
False positive: Python 'docker' package #576

Closed
Mzyxptlk opened this issue Jan 5, 2022 · 3 comments
Labels: bug (Something isn't working), changelog-ignore (Don't include this issue in the release changelog), ecosystem:python (relating to the python ecosystem), false-positive:cpe (This issue is a report of a false positive caused by CPE matching), false-positive

Comments


Mzyxptlk commented Jan 5, 2022

What happened:

Running a Grype check on a Python project that lists the latest version of the docker Python package as a requirement results in a number of false positives. The listed vulnerabilities relate to Docker itself, not to the docker Python package, which is only a library for communicating with the Docker API.

What you expected to happen:

:)

How to reproduce it (as minimally and precisely as possible):

$ echo 'docker==5.0.3' > requirements.txt
$ grype -o "json" -f "high" -v . > grype-scan.txt
[0000]  INFO New version of grype is available: 0.28.0
[0000]  INFO indexing filesystem path="." from-lib=syft
[0000]  INFO could not identify distro from-lib=syft
[0000]  INFO cataloging directory from-lib=syft
[0000]  INFO Downloading new vulnerability DB
[0014]  INFO Updated vulnerability DB to version=3 built="2022-01-05 08:14:22 +0000 UTC"
discovered vulnerabilities at or above the severity threshold

Vulnerabilities reported: CVE-2018-10892, CVE-2019-13139, CVE-2019-13509, CVE-2019-16884, CVE-2019-5736, CVE-2020-27534, CVE-2021-21284, CVE-2021-21285. See grype-scan.txt for the full output.

Anything else we need to know?:

I suspect this is the same issue as #491, #450, and #431.

Environment:

  • Output of grype version:
Application:          grype
Version:              0.17.0
BuildDate:            2021-08-25T21:39:11Z
GitCommit:            c6529822fabd537af8a1439fc6d1179a3632bf33
GitTreeState:         clean
Platform:             linux/amd64
GoVersion:            go1.16.7
Compiler:             gc
Supported DB Schema:  3
  • OS (e.g: cat /etc/os-release or similar):
    I run Grype in a Docker container:
$ docker run --rm <the-container> cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.14.2
PRETTY_NAME="Alpine Linux v3.14"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
@Mzyxptlk Mzyxptlk added the bug Something isn't working label Jan 5, 2022
@luhring luhring added false-positive ecosystem:python relating to the python ecosystem labels Feb 7, 2022
@spiffcs spiffcs added this to OSS Jun 1, 2022

isuftin commented Aug 24, 2022

Seeing this today.

Application:          grype
Version:              0.47.0
Syft Version:         v0.54.0
BuildDate:            2022-08-17T20:00:45Z
GitCommit:            08b4ef493b36a65f6149c9092d083d5d57540cdc
GitDescription:       v0.47.0
Platform:             darwin/amd64
GoVersion:            go1.18.5
Compiler:             gc
Supported DB Schema:  4

Installed is docker==6.0.0 via pip on Python3.9 in an Alpine 3.16 image.

NAME    INSTALLED  FIXED-IN           TYPE    VULNERABILITY   SEVERITY
docker  6.0.0      20.10.3, 19.03.15  python  CVE-2021-21285  Medium
docker  6.0.0      18.09.4            python  CVE-2019-13139  High
docker  6.0.0      18.09.8, 18.09.8   python  CVE-2019-13509  High
docker  6.0.0      18.09.2            python  CVE-2019-5736   High
docker  6.0.0      19.03.9            python  CVE-2020-27534  Medium
docker  6.0.0      20.10.3, 19.03.15  python  CVE-2021-21284  Medium

@spiffcs spiffcs moved this to False Positives in OSS Aug 25, 2022
@wagoodman wagoodman removed the status in OSS Apr 6, 2023
willmurphyscode (Contributor) commented

Hi @Mzyxptlk, thanks for reporting this.

Here is a quick repro snippet:

mkdir pydocker && cd pydocker && echo 'docker==5.0.3' > requirements.txt && grype dir:.

which produces output similar to that from earlier posts on this issue.

Gathering a little more data about the match on CVE-2018-10892 to investigate:

CVE-2018-10892 from https://nvd.nist.gov/vuln/detail/CVE-2018-10892
matched artifact is:
docker - pkg:pypi/[email protected]
match type is cpe-match
CPEs

  • cpe:2.3:a:python-docker:python-docker:5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:python-docker:python_docker:5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:python_docker:python-docker:5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:python_docker:python_docker:5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:docker:python-docker:5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:docker:python_docker:5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:python-docker:docker:5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python-docker:5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:python:python_docker:5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:python_docker:docker:5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:docker:docker:5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:python:docker:5.0.3:*:*:*:*:*:*:*

URLs:

It looks like grype is generating cpe:2.3:a:docker:docker:5.0.3:*:*:*:*:*:*:* as a CPE for the docker PyPI package, which matches against https://nvd.nist.gov/vuln/detail/CVE-2018-10892, and presumably the others. I'm applying a label for this type of issue, to investigate them as a class.

@willmurphyscode willmurphyscode added the false-positive:cpe This issue is a report of a false positive cause by CPE matching label Jun 6, 2023
@tgerla tgerla added the changelog-ignore Don't include this issue in the release changelog label Nov 17, 2023
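The mechanism willmurphyscode describes above, shown as an added, runnable illustration (this is not grype's code and not part of the thread): a naive generator permutes vendor/product guesses for the PyPI package `docker` and emits `cpe:2.3:a:docker:docker:5.0.3:*:*:*:*:*:*:*`, which is Docker Engine's vendor/product pair, so any NVD range like "docker:docker before 18.09.2" matches 5.0.3. The two NVD-style records below are constructed approximations whose fixed versions mirror the FIXED-IN column earlier in the thread, not NVD's exact data; the curated table is likewise constructed and only demonstrates one pruning strategy (an explicit per-package entry overrides guessing, and an empty entry means "emit no guessed CPEs"). The `parse_version` helper is a numeric-only simplification.

```python
"""Added example (not grype's code): how a guessed CPE for the PyPI package
'docker' collides with NVD's CPE for Docker Engine, and one way to prune the
guess. All vulnerability records and the curated table are constructed."""
import itertools
import re


def parse_version(v: str) -> tuple[int, ...]:
    # Numeric-only comparison, e.g. "18.09.2" -> (18, 9, 2). Simplification:
    # a real matcher needs PEP 440 / ecosystem-specific version semantics.
    return tuple(int(x) for x in re.findall(r"\d+", v))


def cpe_fields(cpe: str) -> dict[str, str]:
    # cpe:2.3:<part>:<vendor>:<product>:<version>:... (escaped colons not handled)
    f = cpe.split(":")
    return {"part": f[2], "vendor": f[3], "product": f[4], "version": f[5]}


def generate_candidates(name: str, version: str, ecosystem: str) -> list[str]:
    """Naive generator in the spirit of the 12-entry list in the thread: permute
    vendor and product guesses derived from the package name. For pypi/docker
    this includes cpe:2.3:a:docker:docker:<version>, Docker Engine's pair."""
    base = name.lower()
    products = [base, f"python-{base}", f"python_{base}"] if ecosystem == "pypi" else [base]
    vendors = products + ["python"] if ecosystem == "pypi" else products
    return [f"cpe:2.3:a:{v}:{p}:{version}:*:*:*:*:*:*:*"
            for v, p in itertools.product(vendors, products)]


def cpe_matches(candidate: str, criterion: dict) -> bool:
    """Match one candidate CPE against an NVD-style criterion: vendor and
    product must be identical and the version must fall inside the range."""
    c, k = cpe_fields(candidate), cpe_fields(criterion["cpe"])
    if (c["vendor"], c["product"]) != (k["vendor"], k["product"]):
        return False
    v = parse_version(c["version"])
    if k["version"] != "*" and parse_version(k["version"]) != v:
        return False
    lo, hi = criterion.get("versionStartIncluding"), criterion.get("versionEndExcluding")
    if lo is not None and v < parse_version(lo):
        return False
    if hi is not None and v >= parse_version(hi):
        return False
    return True


# Constructed approximations of NVD configurations for two CVEs from the thread;
# the upper bounds mirror the FIXED-IN column above, not NVD's exact data.
CRITERIA = [
    {"cve": "CVE-2019-5736", "cpe": "cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*",
     "versionEndExcluding": "18.09.2"},
    {"cve": "CVE-2019-13139", "cpe": "cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*",
     "versionEndExcluding": "18.09.4"},
]

# Constructed curated table keyed by (ecosystem, package): a present entry
# overrides guessing; an empty list means "no NVD CPE known, emit nothing".
CURATED = {
    ("pypi", "docker"): [],
    ("pypi", "requests"): [("python", "requests")],
}


def candidate_cpes(name: str, version: str, ecosystem: str, curated=None) -> list[str]:
    key = (ecosystem, name.lower())
    if curated is not None and key in curated:
        return [f"cpe:2.3:a:{v}:{p}:{version}:*:*:*:*:*:*:*" for v, p in curated[key]]
    return generate_candidates(name, version, ecosystem)  # unknown package: fall back to guessing


def scan(name: str, version: str, ecosystem: str, criteria, curated=None) -> list[tuple[str, str]]:
    """Return (cve, matched_cpe) pairs, the way a cpe-match would be reported."""
    hits = []
    for cpe in candidate_cpes(name, version, ecosystem, curated):
        for crit in criteria:
            if cpe_matches(cpe, crit):
                hits.append((crit["cve"], cpe))
    return hits


if __name__ == "__main__":
    for label, table in (("naive", None), ("curated", CURATED)):
        print(label, scan("docker", "5.0.3", "pypi", CRITERIA, curated=table))
```

With the naive generator the scan reports both constructed CVEs against the `docker:docker` candidate; with the curated entry present it reports nothing, while a package without an entry (`requests` here) still falls through to its curated pair. Until a tool ships such pruning, the practical workaround on the user side is a per-package ignore rule (grype reads `ignore:` entries keyed on vulnerability and package name/type from `.grype.yaml`), which suppresses the match without hiding the package from the SBOM.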
tgerla (Contributor) commented Nov 17, 2023

Hello, after upgrading to the latest Grype I can confirm that these false positives are no longer reported. Please see https://anchore.com/blog/say-goodbye-to-false-positives/ for more details.

@tgerla tgerla closed this as completed Nov 17, 2023
@github-project-automation github-project-automation bot moved this to Done in OSS Nov 17, 2023