Under certain circumstances the score of vulnerabilities is not parsed correctly.
This seems to occur when grype sees a related vulnerability with the same id; the score then does not get added to the main vulnerability.
The parsed report should contain the correct score for the vulnerability.
I will fix that.
Related issue: anchore/grype#734
Example report that will trigger the parsing error:
```json
{
  "matches": [
    {
      "vulnerability": {
        "id": "CVE-2021-28831",
        "dataSource": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831",
        "namespace": "alpine:3.10",
        "severity": "High",
        "urls": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831"],
        "cvss": [],
        "fix": {"versions": ["1.30.1-r5"], "state": "fixed"},
        "advisories": []
      },
      "relatedVulnerabilities": [
        {
          "id": "CVE-2021-28831",
          "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-28831",
          "namespace": "nvd",
          "severity": "High",
          "urls": ["https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd"],
          "description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.",
          "cvss": [
            {
              "version": "2.0",
              "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
              "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9},
              "vendorMetadata": {}
            },
            {
              "version": "3.1",
              "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6},
              "vendorMetadata": {}
            }
          ]
        }
      ],
      "matchDetails": [ ... ],
      "artifact": { ... }
    }
  ]
}
```
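One way a consumer of grype's JSON output can recover the score in the situation this issue describes, written here as an added example. It is not the reporter's fix and not grype's or this project's own code. It assumes that the newest CVSS version present is the score to report, and that a score may only be borrowed from a related record whose id equals the main vulnerability's id. The sample report is constructed from the example above, trimmed to the fields the parser needs; the `EXAMPLE-ID-*` matches are placeholder ids, not real vulnerabilities, added to exercise the edge cases.

```python
import json
from typing import Optional

# Constructed sample, trimmed from the report in the issue above: the match's
# own "cvss" array is empty, while the related NVD record with the same CVE id
# carries a 2.0 and a 3.1 score. The EXAMPLE-ID-* matches are invented
# placeholders (not real vulnerability ids) that exercise the edge cases.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {
            "vulnerability": {"id": "CVE-2021-28831", "namespace": "alpine:3.10",
                              "severity": "High", "cvss": []},
            "relatedVulnerabilities": [{
                "id": "CVE-2021-28831", "namespace": "nvd", "severity": "High",
                "cvss": [
                    {"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
                     "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}},
                    {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                     "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}},
                ],
            }],
        },
        # Related record has a *different* id: its score must not be borrowed.
        {
            "vulnerability": {"id": "EXAMPLE-ID-A", "namespace": "alpine:3.10",
                              "severity": "Low", "cvss": []},
            "relatedVulnerabilities": [{
                "id": "EXAMPLE-ID-B", "namespace": "nvd",
                "cvss": [{"version": "3.1", "metrics": {"baseScore": 9.8}}],
            }],
        },
        # Main record already scored: it wins over a same-id related record.
        {
            "vulnerability": {"id": "EXAMPLE-ID-C", "namespace": "alpine:3.10",
                              "severity": "Medium",
                              "cvss": [{"version": "3.1", "metrics": {"baseScore": 4.3}}]},
            "relatedVulnerabilities": [{
                "id": "EXAMPLE-ID-C", "namespace": "nvd",
                "cvss": [{"version": "3.1", "metrics": {"baseScore": 9.8}}],
            }],
        },
    ]
})


def _version_key(version: str) -> tuple:
    """Sort key so that "3.1" > "3.0" > "2.0"; unparsable versions sort last."""
    try:
        return tuple(int(p) for p in version.split("."))
    except ValueError:
        return (-1,)


def best_base_score(cvss_entries: list) -> Optional[float]:
    """Return the baseScore of the newest CVSS version in the list, or None.

    Assumption (not stated in the issue): when a record carries several CVSS
    versions, the newest one is the score we want to report.
    """
    scored = [e for e in cvss_entries
              if isinstance(e.get("metrics", {}).get("baseScore"), (int, float))]
    if not scored:
        return None
    newest = max(scored, key=lambda e: _version_key(str(e.get("version", ""))))
    return float(newest["metrics"]["baseScore"])


def score_for_match(match: dict) -> tuple:
    """Return (score, source) for one grype match.

    The match's own vulnerability record is consulted first. Only when it has
    no usable CVSS entry do we fall back to relatedVulnerabilities, and then
    only to records whose id equals the main vulnerability's id (the situation
    described in the issue). Anything else yields (None, None).
    """
    vuln = match.get("vulnerability", {})
    score = best_base_score(vuln.get("cvss", []))
    if score is not None:
        return score, "vulnerability"
    for related in match.get("relatedVulnerabilities", []):
        if related.get("id") != vuln.get("id"):
            continue
        score = best_base_score(related.get("cvss", []))
        if score is not None:
            return score, "relatedVulnerabilities"
    return None, None


def parse_scores(report_json: str) -> list:
    """Parse a grype JSON report and return one row per match."""
    report = json.loads(report_json)
    rows = []
    for match in report.get("matches", []):
        vuln = match.get("vulnerability", {})
        score, source = score_for_match(match)
        rows.append({"id": vuln.get("id"), "namespace": vuln.get("namespace"),
                     "severity": vuln.get("severity"), "score": score, "source": source})
    return rows


if __name__ == "__main__":
    for row in parse_scores(SAMPLE_REPORT):
        print(row)
```

Each row records where the score came from, so a report consumer can tell a score grype attached directly from one borrowed off a same-id related record; a match with no usable CVSS entry anywhere comes back with `None` rather than silently inheriting a score from an unrelated record.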
fix: empty CVSS issue #1
ee52fca
closed with #2
HelenaSeidel