
False positive for ruby gem webrick #1405

Open
sparrowt opened this issue Jul 27, 2023 · 7 comments
Labels
bug Something isn't working false-positive:cpe This issue is a report of a false positive caused by CPE matching false-positive

Comments

@sparrowt
Contributor

sparrowt commented Jul 27, 2023

What happened:
Grype is reporting a (very old) vulnerability in the webrick ruby gem despite running a version with the fix:

> docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock -v /var/tmp/grype_cache:/var/tmp/ -e GRYPE_DB_CACHE_DIR=/var/tmp/ anchore/grype:v0.64.2 fluent/fluentd:v1.16.0-1.0
 ✔ Vulnerability DB                [no update available]
 ✔ Pulled image
 ✔ Loaded image                                                                                                                                                              fluent/fluentd:v1.16.0-1.0
 ✔ Parsed image                                                                                                                 sha256:caf29af93836d148c852bc4c7db0aa9dcf7b01269bdeca1e0bee721e8ccea31a
 ✔ Cataloged packages              [129 packages]
 ✔ Scanned for vulnerabilities     [46 vulnerabilities]
   ├── 2 critical, 21 high, 19 medium, 0 low, 0 negligible (4 unknown)
   └── 18 fixed
NAME                   INSTALLED         FIXED-IN          TYPE  VULNERABILITY        SEVERITY
...
webrick                1.7.0                               gem   CVE-2008-1145        Medium
webrick                1.7.0             2.2.8             gem   GHSA-369m-2gv6-mw28  High

GHSA-369m-2gv6-mw28 says the patched version is 1.4.0, so 1.7.0 should be fine.

However, grype says it is 'Fixed in' 2.2.8, which doesn't make sense because there is no version 2.2.8 of the webrick gem: https://github.com/ruby/webrick/releases / https://rubygems.org/gems/webrick

This seems like an FP, possibly because the CPEs on https://nvd.nist.gov/vuln/detail/CVE-2017-10784 seem to be referring to ruby versions (where 2.2.8 would be the first patched one AFAICS) which grype has then compared against the version of webrick itself.

What you expected to happen:
No vulnerability to be reported for Ruby Gem webrick at version 1.7.0

How to reproduce it (as minimally and precisely as possible):
As above:

docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock -v /var/tmp/grype_cache:/var/tmp/ -e GRYPE_DB_CACHE_DIR=/var/tmp/ anchore/grype:v0.64.2 fluent/fluentd:v1.16.0-1.0

Anything else we need to know?:

Environment:

  • Output of grype version: 0.64.2
  • OS (e.g: cat /etc/os-release or similar): Docker Desktop for Windows
@sparrowt sparrowt added the bug Something isn't working label Jul 27, 2023
@shpml

shpml commented Jul 27, 2023

False positive upstream.

github/advisory-database#2526
github/advisory-database#2533

@sparrowt
Contributor Author

Ah fab, thank you 👍. Out of interest, how long does it normally take (now that the upstream PR was merged) for it to make its way into the grype vuln DB?

@shpml

shpml commented Jul 31, 2023

No idea; I'm using a different vulnerability scanner that uses the same DB, and it seems to be fixed there.

@westonsteimel
Contributor

I did also contact NVD regarding https://nvd.nist.gov/vuln/detail/CVE-2008-1145 to try and get the CPE updated to something more like the one on https://nvd.nist.gov/vuln/detail/CVE-2009-4492, but that may take some time for them to process.

@westonsteimel
Contributor

westonsteimel commented Aug 1, 2023

grype databases typically get updated and published once per day by the following workflows.

We do currently have an issue with the automated publishing pipeline that we're working on, but we manually published an update yesterday, so the GHSA record update should already be available.

@sparrowt
Contributor Author

sparrowt commented Aug 1, 2023

Thanks, GHSA-369m-2gv6-mw28 is no longer incorrectly flagged 👍

I guess we'll leave this open for https://nvd.nist.gov/vuln/detail/CVE-2008-1145 while that's still wrongly flagged.

NAME                   INSTALLED         FIXED-IN          TYPE  VULNERABILITY        SEVERITY
...
ruby-webrick           1.7.0-r1                            apk   CVE-2008-1145        Medium
...
webrick                1.7.0                               gem   CVE-2008-1145        Medium

@spiffcs spiffcs added false-positive:cpe This issue is a report of a false positive caused by CPE matching and removed false-positive:cpe This issue is a report of a false positive caused by CPE matching labels Aug 17, 2023
@spiffcs
Contributor

spiffcs commented Aug 17, 2023

We can tell from the description that this is an FP, but the CPE we're generating, compared with what is in NVD, is correct:

NVD: cpe:2.3:a:ruby-lang:webrick:-:*:*:*:*:ruby:*:*
Grype: cpe:2.3:a:ruby-lang:webrick:1.7.0:*:*:*:*:*:*:*

In the above case, '-' is used in the version selector, and weston has contacted NVD about getting a better CPE for this.

One more final thought: we are moving away from CPE matching in the near future, and this issue should be solved once we move to the PURL/GHSA model.
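
The comment above compares the two CPE strings but does not spell out how the version attribute is supposed to be compared. The following added example (it is not grype's, NVD's or the issue author's code) parses both CPE 2.3 formatted strings from this thread and applies the attribute-level logical-value rules from NISTIR 7696 (CPE Name Matching): "*" is ANY and matches anything, while "-" is NA and is DISJOINT from any concrete version. Under those rules the NVD entry with version "-" does not cover webrick 1.7.0 at all, and only a lenient matcher that treats "-" like "*" reproduces the false positive. The third CPE string, with target_sw filled in as ruby, is a constructed assumption used to isolate the version attribute; the function names are mine.

```python
"""
Added example (not grype's or NVD's code): parse CPE 2.3 formatted strings
and compare them attribute by attribute using the logical-value rules from
NISTIR 7696 (CPE Name Matching). It shows why an NVD entry whose version
field is the NA value "-" should not be treated as covering webrick 1.7.0,
and how treating "-" like the wildcard "*" produces the false positive.
"""
from enum import Enum
from typing import Dict, List

# Attribute order of a CPE 2.3 formatted string after the "cpe:2.3" prefix.
ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")

# The two strings quoted in this issue.
NVD_CPE = "cpe:2.3:a:ruby-lang:webrick:-:*:*:*:*:ruby:*:*"
GRYPE_CPE = "cpe:2.3:a:ruby-lang:webrick:1.7.0:*:*:*:*:*:*:*"
# Constructed variant (assumption, not from the issue): same package CPE
# with target_sw filled in, so that only the version attribute differs.
GRYPE_CPE_WITH_TARGET_SW = "cpe:2.3:a:ruby-lang:webrick:1.7.0:*:*:*:*:ruby:*:*"


class Rel(Enum):
    """Set relation between a source (criterion) attribute and a target one."""
    EQUAL = "EQUAL"
    SUBSET = "SUBSET"
    SUPERSET = "SUPERSET"
    DISJOINT = "DISJOINT"


def split_fs(fs: str) -> List[str]:
    """Split a formatted string on unescaped ':' only; an escaped '\\:' stays in its field."""
    fields, cur, i = [], [], 0
    while i < len(fs):
        ch = fs[i]
        if ch == "\\" and i + 1 < len(fs):      # keep the escape sequence intact
            cur.append(fs[i:i + 2])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_cpe(fs: str) -> Dict[str, str]:
    """Return the 11 attributes of a CPE 2.3 formatted string as a dict."""
    fields = split_fs(fs)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {fs!r}")
    return dict(zip(ATTRS, fields[2:]))


def compare_attr(source: str, target: str) -> Rel:
    """Relation of a single attribute per NISTIR 7696: '*' is ANY, '-' is NA."""
    if source == target:
        return Rel.EQUAL            # ANY/ANY, NA/NA, or identical literals
    if source == "*":
        return Rel.SUPERSET         # ANY covers NA and every literal value
    if target == "*":
        return Rel.SUBSET           # a literal or NA is narrower than ANY
    # NA against a literal, or two different literals (wildcards inside
    # literal strings are not handled in this example).
    return Rel.DISJOINT


def blocking_attrs(criterion: Dict[str, str], candidate: Dict[str, str],
                   na_as_any: bool = False) -> List[str]:
    """Attributes that stop `candidate` from being covered by `criterion`.

    A criterion covers a candidate only when every attribute compares as
    EQUAL or SUPERSET. With na_as_any=True the criterion's "-" values are
    treated as "*", the lenient reading under which the NVD entry above
    would match webrick 1.7.0 and produce the reported false positive.
    """
    blockers = []
    for attr in ATTRS:
        src = criterion[attr]
        if na_as_any and src == "-":
            src = "*"
        if compare_attr(src, candidate[attr]) not in (Rel.EQUAL, Rel.SUPERSET):
            blockers.append(attr)
    return blockers


if __name__ == "__main__":
    nvd, pkg = parse_cpe(NVD_CPE), parse_cpe(GRYPE_CPE_WITH_TARGET_SW)
    print("strict :", blocking_attrs(nvd, pkg) or "MATCH (would be reported)")
    print("lenient:", blocking_attrs(nvd, pkg, na_as_any=True) or "MATCH (would be reported)")
```

With the strict rules the version attribute alone blocks the match, which is the outcome sparrowt expected; with the lenient reading nothing blocks it, which is the CVE-2008-1145 row in the scan output. Note that grype's own package CPE leaves target_sw as "*", so against the NVD string that attribute is also only a SUBSET; a scanner has to decide separately how much of the target_sw field it trusts from its catalogers.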

@willmurphyscode willmurphyscode added the false-positive:cpe This issue is a report of a false positive caused by CPE matching label Sep 15, 2023