Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

False Positives Reported for Apache Activemq-Artemis-Native #760

Closed
jeremybryan opened this issue May 25, 2022 · 2 comments
Closed

False Positives Reported for Apache Activemq-Artemis-Native #760

jeremybryan opened this issue May 25, 2022 · 2 comments
Labels
bug Something isn't working changelog-ignore Don't include this issue in the release changelog ecosystem:java relating to the java ecosystem false-positive:cpe This issue is a report of a false positive cause by CPE matching false-positive

Comments

@jeremybryan
Copy link

What happened:
Apache Activemq Artemis Native (https://github.com/apache/activemq-artemis-native) is being mapped to activemq even though it's a separate project and is managed independently.

Examples:
Latest activemq-artemis-native=1.0.2, but appears it is be being treated like activemq=1.0.2

org.apache.activemq:activemq-artemis-native

What you expected to happen:
The ActiveMQ vulns to not be reported for the artemis-native component.

How to reproduce it (as minimally and precisely as possible):

This was used to create a minimal image containing the artemis-native jar file.
echo "FROM maven:3.8.2-ibmjava-alpine\nRUN mvn dependency:get -Dartifact=org.apache.activemq:activemq-artemis-native:1.0.2" | docker build -t java-false-positives:activemq-artemis-native - && grype java-false-positives:activemq-artemis-native | egrep "activemq-artemis-native"

The below shows a segement of the debug out from the grype process:
[0012] DEBUG found 15 vulnerabilities for pkg=Pkg(type=java-archive, name=activemq-artemis-native, version=1.0.2, upstreams=0)
[0012] DEBUG ├── vuln="CVE-2010-0684" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2010-1244" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2011-4905" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2012-5784" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2012-6092" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2012-6551" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2013-1879" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2013-1880" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2013-3060" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2014-3576" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2015-7559" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2016-3088" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2018-11775" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2020-13920" matchers=[java-matcher]
[0012] DEBUG └── vuln="CVE-2020-13947" matchers=[java-matcher]

To look at one specifically, CVE-2016-3088 is against Apache Activemq (cpe:2.3:a:apache:activemq::::::::).

Anything else we need to know?:
If we look at the output from Syft we can see the follow in the output.
Syft
{
"id": "63c096a170a02afe",
"name": "activemq-artemis-native",
"version": "1.0.2",
"type": "java-archive",
"foundBy": "java-cataloger",
"locations": [
{
"path": "/opt/activemq-artemis/lib/activemq-artemis-native-1.0.2.jar",
"layerID": "sha256:4955648260bbf71e0419f024c5ca4b36c6295276a08a55b7f97f9bc678df3e39"
}
],
"licenses": [],
"language": "java",
"cpes": [
"cpe:2.3:a:apache-software-foundation:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:apache-software-foundation:activemq_artemis_native:1.0.2:
::::::",
"cpe:2.3:a:apache_software_foundation:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:apache_software_foundation:activemq_artemis_native:1.0.2:
::::::",
"cpe:2.3:a:activemq-artemis-native:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis-native:activemq_artemis_native:1.0.2:
::::::",
"cpe:2.3:a:activemq_artemis_native:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis_native:activemq_artemis_native:1.0.2:
::::::",
"cpe:2.3:a:apache-software-foundation:artemis-native:1.0.2:::::::",
"cpe:2.3:a:apache-software-foundation:artemis_native:1.0.2:
::::::",
"cpe:2.3:a:apache_software_foundation:artemis-native:1.0.2:::::::",
"cpe:2.3:a:apache_software_foundation:artemis_native:1.0.2:
::::::",
"cpe:2.3:a:activemq-artemis:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis:activemq_artemis_native:1.0.2:
::::::",
"cpe:2.3:a:activemq_artemis:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis:activemq_artemis_native:1.0.2:
::::::",
"cpe:2.3:a:activemq-artemis-native:artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis-native:artemis_native:1.0.2:
::::::",
"cpe:2.3:a:activemq_artemis_native:artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis_native:artemis_native:1.0.2:
::::::",
"cpe:2.3:a:artemis-native:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:artemis-native:activemq_artemis_native:1.0.2:
::::::",
"cpe:2.3:a:artemis_native:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:artemis_native:activemq_artemis_native:1.0.2:
::::::",
"cpe:2.3:a:apache-software-foundation:activemq:1.0.2:::::::",
"cpe:2.3:a:apache_software_foundation:activemq:1.0.2:
::::::",
"cpe:2.3:a:activemq-artemis-native:activemq:1.0.2:::::::",
"cpe:2.3:a:activemq:activemq-artemis-native:1.0.2:
::::::",
"cpe:2.3:a:activemq:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis_native:activemq:1.0.2:
::::::",
"cpe:2.3:a:activemq-artemis:artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis:artemis_native:1.0.2:
::::::",
"cpe:2.3:a:activemq_artemis:artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis:artemis_native:1.0.2:
::::::",
"cpe:2.3:a:artemis:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:artemis:activemq_artemis_native:1.0.2:
::::::",
"cpe:2.3:a:apache:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:apache:activemq_artemis_native:1.0.2:
::::::",
"cpe:2.3:a:artemis-native:artemis-native:1.0.2:::::::",
"cpe:2.3:a:artemis-native:artemis_native:1.0.2:
::::::",
"cpe:2.3:a:artemis_native:artemis-native:1.0.2:::::::",
"cpe:2.3:a:artemis_native:artemis_native:1.0.2:
::::::",
"cpe:2.3:a:activemq-artemis:activemq:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis:activemq:1.0.2:
::::::",
"cpe:2.3:a:activemq:artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq:artemis_native:1.0.2:
::::::",
"cpe:2.3:a:artemis-native:activemq:1.0.2:::::::",
"cpe:2.3:a:artemis_native:activemq:1.0.2:
::::::",
"cpe:2.3:a:artemis:artemis-native:1.0.2:::::::",
"cpe:2.3:a:artemis:artemis_native:1.0.2:
::::::",
"cpe:2.3:a:apache:artemis-native:1.0.2:::::::",
"cpe:2.3:a:apache:artemis_native:1.0.2:
::::::",
"cpe:2.3:a:activemq:activemq:1.0.2:::::::",
"cpe:2.3:a:artemis:activemq:1.0.2:
::::::",
"cpe:2.3:a:apache:activemq:1.0.2:::::::*"
],

