Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

False positive of CVE-2022-32511 on apk package py3-jmespath #2348

Open
samcornwell opened this issue Dec 20, 2024 · 1 comment
Open

False positive of CVE-2022-32511 on apk package py3-jmespath #2348

samcornwell opened this issue Dec 20, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@samcornwell
Copy link

samcornwell commented Dec 20, 2024
edited
Loading

I have a container using py3-jmespath as an apk package in alpine. I'm getting this in my grype output:

user@machine:~$ grype <image> | grep -E "(Critical|High|Medium)\s*$"
 ✔ Loaded image                                                                                      <image>
 ✔ Parsed image                                                                                        sha256:5969162d15686a0d460a4ba701a91b7c3c3466aa95fdf4cf9958c190beea77d7
 ✔ Cataloged contents                                                                                         dbd2e1c6c93d09473e73ccc4f421d534783e4bb203f6fa9996560d2bf9c56ffd
   ├── ✔ Packages                        [113 packages]  
   ├── ✔ File digests                    [5,186 files]  
   ├── ✔ File metadata                   [5,186 locations]  
   └── ✔ Executables                     [201 executables]  
 ✔ Scanned for vulnerabilities     [5 vulnerability matches]  
   ├── by severity: 1 critical, 0 high, 4 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 5 not-fixed, 0 ignored 
coreutils            9.5-r1               apk   CVE-2016-2781   Medium    
coreutils-env        9.5-r1               apk   CVE-2016-2781   Medium    
coreutils-fmt        9.5-r1               apk   CVE-2016-2781   Medium    
coreutils-sha512sum  9.5-r1               apk   CVE-2016-2781   Medium    
py3-jmespath         1.0.1-r3             apk   CVE-2022-32511  Critical

However, that CVE only applies to the ruby version of jmespath.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32511

I find no CVEs in the databases associated with jmespathd of python.

Here's an additional snippet of the grype json output which shows the urls and other parts referencing the ruby package:

  {
   "vulnerability": {
    "id": "CVE-2022-32511",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-32511",
    "namespace": "nvd:cpe",
    "severity": "Critical",
    "urls": [
     "https://github.com/jmespath/jmespath.rb/compare/v1.6.0...v1.6.1",
     "https://github.com/jmespath/jmespath.rb/pull/55",
     "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/376NUPIPTYBWWGS33GO4UOLQRI4D3BTP/",
     "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGZ2YWONVFFOPACHAT4MM7ZBT4DNHOF5/",
     "https://stackoverflow.com/a/30050571/580231",
     "https://github.com/jmespath/jmespath.rb/compare/v1.6.0...v1.6.1",
     "https://github.com/jmespath/jmespath.rb/pull/55",
     "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/376NUPIPTYBWWGS33GO4UOLQRI4D3BTP/",
     "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGZ2YWONVFFOPACHAT4MM7ZBT4DNHOF5/",
     "https://stackoverflow.com/a/30050571/580231"
    ],
    "description": "jmespath.rb (aka JMESPath for Ruby) before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable.",
    "cvss": [
     {
      "source": "[email protected]",
      "type": "Primary",
      "version": "2.0",
      "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
      "metrics": {
       "baseScore": 7.5,
       "exploitabilityScore": 10,
       "impactScore": 6.4
      },
      "vendorMetadata": {}
     },
     {
      "source": "[email protected]",
      "type": "Primary",
      "version": "3.1",
      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "metrics": {
       "baseScore": 9.8,
       "exploitabilityScore": 3.9,
       "impactScore": 5.9
      },
      "vendorMetadata": {}
     }
    ],
    "fix": {
     "versions": [],
     "state": "unknown"
    },
    "advisories": []
   },
   "relatedVulnerabilities": [],
   "matchDetails": [
    {
     "type": "cpe-match",
     "matcher": "apk-matcher",
     "searchedBy": {
      "namespace": "nvd:cpe",
      "cpes": [
       "cpe:2.3:a:jmespath_project:jmespath:1.0.1:*:*:*:*:*:*:*"
      ],
      "package": {
       "name": "py3-jmespath",
       "version": "1.0.1-r3"
      }
     },
     "found": {
      "vulnerabilityID": "CVE-2022-32511",
      "versionConstraint": "< 1.6.1 (unknown)",
      "cpes": [
       "cpe:2.3:a:jmespath_project:jmespath:*:*:*:*:*:ruby:*:*"
      ]
     }
    }

And python appears to be what the apk package py3-jmespath is using:
image
@samcornwell samcornwell added the bug Something isn't working label Dec 20, 2024
@samcornwell samcornwell mentioned this issue Dec 20, 2024
Open
@spiffcs
Copy link
Contributor

spiffcs commented Dec 23, 2024

Thanks @samcornwell for the report here. This kind of FP will be easier to fix when we move to the grype v6 database.

Let me take a stab at installing this package on my local and trying to make syft's cpe generation not be so aggressive so it matches on these in this case.

cpe:2.3:a:jmespath_project:jmespath:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:jmespath_project:jmespath:*:*:*:*:*:ruby:*:*

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
OSS
Status: No status
Milestone
No milestone
Development

No branches or pull requests
2 participants
@samcornwell @spiffcs