No vulnerabilities found for nuget package

[florian-pahl-tm]

What happened:
I scanned a sbom file produced by CycloneDX-dotnet. Grype did not detect any vulnerabilites, as the purls of the components do not match:

// reported by CycloneDX-dotnet
"purl": "pkg:nuget/[email protected]"
// expected by grype
"purl": "pkg:dotnet/[email protected]"

After replacing nuget with dotnet in the purl, scanning worked as expected.

What you expected to happen:
Grype detects one vulnerability for the provided sample:

NAME             INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY 
Newtonsoft.Json  11.0.2     13.0.1    dotnet  GHSA-5crp-9r3c-p9vr  High      

How to reproduce it (as minimally and precisely as possible):
Scan the following sample file:

{
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:04e1fb8f-9618-40f2-8305-7dee99c2271e",
    "version": 1,
    "metadata": {
        "tools": [
            {
                "vendor": "CycloneDX",
                "name": "CycloneDX module for .NET",
                "version": "2.7.0.0"
            }
        ]
    },
    "components": [
        {
            "type": "library",
            "bom-ref": "pkg:nuget/[email protected]",
            "publisher": "James Newton-King",
            "name": "Newtonsoft.Json",
            "version": "11.0.2",
            "description": "Json.NET is a popular high-performance JSON framework for .NET",
            "scope": "required",
            "hashes": [
                {
                    "alg": "SHA-512",
                    "content": "CE76466F0B3B138040F63C4D67B16E888448DC2F61AE06AD5504932A121865834EB9DE0CE557C6953622E917583B9B10ADE6C5B85FE0F54115DE13B10CC5C5E9"
                }
            ],
            "licenses": [
                {
                    "license": {
                        "id": "MIT",
                        "url": "https://github.com/JamesNK/Newtonsoft.Json/blob/master/LICENSE.md"
                    }
                }
            ],
            "copyright": "Copyright \u00a9 James Newton-King 2008",
            "purl": "pkg:dotnet/[email protected]",
            "externalReferences": [
                {
                    "url": "https://www.newtonsoft.com/json",
                    "type": "website"
                },
                {
                    "url": "https://github.com/JamesNK/Newtonsoft.Json.git",
                    "type": "vcs"
                }
            ]
        }
    ]
}

Anything else we need to know?:

Environment:

• Output of grype version:
  Application: grype
  Version: 0.55.0
  Syft Version: v0.65.0
  BuildDate: 2023-01-04T21:18:26Z
  GitCommit: c559833
  GitDescription: v0.55.0
  Platform: darwin/amd64
  GoVersion: go1.18.9
  Compiler: gc
  Supported DB Schema: 5

• OS (e.g: cat /etc/os-release or similar): MacOS

[spiffcs]

@florian-pahl-tm would you be able to provide us with the original source of the SBOM?

It looks like grype is behaving correctly in this case - detecting vulnerabilities for:

"purl": "pkg:dotnet/[email protected]"

By having the original source that the SBOM came from we can examine why nuget is being prefixed on the PURL.

Have you tried generating an SBOM of the same source with syft?
What is the PURL in that case?

Should a vulnerability be detected for "purl": "pkg:nuget/[email protected]"?

[spiffcs]

@westonsteimel also got me up to speed -

It looks like dotnet is not part of the PURL specification and favors nuget

Let me give a look and see the list of changes we need to make to get that change in

[spiffcs]

For reference here is the initial dotnet support and what I'm looking at:
anchore/syft#951

[florian-pahl-tm]

@spiffcs Here is the .csproj related file:

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="11.0.2" />
  </ItemGroup>
</Project>

Syft does not detect any packages (I thing dotnet support is very basic here):

syft .
 ✔ Indexed .
 ✔ Cataloged packages      [0 packages]
No packages discovered

[florian-pahl-tm]

@westonsteimel also got me up to speed -

It looks like dotnet is not part of the PURL specification and favors nuget

Let me give a look and see the list of changes we need to make to get that change in

Just for reference here is the purl spec: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst

[tgerla]

Hi @florian-pahl-tm, we believe this has been fixed in the latest version of Grype. Can you try and let us know if you run into the same results? Thanks much!

