correctly identify version of traefik binaries #2178

Closed
mcarbonne opened this issue Oct 11, 2024 · 0 comments · Fixed by #2179
Labels
bug Something isn't working

Comments

mcarbonne commented Oct 11, 2024

What happened:
I wanted to check whether grype was able to correctly detect CVEs in my running images, so I tried the following:

```console
$ grype traefik:3.1.2 
 ✔ Loaded image                                                                                                                                                          traefik:3.1.2
 ✔ Parsed image                                                                                                sha256:0c02a120479c5db9809725d9bf5b125ffbc79266e4e6dc1e5225bff876880453
 ✔ Cataloged contents                                                                                                 86e75bc67ff99e9ee7f53102f1ffd34ef0c0742682bfb1069283ed4ee4e91be3
   ├── ✔ Packages                        [321 packages]  
   ├── ✔ File digests                    [574 files]  
   ├── ✔ File metadata                   [574 locations]  
   └── ✔ Executables                     [20 executables]  
 ✔ Scanned for vulnerabilities     [4 vulnerability matches]  
   ├── by severity: 0 critical, 2 high, 1 medium, 0 low, 0 negligible (1 unknown)
   └── by status:   0 fixed, 4 not-fixed, 0 ignored 
NAME                        INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY 
gopkg.in/square/go-jose.v2  v2.5.1               go-module  GHSA-c5q2-7r4c-mv6g  Medium    
stdlib                      go1.22.5             go-module  CVE-2024-34158       High      
stdlib                      go1.22.5             go-module  CVE-2024-34156       High      
stdlib                      go1.22.5             go-module  CVE-2024-34155       Unknown
```

But CVE-2024-45410 (9.8), for example, isn't detected.
Next, I downloaded the database used by grype, and the CVE is there.

My first guess was that grype was only analyzing dependencies but not the software itself, so I ran syft to check the detected SBOM; traefik, however, was correctly detected:

```console
$ syft traefik:3.1.2 
 ✔ Loaded image                                                                                                                                                          traefik:3.1.2
 ✔ Parsed image                                                                                                sha256:0c02a120479c5db9809725d9bf5b125ffbc79266e4e6dc1e5225bff876880453
 ✔ Cataloged contents                                                                                                 86e75bc67ff99e9ee7f53102f1ffd34ef0c0742682bfb1069283ed4ee4e91be3
   ├── ✔ Packages                        [321 packages]  
   ├── ✔ File digests                    [574 files]  
   ├── ✔ File metadata                   [574 locations]  
   └── ✔ Executables                     [20 executables]  
NAME                                                                                  VERSION                                TYPE        
[...]    
github.com/traefik/grpc-web                                                           v0.16.0                                go-module    
github.com/traefik/http-wasm-host-go                                                  v0.0.0-20240618100324-3c53dcaa1a70     go-module    
github.com/traefik/paerser                                                            v0.2.0                                 go-module    
github.com/traefik/traefik/v3                                                         v0.0.0-20240806133403-4c4780f88692     go-module    
github.com/traefik/yaegi                                                              v0.16.1                                go-module    
[...]   
traefik                                                                               3.1.2                                  binary       
```
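Added example, not code from grype, syft or the issue author: a small Go program that reads the build info embedded in a Go binary (the same data `go version -m` prints) and derives the `v0.0.0-<timestamp>-<revision>` pseudo-version of the kind the SBOM above lists for github.com/traefik/traefik/v3. It assumes a binary whose main module carries no release version in its build info (typically "(devel)" for a build from a git checkout), so the only version signal is the vcs.revision and vcs.time settings. The pseudo-version layout (v0.0.0, UTC timestamp as yyyymmddhhmmss, first 12 hex digits of the commit) is Go's documented form; the path argument and the constructed values in the comments are assumptions, not facts from the page.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"time"
)

// PseudoVersion builds Go's untagged-commit pseudo-version
// "v0.0.0-yyyymmddhhmmss-abcdefabcdef" from the vcs.time and vcs.revision
// build settings. A commit at 2024-08-06T13:34:03Z with revision starting
// 4c4780f88692 yields v0.0.0-20240806133403-4c4780f88692 (constructed input).
func PseudoVersion(vcsTime time.Time, vcsRevision string) string {
	rev := vcsRevision
	if len(rev) > 12 {
		rev = rev[:12]
	}
	return fmt.Sprintf("v0.0.0-%s-%s", vcsTime.UTC().Format("20060102150405"), rev)
}

// MainModuleVersion is what a scanner can learn about a binary's main module.
type MainModuleVersion struct {
	Path     string
	Embedded string // Main.Version as stored in the binary, e.g. "(devel)"
	Derived  string // pseudo-version synthesised from vcs.* settings, "" if absent
}

// Inspect reads the build info of a Go binary at path and, when the binary
// records a VCS revision and timestamp, derives the pseudo-version a scanner
// would assign when Main.Version carries no usable release number.
func Inspect(path string) (MainModuleVersion, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return MainModuleVersion{}, err
	}
	out := MainModuleVersion{Path: bi.Main.Path, Embedded: bi.Main.Version}
	var rev string
	var ts time.Time
	for _, s := range bi.Settings {
		switch s.Key {
		case "vcs.revision":
			rev = s.Value
		case "vcs.time":
			// Go records vcs.time in RFC 3339; ignore unparsable values.
			if t, perr := time.Parse(time.RFC3339, s.Value); perr == nil {
				ts = t
			}
		}
	}
	if rev != "" && !ts.IsZero() {
		out.Derived = PseudoVersion(ts, rev)
	}
	return out, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: inspect <go-binary>") // hypothetical program name
		os.Exit(2)
	}
	info, err := Inspect(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "read build info:", err)
		os.Exit(1)
	}
	fmt.Printf("main module: %s\n", info.Path)
	fmt.Printf("embedded version: %q\n", info.Embedded)
	fmt.Printf("derived pseudo-version: %q\n", info.Derived)
}
```

Run it against the traefik binary extracted from the image to see where the module version in the SBOM comes from: a pseudo-version identifies a commit, not a release, so nothing in it says that the commit corresponds to 3.1.2, while syft's binary cataloger reports the release string "3.1.2" as a separate `binary` package. Whichever of the two entries a matcher uses decides whether a release-based advisory range can be compared at all.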
@mcarbonne mcarbonne added the bug Something isn't working label Oct 11, 2024
@github-project-automation github-project-automation bot moved this to Done in OSS Oct 11, 2024
@willmurphyscode willmurphyscode changed the title Not detecting vulnerability of a docker image whereas available in database correctly identify version of traefik binaries Oct 15, 2024