Java CVEs not detected from sparse CycloneDX SBOM #723
Comments
|
SBOM to test with: running |
|
This is an excellent find @jonmcewen! Thanks for filing this issue. Because we do matching for the java ecosystem using cpe generation from syft we're showing our bias a bit with this omission. I think the best way forward here is to take your example and use the PURL string as a fallback in grype to surface CVE if no CPE information is available. There is a good discussion around if we should mix and provide all CVE if both are provided. Either way we've pulled this forward so that we can hit the case where PURL exists and cpe does not! |
|
I raised a syft PR to fix this. Seems like I forgot to link to this. This PR: anchore/syft#957 |
|
Yep! Just validated this today and it looks like the PR fixed the underlying issue: Thanks again for the great contribution @jonmcewen!
|
What happened:
When using grype to check a CycloneDX SBOM not produced by syft, Java vulnerabilities were not detected.
What you expected to happen:
Vulnerabilities should be found by language when there is no CPE and no syft metadata
How to reproduce it (as minimally and precisely as possible):
Using a CycloneDX SBOM with minimal component info and known CVEs such as:
{
"name" : "log4j-core",
"version" : "2.13.3",
"purl" : "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3?type=jar",
"type" : "library",
"bom-ref" : "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3?type=jar"
},
Running grype will not find any CVEs.
Anything else we need to know?:
Relates to anchore/syft#953
Environment:
Output of grype version: 0.34.7
OS (e.g: cat /etc/os-release or similar): any
The text was updated successfully, but these errors were encountered: