False Positives Reported for Apache Activemq-Artemis-Native

[jeremybryan]

What happened:
Apache Activemq Artemis Native (https://github.com/apache/activemq-artemis-native) is being mapped to activemq even though it's a separate project and is managed independently.

Examples:
Latest activemq-artemis-native=1.0.2, but appears it is be being treated like activemq=1.0.2

org.apache.activemq:activemq-artemis-native

What you expected to happen:
The ActiveMQ vulns to not be reported for the artemis-native component.

How to reproduce it (as minimally and precisely as possible):

This was used to create a minimal image containing the artemis-native jar file.
echo "FROM maven:3.8.2-ibmjava-alpine\nRUN mvn dependency:get -Dartifact=org.apache.activemq:activemq-artemis-native:1.0.2" | docker build -t java-false-positives:activemq-artemis-native - && grype java-false-positives:activemq-artemis-native | egrep "activemq-artemis-native"

The below shows a segement of the debug out from the grype process:
[0012] DEBUG found 15 vulnerabilities for pkg=Pkg(type=java-archive, name=activemq-artemis-native, version=1.0.2, upstreams=0)
[0012] DEBUG ├── vuln="CVE-2010-0684" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2010-1244" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2011-4905" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2012-5784" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2012-6092" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2012-6551" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2013-1879" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2013-1880" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2013-3060" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2014-3576" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2015-7559" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2016-3088" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2018-11775" matchers=[java-matcher]
[0012] DEBUG ├── vuln="CVE-2020-13920" matchers=[java-matcher]
[0012] DEBUG └── vuln="CVE-2020-13947" matchers=[java-matcher]

To look at one specifically, CVE-2016-3088 is against Apache Activemq (cpe:2.3:a:apache:activemq::::::::).

Anything else we need to know?:
If we look at the output from Syft we can see the follow in the output.
Syft
{
"id": "63c096a170a02afe",
"name": "activemq-artemis-native",
"version": "1.0.2",
"type": "java-archive",
"foundBy": "java-cataloger",
"locations": [
{
"path": "/opt/activemq-artemis/lib/activemq-artemis-native-1.0.2.jar",
"layerID": "sha256:4955648260bbf71e0419f024c5ca4b36c6295276a08a55b7f97f9bc678df3e39"
}
],
"licenses": [],
"language": "java",
"cpes": [
"cpe:2.3:a:apache-software-foundation:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:apache-software-foundation:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:apache_software_foundation:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:apache_software_foundation:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis-native:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis-native:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis_native:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis_native:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:apache-software-foundation:artemis-native:1.0.2:::::::",
"cpe:2.3:a:apache-software-foundation:artemis_native:1.0.2:::::::",
"cpe:2.3:a:apache_software_foundation:artemis-native:1.0.2:::::::",
"cpe:2.3:a:apache_software_foundation:artemis_native:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis-native:artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis-native:artemis_native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis_native:artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis_native:artemis_native:1.0.2:::::::",
"cpe:2.3:a:artemis-native:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:artemis-native:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:artemis_native:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:artemis_native:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:apache-software-foundation:activemq:1.0.2:::::::",
"cpe:2.3:a:apache_software_foundation:activemq:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis-native:activemq:1.0.2:::::::",
"cpe:2.3:a:activemq:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis_native:activemq:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis:artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis:artemis_native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis:artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis:artemis_native:1.0.2:::::::",
"cpe:2.3:a:artemis:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:artemis:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:apache:activemq-artemis-native:1.0.2:::::::",
"cpe:2.3:a:apache:activemq_artemis_native:1.0.2:::::::",
"cpe:2.3:a:artemis-native:artemis-native:1.0.2:::::::",
"cpe:2.3:a:artemis-native:artemis_native:1.0.2:::::::",
"cpe:2.3:a:artemis_native:artemis-native:1.0.2:::::::",
"cpe:2.3:a:artemis_native:artemis_native:1.0.2:::::::",
"cpe:2.3:a:activemq-artemis:activemq:1.0.2:::::::",
"cpe:2.3:a:activemq_artemis:activemq:1.0.2:::::::",
"cpe:2.3:a:activemq:artemis-native:1.0.2:::::::",
"cpe:2.3:a:activemq:artemis_native:1.0.2:::::::",
"cpe:2.3:a:artemis-native:activemq:1.0.2:::::::",
"cpe:2.3:a:artemis_native:activemq:1.0.2:::::::",
"cpe:2.3:a:artemis:artemis-native:1.0.2:::::::",
"cpe:2.3:a:artemis:artemis_native:1.0.2:::::::",
"cpe:2.3:a:apache:artemis-native:1.0.2:::::::",
"cpe:2.3:a:apache:artemis_native:1.0.2:::::::",
"cpe:2.3:a:activemq:activemq:1.0.2:::::::",
"cpe:2.3:a:artemis:activemq:1.0.2:::::::",
"cpe:2.3:a:apache:activemq:1.0.2:::::::*"
],

From the syft output it can be seen a CPE of "cpe:2.3:a:apache:activemq:1.0.2:*:*:*:*:*:*:*" has been generated for this package.
The pom.xml file for this package is <groupId>org.apache.activemq</groupId> which is the shared by a number of other
activemq components.

Not entirely sure if this should be a grype or syft issue given the above.

This seems similar to #431 and #450

Environment:

Grype Version Information:
Application: grype
Version: 0.38.0
Syft Version: v0.46.2
BuildDate: 2022-05-23T14:41:50Z
GitCommit: 06d28da
GitDescription: v0.38.0
Platform: darwin/amd64
GoVersion: go1.18.2
Compiler: gc
Supported DB Schema: 3

Syft Version Information:
Application: syft
Version: 0.46.2
JsonSchemaVersion: 3.2.3
BuildDate: 2022-05-23T14:02:40Z
GitCommit: d41afe05eb8fecd2906f5db9661910dbc99fc3dd
GitDescription: v0.46.2
Platform: darwin/amd64
GoVersion: go1.18.2
Compiler: gc

OS
ProductName: macOS
ProductVersion: 12.2
BuildVersion: 21D49

[willmurphyscode]

Hi @jeremybryan, thanks for reporting this!

I'm still able to reproduce this today:

Dockerfile.grype760:

FROM --platform=linux/amd64 maven:3.8.2-ibmjava-alpine
RUN mvn dependency:get -Dartifact=org.apache.activemq:activemq-artemis-native:1.0.2

build, save, and scan image:

docker build -t grype760 -f Dockerfile.grype760 .
docker save grype760 -o docker-archives/grype760
grype docker-archive:./docker-archives/grype760 | grep CVE-2016-3088

Prints:

activemq-artemis-native         1.0.2                               java-archive  CVE-2016-3088        Critical 

I believe you're right that the CPE generated for this package,cpe:2.3:a:apache:activemq:1.0.2:*:*:*:*:*:*:*, is too broad. I'm applying labels indicating that this match is due to CPE being too broad in the Java ecosystem so that we can try to solve this class of issue.

[tgerla]

Hello, after upgrading to the latest Grype I can confirm that this false positive is no longer reported. Please see https://anchore.com/blog/say-goodbye-to-false-positives/ for more details.