From the syft output it can be seen a CPE of "cpe:2.3:a:apache:activemq:1.0.2:*:*:*:*:*:*:*" has been generated for this package.
The pom.xml file for this package is <groupId>org.apache.activemq</groupId> which is the shared by a number of other
activemq components.

Not entirely sure if this should be a grype or syft issue given the above.

This seems similar to #431 and #450

Environment:

Grype Version Information:
Application: grype
Version: 0.38.0
Syft Version: v0.46.2
BuildDate: 2022-05-23T14:41:50Z
GitCommit: 06d28da
GitDescription: v0.38.0
Platform: darwin/amd64
GoVersion: go1.18.2
Compiler: gc
Supported DB Schema: 3

Syft Version Information:
Application: syft
Version: 0.46.2
JsonSchemaVersion: 3.2.3
BuildDate: 2022-05-23T14:02:40Z
GitCommit: d41afe05eb8fecd2906f5db9661910dbc99fc3dd
GitDescription: v0.46.2
Platform: darwin/amd64
GoVersion: go1.18.2
Compiler: gc

OS
ProductName: macOS
ProductVersion: 12.2
BuildVersion: 21D49

@jeremybryan jeremybryan added the bug Something isn't working label May 25, 2022
@spiffcs spiffcs added this to OSS May 25, 2022
@spiffcs spiffcs moved this to False Positives in OSS Aug 25, 2022
@wagoodman wagoodman removed the status in OSS Apr 6, 2023
@willmurphyscode
Copy link
Contributor

Hi @jeremybryan, thanks for reporting this!

I'm still able to reproduce this today:

Dockerfile.grype760:

FROM --platform=linux/amd64 maven:3.8.2-ibmjava-alpine
RUN mvn dependency:get -Dartifact=org.apache.activemq:activemq-artemis-native:1.0.2

build, save, and scan image:

docker build -t grype760 -f Dockerfile.grype760 .
docker save grype760 -o docker-archives/grype760
grype docker-archive:./docker-archives/grype760 | grep CVE-2016-3088

Prints:

activemq-artemis-native         1.0.2                               java-archive  CVE-2016-3088        Critical 

I believe you're right that the CPE generated for this package,cpe:2.3:a:apache:activemq:1.0.2:*:*:*:*:*:*:*, is too broad. I'm applying labels indicating that this match is due to CPE being too broad in the Java ecosystem so that we can try to solve this class of issue.

@willmurphyscode willmurphyscode added ecosystem:java relating to the java ecosystem false-positive:cpe This issue is a report of a false positive cause by CPE matching labels Jun 6, 2023
@tgerla
Copy link
Contributor

tgerla commented Nov 17, 2023

Hello, after upgrading to the latest Grype I can confirm that this false positive is no longer reported. Please see https://anchore.com/blog/say-goodbye-to-false-positives/ for more details.

@tgerla tgerla closed this as completed Nov 17, 2023
@github-project-automation github-project-automation bot moved this to Done in OSS Nov 17, 2023
@tgerla tgerla added the changelog-ignore Don't include this issue in the release changelog label Nov 17, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working changelog-ignore Don't include this issue in the release changelog ecosystem:java relating to the java ecosystem false-positive:cpe This issue is a report of a false positive cause by CPE matching false-positive
Projects
Archived in project
Development

No branches or pull requests

3 participants