False Positive: CVE-2021-22696 Apache Cxf-Xjc-Runtime vs Apache Cxf #1333

Closed
sekveaja opened this issue Jun 1, 2023 · 3 comments
Labels
bug Something isn't working changelog-ignore Don't include this issue in the release changelog false-positive:cpe This issue is a report of a false positive cause by CPE matching

Comments

@sekveaja

sekveaja commented Jun 1, 2023

What happened:
Using Apache cxf-xjc-runtime version 3.3.1
"package_cpe23": "cpe:2.3:a:apache:cxf-xjc-runtime:3.3.1:*:*:*:*:*:*:*",
"package_path": "/opt/jboss/keycloak/modules/system/layers/base/org/apache/cxf/impl/main/cxf-xjc-runtime-3.3.1.jar",

Reported: CVE-2021-22696 on NVD
"criteria": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*"

Grype reports vulnerability CVE-2021-22696 related to Apache CXF.
Apache CXF and Apache CXF XJC Runtime are different applications.
Therefore, it is a false positive.

What you expected to happen:

Should not report apache:cxf-xjc-runtime as apache:cxf.

Environment:

  • Output of grype version: 0.61.1
  • OS (e.g: cat /etc/os-release or similar): SLES 15 SP4
@sekveaja sekveaja added the bug Something isn't working label Jun 1, 2023
@sekveaja sekveaja changed the title from "False Positive: CVE-2021-22696" to "False Positive: CVE-2021-22696 Apache Cxf-Xjc-Runtime vs Apache Cxf" Jun 1, 2023
@tgerla tgerla added this to OSS Jun 14, 2023
@tgerla tgerla added the false-positive:cpe This issue is a report of a false positive cause by CPE matching label Jun 14, 2023
@willmurphyscode willmurphyscode added the changelog-ignore Don't include this issue in the release changelog label Apr 19, 2024
@willmurphyscode
Contributor

willmurphyscode commented Apr 19, 2024

Hi @sekveaja,

This was fixed by the switch from using CPE matching by default to using GHSA package ecosystem matching by default. It no longer reproduces:

echo "FROM alpine:latest

RUN wget 'https://repo1.maven.org/maven2/org/apache/cxf/xjc-utils/cxf-xjc-runtime/3.3.1/cxf-xjc-runtime-3.3.1.jar'
" > Dockerfile

docker build -t testimage .
grype -q testimage | grep java # prints nothing

However, if we turn CPE matching back on, we can see:

$ GRYPE_MATCH_JAVA_USING_CPES=true grype -q testimage | grep java
cxf-xjc-runtime  3.3.1                 java-archive  CVE-2022-46364  Critical
cxf-xjc-runtime  3.3.1                 java-archive  CVE-2019-12419  Critical
cxf-xjc-runtime  3.3.1                 java-archive  CVE-2022-46363  High
cxf-xjc-runtime  3.3.1                 java-archive  CVE-2021-30468  High
cxf-xjc-runtime  3.3.1                 java-archive  CVE-2021-22696  High
cxf-xjc-runtime  3.3.1                 java-archive  CVE-2019-12423  High
cxf-xjc-runtime  3.3.1                 java-archive  CVE-2020-1954   Medium
cxf-xjc-runtime  3.3.1                 java-archive  CVE-2020-13954  Medium
cxf-xjc-runtime  3.3.1                 java-archive  CVE-2019-17573  Medium
cxf-xjc-runtime  3.3.1                 java-archive  CVE-2019-12406  Medium
cxf-xjc-runtime  3.3.1                 java-archive  CVE-2024-28752  Unknown

I'm closing this as completed, since the false positive no longer occurs on default configuration grype. Please let me know if I've missed anything.
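The report above and the maintainer's reproduction both turn on one detail of CPE matching: the package's own CPE (`cpe:2.3:a:apache:cxf-xjc-runtime:3.3.1:...`) and the NVD criteria (`cpe:2.3:a:apache:cxf:*:...`) share a vendor but differ in the `product` attribute, so an attribute-wise comparison cannot match them. The following is an added example, not grype's code and not a description of its internals: a small CPE 2.3 parser and matcher, plus a deliberately over-eager candidate-generation heuristic (a constructed assumption, labelled as such) that derives extra product names from Maven coordinates. Running it shows that the declared package CPE never matches the criteria, and that a match only appears once a guessed `apache:cxf` candidate is introduced. The helper names (`parse_cpe23`, `first_mismatch`, `guessed_cpes_from_maven`, `matching_candidates`) are mine; NVD version ranges (versionEndExcluding and friends) live outside the CPE string and are not modelled here.

```python
"""CPE 2.3 parsing and matching, illustrating the cxf vs cxf-xjc-runtime case.

Added example for triaging CPE-based false positives; not grype's own code.
"""
import re

# The 11 attributes of a CPE 2.3 formatted string, in order (NIST IR 7695).
ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")

# Values taken from the issue above (asterisks restored).
PACKAGE_CPE = "cpe:2.3:a:apache:cxf-xjc-runtime:3.3.1:*:*:*:*:*:*:*"
NVD_CRITERIA = "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*"


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named attributes.

    A literal colon inside a value is escaped as '\\:', so we split only on
    colons that are not preceded by a backslash.
    """
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    fields = re.split(r"(?<!\\):", cpe[len(prefix):])
    if len(fields) != len(ATTRS):
        raise ValueError("expected %d attributes, got %d in %r"
                         % (len(ATTRS), len(fields), cpe))
    return dict(zip(ATTRS, fields))


def attr_matches(criteria_val: str, target_val: str) -> bool:
    """Compare one attribute of a criteria against the same attribute of a target.

    '*' (ANY) in the criteria matches everything; '-' (NA) matches only '-';
    anything else must be equal, case-insensitively. No substring or prefix logic.
    """
    if criteria_val == "*":
        return True
    return criteria_val.lower() == target_val.lower()


def cpe_matches(criteria: str, target: str) -> bool:
    """True only if every attribute of the criteria accepts the target."""
    c, t = parse_cpe23(criteria), parse_cpe23(target)
    return all(attr_matches(c[a], t[a]) for a in ATTRS)


def first_mismatch(criteria: str, target: str):
    """Name the first attribute that blocks a match (None if it matches).

    Useful when triaging a finding: 'product' here means the vulnerable
    product and the installed package are simply different things.
    """
    c, t = parse_cpe23(criteria), parse_cpe23(target)
    for a in ATTRS:
        if not attr_matches(c[a], t[a]):
            return a
    return None


def guessed_cpes_from_maven(group_id: str, artifact_id: str, version: str) -> list:
    """Constructed heuristic (an assumption, not grype's algorithm).

    Emits one candidate CPE per plausible product name: the artifactId plus
    every groupId segment after the reverse-domain prefix. Over-generating
    candidates like this is one way an unrelated product's criteria can end
    up being compared against a package.
    """
    segments = group_id.split(".")
    vendor = segments[1] if len(segments) > 1 else segments[0]
    products = {artifact_id, *segments[2:]}
    return sorted("cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*" % (vendor, p, version)
                  for p in products)


def matching_candidates(criteria: str, candidates: list) -> list:
    """Return the candidate CPEs that the criteria actually matches."""
    return [c for c in candidates if cpe_matches(criteria, c)]


if __name__ == "__main__":
    print("declared package CPE matches NVD criteria:",
          cpe_matches(NVD_CRITERIA, PACKAGE_CPE))          # False
    print("blocking attribute:", first_mismatch(NVD_CRITERIA, PACKAGE_CPE))  # product
    # Coordinates taken from the Maven URL in the comment above.
    guessed = guessed_cpes_from_maven("org.apache.cxf.xjc-utils",
                                      "cxf-xjc-runtime", "3.3.1")
    print("guessed candidates:", guessed)
    print("candidates the criteria matches:",
          matching_candidates(NVD_CRITERIA, guessed))
```

The practical reading for a defender: when a CPE-sourced finding looks wrong, compare the criteria against the package's declared CPE attribute by attribute; a mismatch on `product` is a strong signal that a guessed candidate name, not the package itself, produced the match, which is exactly what the `GRYPE_MATCH_JAVA_USING_CPES=true` run above reintroduces.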

@sekveaja
Author

Thank you @willmurphyscode for the input.
From which version is Grype using GHSA package ecosystem matching by default?

@spiffcs
Contributor

spiffcs commented May 1, 2024

@sekveaja looks like it was this release:
https://github.com/anchore/grype/releases/tag/v0.71.0

This PR
#1412
