
False positive: redis vuln associated to somewhat unrelated python dependency #491

Closed
Karreg opened this issue Nov 4, 2021 · 3 comments · Fixed by anchore/syft#1070
Labels
bug Something isn't working ecosystem:python relating to the python ecosystem false-positive

Comments

@Karreg

Karreg commented Nov 4, 2021

Hello,

I have found this vulnerability in my Python dependencies with a filesystem scan (see the issue description below).

The reported issue is for the redis package, but the scanned artifact is the redis Python dependency, which is not redis itself but the Python library used to communicate with redis.

Vulnerability report:

{
  "matches": [
    {
      "vulnerability": {
        "id": "CVE-2021-32626",
        "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-32626",
        "namespace": "nvd",
        "severity": "High",
        "urls": [
          "https://github.com/redis/redis/commit/666ed7facf4524bf6d19b11b20faa2cf93fdf591",
          "https://github.com/redis/redis/security/advisories/GHSA-p486-xggp-782c",
          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/",
          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/",
          "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E",
          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/"
        ],
        "description": "Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result with heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.",
        "cvss": [
          {
            "version": "2.0",
            "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "metrics": {
              "baseScore": 6.5,
              "exploitabilityScore": 8,
              "impactScore": 6.4
            },
            "vendorMetadata": {}
          },
          {
            "version": "3.1",
            "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "metrics": {
              "baseScore": 8.8,
              "exploitabilityScore": 2.8,
              "impactScore": 5.9
            },
            "vendorMetadata": {}
          }
        ],
        "fix": {
          "versions": [],
          "state": "unknown"
        },
        "advisories": []
      },
      "relatedVulnerabilities": [],
      "matchDetails": [
        {
          "matcher": "python-matcher",
          "searchedBy": {
            "namespace": "nvd",
            "cpes": ["cpe:2.3:a:redis:redis:3.5.3:*:*:*:*:*:*:*"]
          },
          "found": {
            "versionConstraint": ">= 2.6, < 5.0.14 || >= 6.0.0, < 6.0.16 || >= 6.2.0, < 6.2.6 (unknown)",
            "cpes": ["cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*"]
          }
        }
      ],
      "artifact": {
        "name": "redis",
        "version": "3.5.3",
        "type": "python",
        "locations": [
          {
            "path": "requirements.txt"
          }
        ],
        "language": "python",
        "licenses": [],
        "cpes": [
          "cpe:2.3:a:python-redis:python-redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:python-redis:python_redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:python_redis:python-redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:python_redis:python_redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:python:python-redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:python:python_redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:python-redis:redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:python_redis:redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:redis:python-redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:redis:python_redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:python:redis:3.5.3:*:*:*:*:*:*:*",
          "cpe:2.3:a:redis:redis:3.5.3:*:*:*:*:*:*:*"
        ],
        "purl": "pkg:pypi/redis@3.5.3",
        "metadata": null
      }
    }
  ],
  "source": {
    "type": "directory",
    "target": "./"
  },
  "distro": {
    "name": "",
    "version": "",
    "idLike": ""
  },
  "descriptor": {
    "name": "grype",
    "version": "0.24.0",
    "configuration": {
      "configPath": "",
      "output": "json",
      "file": "",
      "output-template-file": "",
      "quiet": false,
      "check-for-app-update": true,
      "only-fixed": false,
      "scope": "Squashed",
      "log": {
        "structured": false,
        "level": "",
        "file": ""
      },
      "db": {
        "cache-dir": "/root/.cache/grype/db",
        "update-url": "https://toolbox-data.anchore.io/grype/databases/listing.json",
        "auto-update": true,
        "validate-by-hash-on-start": false
      },
      "dev": {
        "profile-cpu": false,
        "profile-mem": false
      },
      "fail-on-severity": "high",
      "registry": {
        "insecure-skip-tls-verify": false,
        "insecure-use-http": false,
        "auth": []
      },
      "ignore": null
    },
    "db": {
      "built": "2021-11-04T08:13:46Z",
      "schemaVersion": 3,
      "location": "/root/.cache/grype/db/3",
      "checksum": "sha256:c95cbce1b6ddbc7ae12da8dbb1437dd28e1fa0ab6ba0ff3875701afb9d1706f3",
      "error": null
    }
  }
}

By the way, grype is quickly becoming better, good job :)

@luhring
Contributor

luhring commented Nov 7, 2021

By the way, grype is quickly becoming better, good job :)

Thanks @Karreg! 😍

I think this is another case of how we generate CPEs with subselections of words in a name, where important context is accidentally truncated off.

This is an excerpt of the JSON you pasted above:

"cpes": [
  "cpe:2.3:a:python-redis:python-redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:python-redis:python_redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:python_redis:python-redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:python_redis:python_redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:python:python-redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:python:python_redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:python-redis:redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:python_redis:redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:redis:python-redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:redis:python_redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:python:redis:3.5.3:*:*:*:*:*:*:*",
  "cpe:2.3:a:redis:redis:3.5.3:*:*:*:*:*:*:*"
],

So sometimes we include the full "python redis", but in other cases, we've shortened the values to just "redis". I believe this is similar in cause to #450.

@luhring luhring added bug Something isn't working false-positive labels Nov 7, 2021
@wagoodman wagoodman added the ecosystem:python relating to the python ecosystem label Dec 21, 2021
@spiffcs spiffcs added this to OSS Jun 1, 2022
@spiffcs spiffcs moved this to Triage (Comments or Progress Made) in OSS Jun 1, 2022
@Karreg
Author

Karreg commented Jun 13, 2022

Hello there,

Is there any update on this issue? I'm still having these false positives, still for the redis python library:

NAME   INSTALLED  FIXED-IN  TYPE    VULNERABILITY   SEVERITY 
redis  3.5.3                python  CVE-2022-24735  High      
redis  3.5.3                python  CVE-2022-24736  Medium    
redis  3.5.3                python  CVE-2021-32672  Medium    
redis  3.5.3                python  CVE-2022-0543   Critical  

Thanks!

@spiffcs
Contributor

spiffcs commented Jul 21, 2022

We have a linked issue for this here and are tracking different internal ways we can start providing corrections for these FPs. Grype recently added a new table into the db called vulnerability_match_exclusions which should be a good starting point to correct these moving forward.
#800
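An added illustration of the two points raised in this thread, written for this page and not taken from the thread, from syft or from grype (it is not their real CPE generator, matcher or database schema): luhring's observation that the candidate CPEs for the PyPI `redis` package include the bare `redis:redis` vendor/product pair under which the Redis server CVE is filed, and spiffcs's note that a match-exclusion table is the place to correct such hits. The script rebuilds the twelve candidate CPEs shown in the report from the package name and ecosystem (the generation rule is inferred from that list), evaluates the `versionConstraint` string from the report, reproduces the false positive, and then suppresses it with a constructed exclusion rule. The rule's fields (`vulnerability`, `package.name`, `package.language`, `justification`) are assumptions for the example, not the layout of grype's `vulnerability_match_exclusions` table.

```python
"""Why the PyPI 'redis' client matched a Redis server CVE, and how a
match-exclusion rule suppresses it.  Illustration for this issue only;
not syft/grype's real CPE generator, matcher or database schema."""
from __future__ import annotations
import re


def candidate_cpes(name: str, version: str, ecosystem: str) -> list[str]:
    """Build CPE candidates the way the report lists them for redis 3.5.3:
    the bare name plus ecosystem-qualified forms, crossed as vendor x product.
    (Rule inferred from the twelve CPEs in the report, not syft's code.)"""
    products = [f"{ecosystem}-{name}", f"{ecosystem}_{name}", name]
    vendors = products + [ecosystem]
    return sorted(f"cpe:2.3:a:{v}:{p}:{version}:*:*:*:*:*:*:*"
                  for v in vendors for p in products)


def _ver(s: str) -> tuple[int, ...]:
    # "5.0.14" -> (5, 0, 14); tuple comparison gives component-wise ordering
    return tuple(int(p) for p in s.strip().split("."))


_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}


def version_in_constraint(version: str, constraint: str) -> bool:
    """Evaluate a constraint in the shape the report shows: '||' separates
    alternatives, ',' joins conditions that must all hold, and a trailing
    '(format)' note such as '(unknown)' is ignored."""
    constraint = re.sub(r"\s*\([^)]*\)\s*$", "", constraint)
    v = _ver(version)
    for alternative in constraint.split("||"):
        ok = True
        for cond in alternative.split(","):
            m = re.fullmatch(r"\s*(>=|<=|>|<|=)\s*([\d.]+)\s*", cond)
            if not m:
                raise ValueError(f"unparsable condition: {cond!r}")
            ok = ok and _OPS[m.group(1)](v, _ver(m.group(2)))
        if ok:
            return True
    return False


def cpe_vendor_product(cpe: str) -> tuple[str, str]:
    parts = cpe.split(":")
    return parts[3], parts[4]


def find_matches(artifact: dict, vulns: list[dict]) -> list[dict]:
    """Match an artifact's candidate CPEs against vulnerability records keyed
    by vendor:product plus a version constraint (constructed records below)."""
    cands = candidate_cpes(artifact["name"], artifact["version"], artifact["language"])
    hits = []
    for vuln in vulns:
        for cand in cands:
            if (cpe_vendor_product(cand) == cpe_vendor_product(vuln["cpe"])
                    and version_in_constraint(artifact["version"], vuln["versionConstraint"])):
                hits.append({"id": vuln["id"], "matchedCpe": cand})
                break
    return hits


def apply_exclusions(hits: list[dict], artifact: dict, exclusions: list[dict]) -> list[dict]:
    """Drop hits covered by an exclusion rule.  The rule layout here is an
    assumption for the example, not grype's vulnerability_match_exclusions."""
    def excluded(hit: dict) -> bool:
        return any(ex["vulnerability"] == hit["id"]
                   and ex["package"]["name"] == artifact["name"]
                   and ex["package"]["language"] == artifact["language"]
                   for ex in exclusions)
    return [h for h in hits if not excluded(h)]


# Constructed sample data, copied from the fields in the report above.
ARTIFACT = {"name": "redis", "version": "3.5.3", "language": "python"}
VULNS = [{"id": "CVE-2021-32626",
          "cpe": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*",
          "versionConstraint": ">= 2.6, < 5.0.14 || >= 6.0.0, < 6.0.16 || >= 6.2.0, < 6.2.6 (unknown)"}]
EXCLUSIONS = [{"vulnerability": "CVE-2021-32626",
               "package": {"name": "redis", "language": "python"},
               "justification": "CVE is for the Redis server; PyPI 'redis' is the client library."}]


def triage() -> tuple[list[dict], list[dict]]:
    """Return (raw hits, hits left after exclusions) for the sample artifact."""
    hits = find_matches(ARTIFACT, VULNS)
    return hits, apply_exclusions(hits, ARTIFACT, EXCLUSIONS)


if __name__ == "__main__":
    before, after = triage()
    print("raw matches:      ", [h["id"] for h in before])
    print("after exclusions: ", [h["id"] for h in after])
```

Running it shows the single raw hit for CVE-2021-32626 via `cpe:2.3:a:redis:redis:3.5.3:*:*:*:*:*:*:*` and an empty list once the exclusion is applied. Note that simply never emitting the bare `name:name` pair would not be a safe fix on its own, since NVD does file some Python libraries under exactly that shape; that is why a curated per-package exclusion, as spiffcs describes, is the right tool here.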

@spiffcs spiffcs moved this from Parking Lot (Comments or Progress) to False Positives in OSS Aug 25, 2022
Repository owner moved this from False Positives to Done in OSS Dec 8, 2022