Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fails to find open kernel CVEs via CPE #1560

Open
JustAnotherSwCoderAndTester opened this issue Oct 13, 2023 · 1 comment
Open

Fails to find open kernel CVEs via CPE #1560

JustAnotherSwCoderAndTester opened this issue Oct 13, 2023 · 1 comment
Labels
bug Something isn't working false-negative

Comments

@JustAnotherSwCoderAndTester
Copy link

What happened:
CVE scanning for the Linux kernel with an SBOM file and a proper CPE does not list any CVEs.

CPE: cpe:2.3:o:linux:linux_kernel:5.4.236:*:*:*:*:*:*:*

I checked the downloaded vulnerability DB of grype with sqlitebrowser and found the CVEs listed on the web (tried around 10 items or so). However, the DB entries do not have a CPE.

What you expected to happen:
According to NVD this is a valid CPE in the SBOM file and there are many known CVEs:

How to reproduce it (as minimally and precisely as possible):

$ cat test.json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
    "component": {
      "type": "operating-system",
      "bom-ref": "[email protected]",
      "name": "TestSbom",
      "version": "1.0.0"
    }
  },
  "components": [
    {
      "type": "library",
      "bom-ref": "pkg:generic/[email protected]",
      "name": "linux_kernel",
      "version": "5.4.236",
      "scope": "required",
      "purl": "pkg:generic/[email protected]",
      "cpe": "cpe:2.3:o:linux:linux_kernel:5.4.236:*:*:*:*:*:*:*"
    }
  ]
}
$ grype "sbom:test.json"
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]  
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored 
No vulnerabilities found

Does not report any CVEs. If I remove the purl and cpe property within the JSON and add option --add-cpes-if-none

$ grype "sbom:test.json" --add-cpes-if-none
NAME          INSTALLED  FIXED-IN  TYPE            VULNERABILITY  SEVERITY 
linux_kernel  5.4.236              UnknownPackage  CVE-2022-1462  Medium

Still only one CVE is found.

Environment:

  • Output of grype version:
    Application: grype
    Version: 0.71.0
    BuildDate: 2023-10-12T13:27:46Z
    GitCommit: 3d582fd
    GitDescription: v0.71.0
    Platform: linux/amd64
    GoVersion: go1.21.1
    Compiler: gc
    Syft Version: v0.93.0
    Supported DB Schema: 5
  • OS (e.g: cat /etc/os-release or similar):
    Ubuntu 22.04.3 LTS
@JustAnotherSwCoderAndTester JustAnotherSwCoderAndTester added the bug Something isn't working label Oct 13, 2023
@shane-runsafe
Copy link

Seeing the same thing with a similar SBOM, just using 5.8.18 of the linux kernel.

I looked around and don't see a way to upstream changes to the vulnerability database. If there's no path to that, is there any plan to attach CPEs to all the linux kernel vulnerabilities?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working false-negative
Projects
OSS
Status: No status
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tgerla @shane-runsafe @JustAnotherSwCoderAndTester