
false positive on packages containing the name "kubernetes" with a version of 1.5.4 #450

Closed
michaellayfer opened this issue Oct 11, 2021 · 2 comments
Labels
bug Something isn't working changelog-ignore Don't include this issue in the release changelog ecosystem:java relating to the java ecosystem false-positive:cpe This issue is a report of a false positive cause by CPE matching false-positive

Comments

@michaellayfer

What happened: I scanned an image (atlassian/bitbucket:latest) containing the following package: hazelcast-kubernetes version 1.5.4, and got mismatched CVEs for Kubernetes API server version 1.5.4.
The results I am getting are:
| Package | Version | CVE | Severity |
|---|---|---|---|
| hazelcast-kubernetes | 1.5.4 | CVE-2015-7561 | Low |
| hazelcast-kubernetes | 1.5.4 | CVE-2016-1905 | High |
| hazelcast-kubernetes | 1.5.4 | CVE-2016-1906 | Critical |
| hazelcast-kubernetes | 1.5.4 | CVE-2016-7075 | High |
| hazelcast-kubernetes | 1.5.4 | CVE-2017-1000056 | Critical |
| hazelcast-kubernetes | 1.5.4 | CVE-2017-1002101 | Critical |
| hazelcast-kubernetes | 1.5.4 | CVE-2017-1002102 | Medium |
| hazelcast-kubernetes | 1.5.4 | CVE-2018-1002100 | Medium |
| hazelcast-kubernetes | 1.5.4 | CVE-2018-1002105 | Critical |
| hazelcast-kubernetes | 1.5.4 | CVE-2019-1002100 | Medium |
| hazelcast-kubernetes | 1.5.4 | CVE-2019-11246 | Medium |
| hazelcast-kubernetes | 1.5.4 | CVE-2019-11248 | High |
| hazelcast-kubernetes | 1.5.4 | CVE-2019-11249 | Medium |
| hazelcast-kubernetes | 1.5.4 | CVE-2019-11250 | Medium |
| hazelcast-kubernetes | 1.5.4 | CVE-2019-11252 | Medium |
| hazelcast-kubernetes | 1.5.4 | CVE-2019-11253 | High |
| hazelcast-kubernetes | 1.5.4 | CVE-2019-11254 | Medium |
| hazelcast-kubernetes | 1.5.4 | CVE-2019-9946 | High |
| hazelcast-kubernetes | 1.5.4 | CVE-2020-8552 | Medium |
| hazelcast-kubernetes | 1.5.4 | CVE-2020-8554 | Medium |
| hazelcast-kubernetes | 1.5.4 | CVE-2020-8555 | Medium |
| hazelcast-kubernetes | 1.5.4 | CVE-2020-8557 | Medium |
| hazelcast-kubernetes | 1.5.4 | CVE-2020-8558 | High |
| hazelcast-kubernetes | 1.5.4 | CVE-2020-8563 | Medium |
| hazelcast-kubernetes | 1.5.4 | CVE-2021-25735 | Medium |
| hazelcast-kubernetes | 1.5.4 | CVE-2021-25740 | Low |
| hazelcast-kubernetes | 1.5.4 | CVE-2021-25741 | High |

What you expected to happen: the right package should be scanned.

How to reproduce it (as minimally and precisely as possible): `grype atlassian/bitbucket`

Anything else we need to know?: My guess is that there is a match on the string "kubernetes" in the package name, which is being evaluated for vulnerabilities instead of using the full package name.

Environment:

  • Output of `grype version`:

```
Application:          grype
Version:              0.23.0
Syft Version:         v0.24.1
BuildDate:            2021-10-11T12:51:42Z
GitCommit:            2dd4131
GitTreeState:         clean
Platform:             linux/amd64
GoVersion:            go1.16.8
Compiler:             gc
Supported DB Schema:  3
```

  • OS (e.g: `cat /etc/os-release` or similar): 20.04.3 LTS (Focal Fossa)

@michaellayfer michaellayfer added the bug Something isn't working label Oct 11, 2021
@luhring (Contributor) commented Nov 7, 2021

Good find... I see that Syft is generating a few CPEs that "refer to" Kubernetes directly, via its current generation method:

```json
"cpes": [
  "cpe:2.3:a:hazelcast-kubernetes:hazelcast-kubernetes:1.5.4:*:*:*:*:*:*:*",
  "cpe:2.3:a:hazelcast-kubernetes:hazelcast_kubernetes:1.5.4:*:*:*:*:*:*:*",
  "cpe:2.3:a:hazelcast_kubernetes:hazelcast-kubernetes:1.5.4:*:*:*:*:*:*:*",
  "cpe:2.3:a:hazelcast_kubernetes:hazelcast_kubernetes:1.5.4:*:*:*:*:*:*:*",
  "cpe:2.3:a:hazelcast-kubernetes:kubernetes:1.5.4:*:*:*:*:*:*:*",
  "cpe:2.3:a:hazelcast_kubernetes:kubernetes:1.5.4:*:*:*:*:*:*:*",
  "cpe:2.3:a:kubernetes:hazelcast-kubernetes:1.5.4:*:*:*:*:*:*:*",
  "cpe:2.3:a:kubernetes:hazelcast_kubernetes:1.5.4:*:*:*:*:*:*:*",
  "cpe:2.3:a:hazelcast:hazelcast-kubernetes:1.5.4:*:*:*:*:*:*:*",
  "cpe:2.3:a:hazelcast:hazelcast_kubernetes:1.5.4:*:*:*:*:*:*:*",
  "cpe:2.3:a:kubernetes:kubernetes:1.5.4:*:*:*:*:*:*:*",
  "cpe:2.3:a:hazelcast:kubernetes:1.5.4:*:*:*:*:*:*:*"
],
```

🤔 @wagoodman Do you think it'd be easy to solve for this given the current state of our CPE generation logic?

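The two comments above describe the same mechanism from both ends: the reporter's guess that the sub-token "kubernetes" is being matched, and the CPE list showing a generated `cpe:2.3:a:kubernetes:kubernetes:1.5.4` entry that is indistinguishable from Kubernetes itself. The following Python is an added illustration and is not Syft or Grype code. It builds a toy CPE 2.3 matcher, a hypothetical "permissive" generator that stands in for the behaviour seen in the list (an assumption, not Syft's real algorithm), a conservative generator that never uses a sub-token as the product, and a triage check that flags such CPEs in an SBOM. The advisory record is constructed; its id is a placeholder.

```python
"""Added example (not Syft/Grype code): why over-generated CPEs collide with
unrelated products, and how to flag them. All data here is constructed."""
from dataclasses import dataclass
from itertools import product as cartesian


@dataclass(frozen=True)
class CPE:
    """The four CPE 2.3 fields that matter for this comparison."""
    part: str
    vendor: str
    product: str
    version: str

    @classmethod
    def parse(cls, s: str) -> "CPE":
        f = s.split(":")
        if len(f) != 13 or f[0] != "cpe" or f[1] != "2.3":
            raise ValueError(f"not a CPE 2.3 formatted string: {s!r}")
        return cls(part=f[2], vendor=f[3], product=f[4], version=f[5])

    def __str__(self) -> str:
        return (f"cpe:2.3:{self.part}:{self.vendor}:{self.product}:"
                f"{self.version}:*:*:*:*:*:*:*")


def name_variants(name: str) -> set:
    """'hazelcast-kubernetes' -> both separator spellings of the full name."""
    return {name.replace("_", "-"), name.replace("-", "_")}


def permissive_cpes(name: str, version: str) -> list:
    """Hypothetical generator (assumption, not Syft's real logic): besides the
    full name it also tries every '-'/'_' separated token as vendor and as
    product, which is how a bare kubernetes:kubernetes entry appears."""
    tokens = set(name.replace("_", "-").split("-"))
    candidates = name_variants(name) | tokens
    return [CPE("a", v, p, version)
            for v, p in cartesian(sorted(candidates), repeat=2)]


def conservative_cpes(name: str, version: str) -> list:
    """Only the full package name (either spelling) is allowed as product;
    vendor may still be a token, because vendor alone cannot match another
    product's CPE."""
    products = name_variants(name)
    vendors = products | set(name.replace("_", "-").split("-"))
    return [CPE("a", v, p, version)
            for v in sorted(vendors) for p in sorted(products)]


def cpe_matches(candidate: CPE, affected: CPE) -> bool:
    """An affected-CPE pattern matches when every field is equal or '*'."""
    return all(getattr(affected, f) in ("*", getattr(candidate, f))
               for f in ("part", "vendor", "product", "version"))


def matching_advisories(cpes, advisories: dict) -> list:
    """Advisory ids whose affected CPE matches any of the package's CPEs."""
    return sorted(aid for aid, affected in advisories.items()
                  if any(cpe_matches(c, CPE.parse(affected)) for c in cpes))


def suspicious_cpes(package_name: str, cpe_strings) -> list:
    """Triage check over SBOM output: flag CPEs whose product field is not the
    package name in either spelling, since those can only match some other
    product (here, Kubernetes itself)."""
    allowed = name_variants(package_name)
    return [s for s in cpe_strings if CPE.parse(s).product not in allowed]


# Constructed advisory data: one record pinned to the Kubernetes CPE that the
# generated kubernetes:kubernetes entry collides with. The id is a placeholder.
ADVISORIES = {
    "EXAMPLE-K8S-ADVISORY": "cpe:2.3:a:kubernetes:kubernetes:1.5.4:*:*:*:*:*:*:*",
}


if __name__ == "__main__":
    loose = permissive_cpes("hazelcast-kubernetes", "1.5.4")
    strict = conservative_cpes("hazelcast-kubernetes", "1.5.4")
    print("permissive  :", matching_advisories(loose, ADVISORIES))   # false positive
    print("conservative:", matching_advisories(strict, ADVISORIES))  # nothing
    for s in suspicious_cpes("hazelcast-kubernetes", [str(c) for c in loose]):
        print("suspicious CPE:", s)
```

Run against the 12 CPEs from the comment, `suspicious_cpes` flags every entry whose product is `kubernetes` (or `hazelcast`), which is exactly the set that can pull in Kubernetes advisories; the conservative generator produces none of those, so the constructed advisory no longer matches.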
@luhring luhring added the ecosystem:java relating to the java ecosystem label Feb 7, 2022
@spiffcs spiffcs added this to OSS Jun 1, 2022
@spiffcs spiffcs moved this to Triage (Comments or Progress Made) in OSS Jun 1, 2022
@spiffcs spiffcs moved this from Parking Lot (Comments or Progress) to False Positives in OSS Aug 25, 2022
@wagoodman wagoodman removed the status in OSS Apr 6, 2023
@willmurphyscode willmurphyscode added the false-positive:cpe This issue is a report of a false positive cause by CPE matching label Jun 6, 2023
@tgerla tgerla added the changelog-ignore Don't include this issue in the release changelog label Nov 17, 2023
@tgerla (Contributor) commented Nov 17, 2023

This class of problems should be fixed now that we have adjusted our vulnerability matching method as described here: https://anchore.com/blog/say-goodbye-to-false-positives/ -- I'll go ahead and close this issue but please feel free to re-open if you find more false positives, or if this one is still affecting your images. Thanks!

@tgerla tgerla closed this as completed Nov 17, 2023
@github-project-automation github-project-automation bot moved this to Done in OSS Nov 17, 2023