False positive CVE-2017-18589 rust package matching cookie npm package #931

Closed
fouadh opened this issue Sep 20, 2022 · 1 comment
Closed
Labels
bug Something isn't working changelog-ignore Don't include this issue in the release changelog false-positive

Comments

@fouadh

fouadh commented Sep 20, 2022

What happened:
We have cookie in our dependencies. When scanning our repository we get a false positive on the cookie Rust package.

NAME    INSTALLED  FIXED-IN  TYPE  VULNERABILITY   SEVERITY 
cookie  0.5.0                npm   CVE-2017-18589  High   

What you expected to happen:
I expect the npm cookie package not to match CVEs against the "cookie" Rust package.

How to reproduce it (as minimally and precisely as possible):

mkdir sandbox
cd sandbox
npm init
npm install cookie
grype dir:.

Anything else we need to know?:

Environment:

  • Output of grype version:
Application:          grype
Version:              0.50.1
Syft Version:         v0.56.0
BuildDate:            2022-09-13T18:32:52Z
GitCommit:            403a535321c20565676dc633344e2bf8881cee29
GitDescription:       v0.50.1
Platform:             darwin/amd64
GoVersion:            go1.18.5
Compiler:             gc
Supported DB Schema:  4
  • OS (e.g: cat /etc/os-release or similar):
System Software Overview:
      System Version: macOS 12.4 (21F79)
      Kernel Version: Darwin 21.5.0
      Boot Volume: Macintosh HD
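The name collision behind this report, as an added illustration that is not grype's own code: a matcher that keys advisories on package name alone reports CVE-2017-18589 for the npm package, while one that also requires the package ecosystem (npm vs. cargo) to agree does not. The Ecosystem type, the advisory record and the match function are constructed for this example.

```go
package main

import "fmt"

// Ecosystem names the registry a package came from (type constructed for this example).
type Ecosystem string

const (
	NPM   Ecosystem = "npm"
	Cargo Ecosystem = "cargo" // Rust crates
)

// Package is what the scanner found; Advisory is a vulnerability record plus
// the registry it actually applies to.
type Package struct {
	Name, Version string
	Ecosystem     Ecosystem
}
type Advisory struct {
	ID, Name  string
	Ecosystem Ecosystem
}

// Constructed advisory corpus: CVE-2017-18589 is the ID from the report,
// recorded against the Rust "cookie" crate as the report states.
var advisories = []Advisory{
	{ID: "CVE-2017-18589", Name: "cookie", Ecosystem: Cargo},
}

// match returns the advisory IDs that apply to p. With requireEcosystem false
// it is the naive name-only matcher behind the false positive; with it true,
// the registry must also agree, so npm "cookie" no longer collides with the crate.
func match(p Package, db []Advisory, requireEcosystem bool) []string {
	hits := []string{}
	for _, a := range db {
		if a.Name != p.Name {
			continue
		}
		if requireEcosystem && a.Ecosystem != p.Ecosystem {
			continue
		}
		hits = append(hits, a.ID)
	}
	return hits
}

func main() {
	npmCookie := Package{Name: "cookie", Version: "0.5.0", Ecosystem: NPM}
	fmt.Println("name only:     ", match(npmCookie, advisories, false)) // [CVE-2017-18589]
	fmt.Println("name+ecosystem:", match(npmCookie, advisories, true))  // []
}
```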
@fouadh fouadh added the bug Something isn't working label Sep 20, 2022
@spiffcs spiffcs added this to OSS Sep 20, 2022
@spiffcs spiffcs moved this to False Positives in OSS Sep 29, 2022
@wagoodman wagoodman removed the status in OSS Apr 6, 2023
@tgerla tgerla added the changelog-ignore Don't include this issue in the release changelog label Nov 17, 2023
@tgerla
Contributor

tgerla commented Nov 17, 2023

I can confirm that this particular false positive is fixed now that we have adjusted our vulnerability matching method as described here: https://anchore.com/blog/say-goodbye-to-false-positives/ -- I'll go ahead and close this issue but please feel free to re-open if you find more false positives, or if this one is still affecting your images. Thanks!

@tgerla tgerla closed this as completed Nov 17, 2023
@github-project-automation github-project-automation bot moved this to Done in OSS Nov 17, 2023