[tgerla]

Here is the fix: anchore/syft#1649

[florian-pahl-tm]

Tried with latest grype version 0.59.1. Still experiencing the same bug as outlined in first comment.

[tgerla]

Sorry @florian-pahl-tm, it's possible we misunderstood the problem. We will take another look and get back to you.

[ismaelhamed]

Same here.

How to reproduce it (as minimally and precisely as possible):

Run grype on the following sbom created with Microsoft.SBOMTool-2.2.1:

grype sbom:./manifest.spdx.json --add-cpes-if-none

{
  "files": [],
  "packages": [
    {
      "name": "Akka",
      "SPDXID": "SPDXRef-Package-A0149C44ED190396EA28DFECC2ECDDCD8780051C84808CC04C9C67F295BD39D9",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "copyrightText": "NOASSERTION",
      "versionInfo": "1.4.27",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:nuget/[email protected]"
        }
      ],
      "supplier": "NOASSERTION"
    }
  ],
  "externalDocumentRefs": [],
  "relationships": [
    {
      "relationshipType": "DEPENDS_ON",
      "relatedSpdxElement": "SPDXRef-Package-A0149C44ED190396EA28DFECC2ECDDCD8780051C84808CC04C9C67F295BD39D9",
      "spdxElementId": "SPDXRef-RootPackage"
    }
  ],
  "spdxVersion": "SPDX-2.2",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "TestApp 1.0.0",
  "documentNamespace": "https://spdx.org/spdxdocs/sbom-tool-2.2.1-79a7a847-e888-4918-bf01-1102a82d10d0/TestApp/1.0.0/6dVN5RkAWkWYqOqeWiuZ8g",
  "creationInfo": {
    "created": "2023-12-15T11:33:06Z",
    "creators": [
      "Organization: TestCo",
      "Tool: Microsoft.SBOMTool-2.2.1"
    ]
  },
  "documentDescribes": [
    "SPDXRef-RootPackage"
  ]
}

What you expected to happen:
Grype detects one vulnerability for the provided sample:

NAME  INSTALLED  FIXED-IN  TYPE       VULNERABILITY     SEVERITY
Akka  1.4.27     1.4.46    dotnet     GHSA-5crp-9r3c-p9vr  High 

What happened:

NAME  INSTALLED  FIXED-IN  TYPE       VULNERABILITY     SEVERITY
Akka  1.4.27               UnknownPackage CVE-2017-1000034  High

GHSA-5crp-9r3c-p9vr actually applies to the Newtonsoft.Json package, but since it is a transitive dependency for Akka, I expected it to show here.
CVE-2017-1000034 only applies to the Akka package (Maven) in the JVM, not for .NET (Nuget)

[dengel-rnd]

I can confirm the original poster's complaint: Even though the spec calls out "nuget" as the appropriate type (and the CycloneDx tool in NuGet properly formats the purl this way), grype appears to expect "dotnet" instead.

Perhaps there are other SBOM-generating tools that improperly use "dotnet" as the purl type. Could grype be made to accommodate one as an alias for the other?

[dengel-rnd]

I don't quite understand the SCM relationship between Grype and Syft. When will I know that a new Grype version has this fix?

[willmurphyscode]

Sorry, I didn't mean to close this before the Syft bump in Grype was in.

You'll see an item in the release notes, like in https://github.com/anchore/grype/releases/tag/v0.73.5, that mentions that the new Syft is incorporated in Grype.

[dengel-rnd]

Thanks, @willmurphyscode !

[willmurphyscode]

This is fixed in the latest release of grype (v0.74.0), which pulls in a Syft version that includes anchore/syft#2466.