
PyPI Kubernetes library generating invalid CPE kubernetes:kubernetes #2005

Closed
cpendery opened this issue Aug 24, 2022 · 3 comments · Fixed by #1921
Labels
bug Something isn't working changelog-ignore Don't include this issue in the release changelog

Comments

@cpendery
Contributor

What happened:
Grype is shadowing Kubernetes' vulnerabilities onto the pypi kubernetes package

What you expected to happen:
No vulnerabilities should be reported since the package isn't vulnerable.

How to reproduce it (as minimally and precisely as possible):

File

{
    "components": [
        {
            "bom-ref": "pkg:pypi/kubernetes@24.2.0",
            "name": "kubernetes",
            "purl": "pkg:pypi/kubernetes@24.2.0",
            "type": "library",
            "version": "24.2.0"
        }
    ],
    "bomFormat": "CycloneDX",
    "serialNumber": "urn:uuid:",
    "version": 1,
    "specVersion": "1.4"
}

Command

grype sbom:sbom.json --add-cpes-if-none

Output

cpendery@macbook dir % grype sbom:sbom.json --add-cpes-if-none                                                              
  ✔ Vulnerability DB        [updated]                                                                                                                         
 ✔ Scanned image           [6 vulnerabilities]
NAME        INSTALLED  FIXED-IN  TYPE    VULNERABILITY   SEVERITY 
kubernetes  24.2.0               python  CVE-2020-8554   Medium
kubernetes  24.2.0               python  CVE-2021-25740  Low
kubernetes  24.2.0               python  CVE-2015-7561   Low
kubernetes  24.2.0               python  CVE-2016-1905   High      
kubernetes  24.2.0               python  CVE-2016-1906   Critical
kubernetes  24.2.0               python  CVE-2016-7075   High

Anything else we need to know?:
Very similar to anchore/grype#800

Environment:

  • Output of grype version: 0.47.0
  • OS (e.g: cat /etc/os-release or similar):
System Version: macOS 11.6 (20G165)
Kernel Version: Darwin 20.6.0
Model Name: MacBook Pro
Model Identifier: MacBookPro16,1
Processor Name: 6-Core Intel Core i7
@cpendery cpendery added the bug Something isn't working label Aug 24, 2022
@jgwright-eitccorp

Examples of this include flagging:

With a representative CPE list in scan results of:

    "cpes": [
     "cpe:2.3:a:kubernetes_project:python-kubernetes:20.13.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:kubernetes_project:python_kubernetes:20.13.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:kubernetesproject:python-kubernetes:20.13.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:kubernetesproject:python_kubernetes:20.13.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:python-kubernetes:python-kubernetes:20.13.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:python-kubernetes:python_kubernetes:20.13.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:python_kubernetes:python-kubernetes:20.13.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:python_kubernetes:python_kubernetes:20.13.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:kubernetes_project:kubernetes:20.13.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:kubernetes:python-kubernetes:20.13.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:kubernetes:python_kubernetes:20.13.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:kubernetesproject:kubernetes:20.13.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:python-kubernetes:kubernetes:20.13.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:python_kubernetes:kubernetes:20.13.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:python:python-kubernetes:20.13.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:python:python_kubernetes:20.13.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:kubernetes:kubernetes:20.13.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:python:kubernetes:20.13.0:*:*:*:*:*:*:*"
    ],

@kzantow kzantow transferred this issue from anchore/grype Aug 7, 2023
@tgerla
Contributor

tgerla commented Aug 10, 2023

Thanks for the additional details, @jgwright-eitccorp. I think we understand what is going on here: our CPE generation is broad, as it needs to be, but this does generate false positives. We are working on some alternative solutions that should greatly improve this situation. Please stay tuned!
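The mechanism tgerla describes, and the candidate list jgwright-eitccorp posted above, can be reproduced with a short Python script. The following is an added example and not grype's code: it builds the vendor x product cross product that the posted list has the shape of, matches those candidates against one constructed vulnerability rule keyed to a CVE id from the report, and then shows that pinning an explicit `cpe` on the CycloneDX component (which, going by the flag's name, leaves `--add-cpes-if-none` nothing to add) removes the hit. The hint lists, the rule's CPE pattern, the `pin_cpe` helper and the pinned product name `python_kubernetes` are all assumptions of this example, not facts taken from grype or NVD.

```python
"""Added example (not grype's own code): why a generated
cpe:2.3:a:kubernetes:kubernetes:<version> candidate matches Kubernetes (cluster)
CVEs for the unrelated PyPI `kubernetes` client, and how an explicit CPE in the
CycloneDX SBOM sidesteps --add-cpes-if-none."""
import copy
import itertools

# A CPE 2.3 formatted string has exactly 13 colon-separated fields:
# cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
CPE_FIELDS = 13


def parse_cpe(cpe: str) -> list:
    """Return the 11 attribute fields of a CPE 2.3 formatted string.

    Escaped colons ("\\:") are not handled; none of the CPEs in the issue use them.
    """
    parts = cpe.split(":")
    if len(parts) != CPE_FIELDS or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return parts[2:]


def cpe_matches(candidate: str, rule: str) -> bool:
    """True when every attribute of `rule` is ANY ('*') or equals the candidate's.

    This is the subset of CPE name matching needed here; a real matcher also
    applies NVD version ranges (versionStartIncluding/versionEndExcluding).
    """
    return all(r == "*" or r == c for c, r in zip(parse_cpe(candidate), parse_cpe(rule)))


def candidate_cpes(vendors, products, version: str) -> list:
    """Generate the broad vendor x product cross product seen in the issue.

    Assumption of this example: it mirrors the shape of the posted list, not
    grype's actual generator.
    """
    return [
        f"cpe:2.3:a:{v}:{p}:{version}:*:*:*:*:*:*:*"
        for v, p in itertools.product(vendors, products)
    ]


def find_matches(candidates, rules) -> list:
    """Return (cve, candidate) pairs for every candidate that hits a rule."""
    return [(cve, c) for cve, rule in rules for c in candidates if cpe_matches(c, rule)]


def pin_cpe(sbom: dict, purl: str, cpe: str) -> dict:
    """Copy the SBOM and set an explicit `cpe` on the component with this purl.

    Assumption: with a CPE already present, --add-cpes-if-none adds nothing, so
    only this CPE is used for matching.
    """
    sbom = copy.deepcopy(sbom)
    for component in sbom["components"]:
        if component.get("purl") == purl:
            component["cpe"] = cpe
            return sbom
    raise KeyError(f"no component with purl {purl}")


# Constructed data. The hint lists are the kind a generator derives from the
# PyPI name; the rule is shaped like a Kubernetes-cluster CVE configuration and
# reuses a CVE id from the report, but it is illustrative, not copied from NVD.
PURL = "pkg:pypi/kubernetes@24.2.0"
VENDORS = ["kubernetes", "kubernetes_project", "python", "python_kubernetes"]
PRODUCTS = ["kubernetes", "python_kubernetes", "python-kubernetes"]
VULN_RULES = [("CVE-2020-8554", "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*")]
BAD_CPE = "cpe:2.3:a:kubernetes:kubernetes:24.2.0:*:*:*:*:*:*:*"
PINNED_CPE = "cpe:2.3:a:kubernetes:python_kubernetes:24.2.0:*:*:*:*:*:*:*"  # assumed name
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"bom-ref": PURL, "type": "library", "name": "kubernetes",
         "version": "24.2.0", "purl": PURL}
    ],
}


def demo():
    """Return (matches with generated CPEs, matches with the pinned CPE)."""
    generated = candidate_cpes(VENDORS, PRODUCTS, "24.2.0")
    broad = find_matches(generated, VULN_RULES)
    pinned = pin_cpe(SBOM, PURL, PINNED_CPE)
    narrow = find_matches([pinned["components"][0]["cpe"]], VULN_RULES)
    return broad, narrow


if __name__ == "__main__":
    broad, narrow = demo()
    print("generated CPEs that hit a Kubernetes rule:", broad)
    print("hits with an explicit CPE pinned in the SBOM:", narrow)
```

The cross product is where the false positive comes from: as soon as the bare package name is used as both vendor and product, the candidate collides with the CPE under which the Kubernetes project's own CVEs are recorded, and no amount of version logic helps because the version strings are meaningless across the two products. Pinning a CPE in the SBOM is a consumer-side workaround; it does not fix the generator, which is what #1921 is linked as the fix for.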

@kzantow kzantow changed the title False Flagging #2 PyPI Kubernetes library generating invalid CPE kubernetes:kubernetes Aug 10, 2023
@kzantow kzantow linked a pull request Aug 10, 2023 that will close this issue
@kzantow
Contributor

kzantow commented Aug 10, 2023

It looks like this was fixed by: #1921 🎉

@kzantow kzantow closed this as completed Aug 10, 2023
@github-project-automation github-project-automation bot moved this to Done in OSS Aug 10, 2023
@kzantow kzantow added the changelog-ignore Don't include this issue in the release changelog label Aug 10, 2023