Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Grype fails to detect postgresql jdbc driver CVEs when scanning .jar #1482

Closed
ColinMcMicken opened this issue Sep 7, 2023 · 2 comments
Closed

Grype fails to detect postgresql jdbc driver CVEs when scanning .jar #1482

ColinMcMicken opened this issue Sep 7, 2023 · 2 comments
Labels
bug Something isn't working

Comments

@ColinMcMicken
Copy link

What happened:

Scanned postgresql jdbc driver (42.3.3) .jar file using grype.
Was given a false-positive PostgreSQL CVE (not jdbc driver): CVE-2017-8806

What you expected to happen:

Be given two active CVEs for the postgresql jdbc driver of that version (42.3.3.): CVE-2022-31197, CVE-2022-41946

How to reproduce it (as minimally and precisely as possible):

Download postgresql jdbc driver 42.3.3 & Scan dir with .jar file using grype:

mkdir ./tmp
curl -L https://repo1.maven.org/maven2/org/postgresql/postgresql/42.3.3/postgresql-42.3.3.jar --output ./tmp/postgresql-42.3.3.jar
grype dir:./tmp/

Anything else we need to know?:

Syft correctly identifies the jar as being JDBC driver for postgresql and lists one or more cpes indicating the postgres jdbc driver

syft file:./tmp/postgresql-42.3.3.jar --output syft-json > ./postgresql-42.3.3.syft-json.json

a few of the cpes lines of the syft-json file:

        "cpe:2.3:a:osgi:PGBundleActivator:42.3.3:*:*:*:*:*:*:*",
        "cpe:2.3:a:postgresql:postgresql:42.3.3:*:*:*:*:*:*:*",
        "cpe:2.3:a:jdbc:postgresql:42.3.3:*:*:*:*:*:*:*",
        "cpe:2.3:a:osgi:postgresql:42.3.3:*:*:*:*:*:*:*",
        "cpe:2.3:a:postgresql:jdbc:42.3.3:*:*:*:*:*:*:*",
        "cpe:2.3:a:postgresql:osgi:42.3.3:*:*:*:*:*:*:*",

Environment:

  • Output of grype version:
Application:          grype
Version:              0.66.0
Syft Version:         v0.89.0
BuildDate:            2023-08-31T16:47:21Z
GitCommit:            35ffa2ac421130af2b8578464a6657aae98295ed
GitDescription:       v0.66.0
Platform:             linux/amd64
GoVersion:            go1.19.12
Compiler:             gc
Supported DB Schema:  5
  • OS (e.g: cat /etc/os-release or similar):
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
  • Output of syft version:
Application:        syft
Version:            0.69.0
JsonSchemaVersion:  6.2.0
BuildDate:          2023-01-30T19:00:28Z
GitCommit:          b81c9805dcc9bf25dad7659fd9c2bbf7dd3f3d90
GitDescription:     v0.69.0
Platform:           linux/amd64
GoVersion:          go1.18.10
Compiler:           gc
@ColinMcMicken ColinMcMicken added the bug Something isn't working label Sep 7, 2023
@tgerla
Copy link
Contributor

tgerla commented Oct 26, 2023

Hi @ColinMcMicken, we believe these false positives and negatives have been fixed in the latest version of Grype. Can you upgrade and let us know? Thanks!

@tgerla tgerla moved this to Awaiting Response in OSS Oct 26, 2023
@ColinMcMicken
Copy link
Author

TY. I can confirm this as fixed in 0.72.0

@github-project-automation github-project-automation bot moved this from Awaiting Response to Done in OSS Oct 27, 2023
@Porkepix Porkepix mentioned this issue Nov 7, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
OSS
Archived in project
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tgerla @ColinMcMicken