Grype is catching a false positive on spring-boot-starter-web because it cannot detect inherited version from parent #1012
Comments
|
Just to add some more context here: Syft is currently a static analysis tool and does not currently look up anything from the internet, so scanning a |
|
Any news on that? Grype not beeing able to detect inherited versions from a parent seems to be a bigger issue. |
|
Hi @Restage - no particular update here, but anchore/syft#1562 is a discussion of how to enable Syft to capture more information about this type of dependency relationship so that it can be exposed to Grype. |
|
i'm using lastest spring-boot-starter-parent 3.2.0 with graalvm21 when scanning the image i have the following; i have no forced reference to a version of spring-boot-starter-web. Thanks in advance |
|
Thanks @cezapata for the excellent repro steps and example repository. I want to try to state the issue as simply as possible so we can try to start working on it. To reproduce: git clone git@github.com:cezapata/appconfiguration-sample.git
grype -q appconfiguration-sample | grep GHSA-36p3-wjmg-h94xGrype still finds the vulnerability. Looking at the syft output: Syft doesn't know the version of However, the |
|
Note to developers: this would need to be implemented in Syft, a couple related issues are: |
|
Hi, Syft has implemented a fairly large enhancement to the Maven resolution, which allows it to use the network to resolve Maven artifacts much more completely. There currently is no way to enable this in Grype, unfortunately, but you are able to use Syft, and send the output to grype to get more accurate results: |
What happened:
After using the Spring Initializer tool to create a new Spring Boot App (version 2.7.5) with the Spring Web dependency, building, and running Grype to scan for vulnerabilities, we get a vulnerability detected on the following package:
spring-boot-starter-web: GHSA-36p3-wjmg-h94x
What you expected to happen:
When installing the dependencies, the spring-boot-starter-web package installs a version that is consistent with its parent artifact (spring-boot-starter-parent) which maps to version 2.7.5
I was expecting grype to detect the version, and note that the vulnerability it indicates does not apply since it was fixed as a prior version (2.5.12). However, the engine does not pick it up, and displays an empty version in use for the package:
How to reproduce it (as minimally and precisely as possible):
I have set up a repo with a dev container configured to run the repro with instructions here:
https://github.com/cezapata/appconfiguration-sample
You can run the codespace, install the maven dependencies on the app, and then run grype. Among the vulnerabilities detected, we will display GHSA-36p3-wjmg-h94x.
Anything else we need to know?:
Hard-coding the version on the dependencies fixes the problem, but we would like all the dependencies to be controlled by the parent.
Environment:
Output of
grype version:Application: grype
Version: 0.53.0
Syft Version: v0.62.0
BuildDate: 2022-11-18T20:36:40Z
GitCommit: a4a62aa
GitDescription: v0.53.0
Platform: linux/amd64
GoVersion: go1.18.7
Compiler: gc
Supported DB Schema: 5
OS (e.g:
cat /etc/os-releaseor similar):PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
The text was updated successfully, but these errors were encountered: