Grype releases and a few Syft releases since the versions reported in the description — it'd be worth updating, just at a minimum.

luhring, Nov 10 '21 19:11

@luhring - thank you for the quick reply!

I'll update first, and see if it flags the same CVE. If not, I'll paste a docker file here for repro.

kenlavbah, Nov 10 '21 19:11

@luhring - Dockerfile and files located here https://github.com/ConnorDY/npm-jenkins-cve-false-positive-reproduction

kenlavbah, Nov 12 '21 14:11

Tested with the following versions, and repro'd

Application:   syft
Version:       0.29.0
BuildDate:     2021-10-31T15:22:19Z
GitCommit:     a2882ee810edcbf4db3230e982c316b261eb17cd
GitTreeState:  clean
Platform:      darwin/amd64
GoVersion:     go1.16.9
Compiler:      gc
Application:          grype
Version:              0.24.1
Syft Version:         v0.29.0
BuildDate:            2021-11-05T16:53:26Z
GitCommit:            00aa7d452348cdd1a94b25a78d0d04c6ff3fff6d
GitTreeState:         clean
Platform:             darwin/amd64
GoVersion:            go1.16.9
Compiler:             gc
Supported DB Schema:  3

kenlavbah, Nov 12 '21 14:11

@kenlavbah Thanks! I was able to reproduce this. And I think you're right about the link to #496.

Thanks again for the report!

luhring, Nov 24 '21 18:11

Hi @kenlavbah! Thanks for reporting this issue. I'm no longer able to reproduce this:

mkdir jenkins && cd jenkins && npm init -y && npm i @backstage/plugin-jenkins && grype dir:.

finds no vulnerabilities right now.

I believe this was fixed in https://github.com/anchore/grype/releases/tag/v0.60.0, which turned off matching by CPE on NPM packages by default. Please let us know if you're still experiencing this issue.

willmurphyscode, Jun 06 '23 15:06
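As an added example (not code from this thread or from the Grype project): a small Python triage script that reads a Grype JSON report and lists npm packages whose findings rest only on CPE matching, the match type the maintainer above identifies as the source of this false positive. It assumes the `matches[].matchDetails[].type` and `matches[].artifact.type` field names of Grype's JSON output; the embedded report is constructed, not a real scan.

```python
import json

# Constructed sample of a Grype JSON report (not a real scan). The first two
# matches mirror this issue: the npm package "jenkins" 0.28.1 was matched to
# Jenkins CI server CVEs purely through a generated CPE. The third match is a
# direct (non-CPE) match with a placeholder id and should not be flagged.
SAMPLE_REPORT = """
{
  "matches": [
    {
      "vulnerability": {"id": "CVE-2016-9299", "severity": "Critical"},
      "matchDetails": [{"type": "cpe-match", "matcher": "javascript-matcher"}],
      "artifact": {"name": "jenkins", "version": "0.28.1", "type": "npm"}
    },
    {
      "vulnerability": {"id": "CVE-2017-1000353", "severity": "Critical"},
      "matchDetails": [{"type": "cpe-match", "matcher": "javascript-matcher"}],
      "artifact": {"name": "jenkins", "version": "0.28.1", "type": "npm"}
    },
    {
      "vulnerability": {"id": "CVE-0000-0001", "severity": "High"},
      "matchDetails": [{"type": "exact-direct-match", "matcher": "javascript-matcher"}],
      "artifact": {"name": "example-lib", "version": "1.2.3", "type": "npm"}
    }
  ]
}
"""


def cpe_only_matches(report: dict, ecosystem: str = "npm") -> list[dict]:
    """Return matches on packages of `ecosystem` whose every match detail is a
    CPE match, i.e. nothing tied the finding to the package's real identity."""
    suspects = []
    for match in report.get("matches", []):
        artifact = match.get("artifact", {})
        if artifact.get("type") != ecosystem:
            continue
        details = match.get("matchDetails", [])
        if details and all(d.get("type") == "cpe-match" for d in details):
            suspects.append({
                "package": artifact.get("name"),
                "version": artifact.get("version"),
                "vulnerability": match["vulnerability"]["id"],
                "severity": match["vulnerability"].get("severity"),
            })
    return suspects


def triage(report_text: str) -> list[dict]:
    """Parse a Grype JSON report (as text) and return its CPE-only npm matches."""
    return cpe_only_matches(json.loads(report_text))


if __name__ == "__main__":
    for s in triage(SAMPLE_REPORT):
        print(f"review: {s['package']}@{s['version']} {s['vulnerability']} "
              f"({s['severity']}) matched by CPE only")
```

Findings it prints are candidates for manual review against the package's actual identity, not automatic dismissals; with the v0.60.0 default described above, a fresh Grype run should produce none of them for npm.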

Added changelog-ignore because this was fixed in 0.60.0 and so shouldn't be included in the current release's release notes.

willmurphyscode, Jun 21 '23 14:06