Skip to content

Missing alpine patch version yields inaccurate results #2222

New issue
New issue
Closed
#2226
Closed
Missing alpine patch version yields inaccurate results#2222
#2226
Assignees
wagoodman
Labels
bugSomething isn't working
@wagoodman

Description

@wagoodman
wagoodman
opened on Oct 29, 2024

What happened:
I'm seeing that when providing your own package details and alpine distro version details independent of an image, the distro patch version being left off may result in incorrect results:

❯ echo "pkg:apk/openssh@9.6_p1-r1" |  grype purl:/dev/stdin --distro 'alpine:3.19.4' -q
No vulnerabilities found

❯ echo "pkg:apk/openssh@9.6_p1-r1" |  grype purl:/dev/stdin --distro 'alpine:3.19' -q
NAME     INSTALLED  FIXED-IN   TYPE  VULNERABILITY  SEVERITY
openssh  9.6_p1-r1  9.8_p1-r0  apk   CVE-2024-6387  High

Please take note the vuln info for this record:

❯ sqlite3 --header --column /Users/wagoodman/Library/Caches/grype/db/5/vulnerability.db 'select id,package_name,namespace,version_format,version_constraint,fixed_in_versions from vulnerability where namespace like "%alpine%" and id == "CVE-2024-6387"'

id             package_name  namespace                  version_format  version_constraint  fixed_in_versions
-------------  ------------  -------------------------  --------------  ------------------  -----------------
CVE-2024-6387  openssh       alpine:distro:alpine:3.17  apk             < 9.1_p1-r6         ["9.1_p1-r6"]
CVE-2024-6387  openssh       alpine:distro:alpine:3.18  apk             < 9.3_p2-r2         ["9.3_p2-r2"]
CVE-2024-6387  openssh       alpine:distro:alpine:3.19  apk             < 9.6_p1-r1         ["9.6_p1-r1"]
CVE-2024-6387  openssh       alpine:distro:alpine:3.20  apk             < 9.7_p1-r4         ["9.7_p1-r4"]
CVE-2024-6387  openssh       alpine:distro:alpine:edge  apk             < 9.8_p1-r0         ["9.8_p1-r0"]

The results with --distro 'alpine:3.19.4' is correct/expected: this is a valid secdb entry that should prune the NVD match from results entirely.

What appears to be happening is that when the patch version is not specified this is using the alpine:distro:alpine:edge namespace to search against instead of alpine:distro:alpine:3.19 which has a different package fix version entirely (thus won't be pruned).

What you expected to happen:
Using grype with this purl with both --distro 'alpine:3.19.4' and --distro 'alpine:3.19' should have the same result: CVE-2024-6387 should be absent from the results.

Metadata

Metadata

Assignees

Labels

bugSomething isn't working

Type

No type

Projects

OSS

Status

Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions