False Positives Reported for Apache Activemq-Artemis-Native #760
Labels
bug
Something isn't working
changelog-ignore
Don't include this issue in the release changelog
ecosystem:java
relating to the java ecosystem
false-positive:cpe
This issue is a report of a false positive cause by CPE matching
false-positive
What happened:
Apache Activemq Artemis Native (https://github.com/apache/activemq-artemis-native) is being mapped to activemq even though it's a separate project and is managed independently.
Examples:
Latest activemq-artemis-native=1.0.2, but appears it is be being treated like activemq=1.0.2
org.apache.activemq:activemq-artemis-native
What you expected to happen:
The ActiveMQ vulns to not be reported for the artemis-native component.
How to reproduce it (as minimally and precisely as possible):
This was used to create a minimal image containing the artemis-native jar file.
echo "FROM maven:3.8.2-ibmjava-alpine\nRUN mvn dependency:get -Dartifact=org.apache.activemq:activemq-artemis-native:1.0.2" | docker build -t java-false-positives:activemq-artemis-native - && grype java-false-positives:activemq-artemis-native | egrep "activemq-artemis-native"
The below shows a segement of the debug out from the grype process:
[0012] DEBUG found 15 vulnerabilities for pkg=Pkg(type=java-archive, name=activemq-artemis-native, version=1.0.2, upstreams=0)
[0012] DEBUG ├── vuln="CVE-2010-0684" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2010-1244" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2011-4905" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2012-5784" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2012-6092" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2012-6551" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2013-1879" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2013-1880" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2013-3060" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2014-3576" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2015-7559" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2016-3088" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2018-11775" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2020-13920" matchers=[java-matcher]
[0012] DEBUG └── vuln="CVE-2020-13947" matchers=[java-matcher]
To look at one specifically, CVE-2016-3088 is against Apache Activemq (cpe:2.3:a:apache:activemq::::::::).
Anything else we need to know?:
If we look at the output from Syft we can see the follow in the output.
Syft
{
"id": "63c096a170a02afe",
"name": "activemq-artemis-native",
"version": "1.0.2",
"type": "java-archive",
"foundBy": "java-cataloger",
"locations": [
{
"path": "/opt/activemq-artemis/lib/activemq-artemis-native-1.0.2.jar",
"layerID": "sha256:4955648260bbf71e0419f024c5ca4b36c6295276a08a55b7f97f9bc678df3e39"
}
],
"licenses": [],
"language": "java",
"cpes": [
"cpe:2.3:a:apache-software-foundation:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:apache-software-foundation:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:apache_software_foundation:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:apache_software_foundation:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis-native:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis-native:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis_native:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis_native:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:apache-software-foundation:artemis-native:1.0.2:::::::",
"cpe:2.3:a:apache-software-foundation:artemis_native:1.0.2:::::::",
"cpe:2.3:a:apache_software_foundation:artemis-native:1.0.2:::::::",
"cpe:2.3:a:apache_software_foundation:artemis_native:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis-native:artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis-native:artemis_native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis_native:artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis_native:artemis_native:1.0.2:::::::",
"cpe:2.3:a:artemis-native:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:artemis-native:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:artemis_native:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:artemis_native:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:apache-software-foundation:activemq:1.0.2:::::::",
"cpe:2.3:a:apache_software_foundation:activemq:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis-native:activemq:1.0.2:::::::",
"cpe:2.3:a:activemq:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis_native:activemq:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis:artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis:artemis_native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis:artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis:artemis_native:1.0.2:::::::",
"cpe:2.3:a:artemis:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:artemis:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:apache:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:apache:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:artemis-native:artemis-native:1.0.2:::::::",
"cpe:2.3:a:artemis-native:artemis_native:1.0.2:::::::",
"cpe:2.3:a:artemis_native:artemis-native:1.0.2:::::::",
"cpe:2.3:a:artemis_native:artemis_native:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis:activemq:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis:activemq:1.0.2:::::::",
"cpe:2.3:a:activemq:artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq:artemis_native:1.0.2:::::::",
"cpe:2.3:a:artemis-native:activemq:1.0.2:::::::",
"cpe:2.3:a:artemis_native:activemq:1.0.2:::::::",
"cpe:2.3:a:artemis:artemis-native:1.0.2:::::::",
"cpe:2.3:a:artemis:artemis_native:1.0.2:::::::",
"cpe:2.3:a:apache:artemis-native:1.0.2:::::::",
"cpe:2.3:a:apache:artemis_native:1.0.2:::::::",
"cpe:2.3:a:activemq:activemq:1.0.2:::::::",
"cpe:2.3:a:artemis:activemq:1.0.2:::::::",
"cpe:2.3:a:apache:activemq:1.0.2:::::::*"
],
From the syft output it can be seen a CPE of
"cpe:2.3:a:apache:activemq:1.0.2:*:*:*:*:*:*:*"
has been generated for this package.The pom.xml file for this package is
<groupId>org.apache.activemq</groupId>
which is the shared by a number of otheractivemq components.
Not entirely sure if this should be a grype or syft issue given the above.
This seems similar to #431 and #450
Environment:
Grype Version Information:
Application: grype
Version: 0.38.0
Syft Version: v0.46.2
BuildDate: 2022-05-23T14:41:50Z
GitCommit: 06d28da
GitDescription: v0.38.0
Platform: darwin/amd64
GoVersion: go1.18.2
Compiler: gc
Supported DB Schema: 3
Syft Version Information:
Application: syft
Version: 0.46.2
JsonSchemaVersion: 3.2.3
BuildDate: 2022-05-23T14:02:40Z
GitCommit: d41afe05eb8fecd2906f5db9661910dbc99fc3dd
GitDescription: v0.46.2
Platform: darwin/amd64
GoVersion: go1.18.2
Compiler: gc
OS
ProductName: macOS
ProductVersion: 12.2
BuildVersion: 21D49
The text was updated successfully, but these errors were encountered: