False positive find on dotnet packages? #1615

Closed
Atharex opened this issue Nov 23, 2023 · 2 comments
Labels: bug (Something isn't working), changelog-ignore (Don't include this issue in the release changelog)

Comments


Atharex commented Nov 23, 2023

What happened:
Scanning the latest dotnet SDK image from Microsoft returns a potentially false positive finding

grype --only-fixed mcr.microsoft.com/dotnet/sdk:7.0-bullseye-slim
...
NAME                     INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY 
NuGet.CommandLine.XPlat  6.0.0.278  6.0.2     dotnet  GHSA-3885-8gqc-3wpf  Medium    
NuGet.Commands           6.0.0.278  6.0.3     dotnet  GHSA-g3q9-xf95-8hp5  High      
NuGet.Commands           6.0.0.278  6.0.5     dotnet  GHSA-6qmf-mmc7-6c2p  High      
NuGet.Commands           6.0.0.278  6.0.2     dotnet  GHSA-3885-8gqc-3wpf  Medium    
NuGet.Common             6.0.0.278  6.0.5     dotnet  GHSA-6qmf-mmc7-6c2p  High      
NuGet.PackageManagement  6.0.0.278  6.0.5     dotnet  GHSA-6qmf-mmc7-6c2p  High      
NuGet.Protocol           6.0.0.278  6.0.3     dotnet  GHSA-g3q9-xf95-8hp5  High      
NuGet.Protocol           6.0.0.278  6.0.5     dotnet  GHSA-6qmf-mmc7-6c2p  High

This is a dotnet 7 image and it returns findings of vulnerable dotnet 6 packages.

Running syft with JSON output shows the following example (filepath corresponds to a correct dotnet 7 package)

  {
   "id": "24e901d9647529f1",
   "name": "NuGet.Commands",
   "version": "6.0.0.278",
   "type": "dotnet",
   "foundBy": "dotnet-portable-executable-cataloger",
   "locations": [ 
    {
     "path": "/usr/share/dotnet/sdk/7.0.404/cs/NuGet.Commands.resources.dll",
     "layerID": "sha256:530062b725d8e66967ea74466b7de4260df8697440a6cea1f566105d9896058b",
     "annotations": {
      "evidence": "primary"
     }
    }
   ],
   "licenses": [],
   "language": "dotnet",
   "cpes": [
    "cpe:2.3:a:NuGet.Commands:NuGet.Commands:6.0.0.278:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:nuget/NuGet.Commands@6.0.0.278",
   "metadataType": "dotnet-portable-executable-entry",
   "metadata": {
    "assemblyVersion": "",
    "legalCopyright": "© Microsoft Corporation. Všechna práva vyhrazena.",
    "comments": "Příkazy společné pro klienty NuGet příkazového řádku a grafického uživatelského rozhraní",
    "internalName": "NuGet.Commands.resources.dll",
    "companyName": "Microsoft Corporation",
    "productName": "NuGet",
    "productVersion": "6.0.0-rc.278+078701b97eeef2283c1f4605032b5bcf55a80653.078701b97eeef2283c1f4605032b5bcf55a80653"
   }
  },

What you expected to happen:
Either grype gates the finding on a proper detection of a vulnerable library version, or syft extracts the proper package version

How to reproduce it (as minimally and precisely as possible):
Run the commands of the example above

Anything else we need to know?:

Environment:

  • Output of grype version: grype 0.73.3
  • OS (e.g: cat /etc/os-release or similar): MacOS 14.1.1
@Atharex Atharex added the bug Something isn't working label Nov 23, 2023
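The quoted syft entry shows the pattern behind this report: `assemblyVersion` is empty, `productVersion` is a pre-release string (`6.0.0-rc.278+<sha>`), the reported `version` is the four-part `6.0.0.278`, and the file is a localized satellite assembly (`cs/NuGet.Commands.resources.dll`). The following triage script is an added example, not part of this issue and not syft's or grype's own code: it reads a syft JSON document and flags dotnet PE findings that show those traits so a reviewer can check them before treating the grype match as real. The sample document is constructed (trimmed to the fields the script reads, plus an invented clean `Example.Lib` entry for contrast), and the heuristics encode only what is visible in the quoted output.

```python
import json
import re

# Constructed sample modelled on the NuGet.Commands artifact quoted in the issue,
# plus an invented second artifact with nothing suspicious about it.
SAMPLE_SYFT_JSON = """
{
  "artifacts": [
    {
      "id": "24e901d9647529f1",
      "name": "NuGet.Commands",
      "version": "6.0.0.278",
      "type": "dotnet",
      "foundBy": "dotnet-portable-executable-cataloger",
      "locations": [{"path": "/usr/share/dotnet/sdk/7.0.404/cs/NuGet.Commands.resources.dll"}],
      "purl": "pkg:nuget/NuGet.Commands@6.0.0.278",
      "metadata": {
        "assemblyVersion": "",
        "productVersion": "6.0.0-rc.278+078701b97eeef2283c1f4605032b5bcf55a80653.078701b97eeef2283c1f4605032b5bcf55a80653"
      }
    },
    {
      "id": "0000000000000001",
      "name": "Example.Lib",
      "version": "7.0.4",
      "type": "dotnet",
      "foundBy": "dotnet-portable-executable-cataloger",
      "locations": [{"path": "/usr/share/dotnet/sdk/7.0.404/Example.Lib.dll"}],
      "purl": "pkg:nuget/Example.Lib@7.0.4",
      "metadata": {"assemblyVersion": "7.0.4.0", "productVersion": "7.0.4"}
    }
  ]
}
"""

# Semantic version with optional pre-release and build-metadata parts.
SEMVER_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?(?:\+(?P<build>[0-9A-Za-z.-]+))?$"
)


def parse_semver(text):
    """Return the semver components of text, or None if it is not semver."""
    m = SEMVER_RE.match(text or "")
    return m.groupdict() if m else None


def triage_artifact(art):
    """Return reasons why a dotnet PE finding deserves a manual look (empty = nothing odd)."""
    reasons = []
    if art.get("foundBy") != "dotnet-portable-executable-cataloger":
        return reasons
    meta = art.get("metadata") or {}
    reported = art.get("version", "")
    product = meta.get("productVersion", "")
    assembly = meta.get("assemblyVersion", "")

    sv = parse_semver(product)
    if sv and sv["pre"]:
        # productVersion 6.0.0-rc.278+<sha> next to a reported 6.0.0.278 means the
        # pre-release build number was folded into a four-part release-style version,
        # which no longer says "pre-release" to a vulnerability matcher.
        pre_num = re.sub(r"\D", "", sv["pre"])
        base = f"{sv['major']}.{sv['minor']}.{sv['patch']}"
        if pre_num and reported == f"{base}.{pre_num}":
            reasons.append(
                f"reported version {reported} looks synthesized from pre-release "
                f"productVersion {product.split('+')[0]}"
            )
    if not assembly:
        reasons.append("assemblyVersion is empty; cross-check the reported version against productVersion")
    for loc in art.get("locations", []):
        path = loc.get("path", "")
        if path.endswith(".resources.dll"):
            reasons.append(f"{path} is a satellite resource assembly (localized resources, no code)")
    return reasons


def triage(syft_json_text):
    """Map each artifact name to its triage reasons for a whole syft JSON document."""
    doc = json.loads(syft_json_text)
    return {a["name"]: triage_artifact(a) for a in doc.get("artifacts", [])}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_SYFT_JSON).items():
        status = "REVIEW" if reasons else "ok"
        print(f"{status:6} {name}")
        for r in reasons:
            print(f"       - {r}")
```

Run it against real output with `syft <image> -o json` piped into `triage()`; flagged entries are candidates for a manual check or a grype ignore rule, not automatic dismissals.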

tgerla commented Jan 4, 2024

Hey @Atharex, we recently made some changes to the dotnet code in the latest versions of Syft and Grype. Can you upgrade to Grype 0.73.5 and Syft 0.99 and see if those false positives go away? If you look at the release notes for Syft 0.99 (https://github.com/anchore/syft/releases/tag/v0.99.0), the last line in "Bug Fixes" is what we think fixed the problem. Let us know if you run into anything else!


Atharex commented Jan 5, 2024

Hi @tgerla. This indeed solves my use case, thanks a lot!

@Atharex Atharex closed this as completed Jan 5, 2024
@github-project-automation github-project-automation bot moved this to Done in OSS Jan 5, 2024
@willmurphyscode willmurphyscode added the changelog-ignore Don't include this issue in the release changelog label Jan 5, 2024