GHSA-93ww-43rr-79v3 / CVE-2024-10039 does not get patched version #2408
Comments
👋 Thanks for the issue @willem-delbare At first pass it looks like a bug in the DB where we have the entry twice both with fixed and not fixed state: select id, package_name, version_constraint, fix_state, namespace from vulnerability WHERE id="GHSA-93ww-43rr-79v3"
I've added needs investigation to this so that when someone has time we can look at why we're getting the double record with conflicting information.
They are from separate sources, it isn't a mistake in grype-db, it is a fix needed to the GitHub advisory, the 26.0.6 patch is only on the >=25.0.0,<26.0.6 range on the GitHub record. Presumably from the range definition the fix for
Yeah, 24.0.9 contained the "fix" (it was just a docs update) in keycloak/keycloak@3da16ee
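The two comments above describe the situation: one advisory ID present in the database twice, once as "fixed" and once as "not-fixed", with the 26.0.6 fix attached only to a >=25.0.0,<26.0.6 range that an installed 23.0.3 does not fall into. The following is an added example, not grype's code or schema: it builds an in-memory SQLite table reduced to the columns named in the maintainer's query (plus a constructed fix_version column), loads constructed rows that mimic the conflict, and shows both the duplicate-record check and why a 23.0.3 install matches no "fixed" range. The namespace strings and the row contents are assumptions for illustration.

```python
import re
import sqlite3
from typing import Optional

# Constructed rows standing in for the duplicate records described in the issue.
# Columns follow the maintainer's query (id, package_name, version_constraint,
# fix_state, namespace); fix_version is an added column for the example.
# The real grype database has more columns and different row contents.
SAMPLE_ROWS = [
    ("nvd:cpe", "GHSA-93ww-43rr-79v3", "keycloak-core",
     "<26.0.6", "not-fixed", None),
    ("github:language:java", "GHSA-93ww-43rr-79v3", "org.keycloak:keycloak-core",
     ">=25.0.0,<26.0.6", "fixed", "26.0.6"),
]


def load_sample_db() -> sqlite3.Connection:
    """Create an in-memory table with the reduced schema and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vulnerability ("
        " namespace TEXT, id TEXT, package_name TEXT,"
        " version_constraint TEXT, fix_state TEXT, fix_version TEXT)"
    )
    conn.executemany("INSERT INTO vulnerability VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def conflicting_fix_states(conn: sqlite3.Connection) -> list:
    """Return (id, sorted fix states) for every ID recorded with more than one fix_state."""
    rows = conn.execute(
        "SELECT id, namespace, fix_state FROM vulnerability ORDER BY id, namespace"
    ).fetchall()
    states = {}
    for vid, _ns, state in rows:
        states.setdefault(vid, set()).add(state)
    return sorted((vid, tuple(sorted(s))) for vid, s in states.items() if len(s) > 1)


def parse_version(text: str) -> tuple:
    """Dotted numeric version -> tuple of ints, so tuple comparison orders versions."""
    return tuple(int(part) for part in text.split("."))


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}
_CLAUSE = re.compile(r"^\s*(>=|<=|>|<|=)\s*(\d+(?:\.\d+)*)\s*$")


def satisfies(installed: str, constraint: str) -> bool:
    """True when the installed version falls inside a comma-joined constraint like '>=25.0.0,<26.0.6'."""
    version = parse_version(installed)
    for clause in constraint.split(","):
        match = _CLAUSE.match(clause)
        if not match:
            raise ValueError(f"unsupported constraint clause: {clause!r}")
        op, bound = match.groups()
        if not _OPS[op](version, parse_version(bound)):
            return False
    return True


def fix_for(conn: sqlite3.Connection, vuln_id: str, installed: str) -> list:
    """Return (namespace, fix_state, fix_version) for each record whose range covers the installed version."""
    rows = conn.execute(
        "SELECT namespace, version_constraint, fix_state, fix_version"
        " FROM vulnerability WHERE id = ? ORDER BY namespace",
        (vuln_id,),
    ).fetchall()
    return [(ns, state, fix) for ns, vc, state, fix in rows if satisfies(installed, vc)]


if __name__ == "__main__":
    db = load_sample_db()
    print("conflicting records:", conflicting_fix_states(db))
    # 23.0.3 is outside the >=25.0.0,<26.0.6 range, so only the not-fixed record applies
    print("23.0.3 ->", fix_for(db, "GHSA-93ww-43rr-79v3", "23.0.3"))
    # 25.0.1 is inside that range, so both records apply and the fix version surfaces
    print("25.0.1 ->", fix_for(db, "GHSA-93ww-43rr-79v3", "25.0.1"))
```

The conflict check is the database-side step a maintainer would run first; the range matching shows the second half of the story, that a "fixed" record only contributes a fix version when its version_constraint actually covers the installed version.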
What happened:
Running Grype on minimal json sample with keycloak 23.0.3 yields GHSA-93ww-43rr-79v3, but no CVE number is reported. No patch version is reported either.
What you expected to happen:
GHSA-93ww-43rr-79v3 also has CVE-2024-10039 and shows patch version 26.0.6 (reported in GHSA-93ww-43rr-79v3)
How to reproduce it (as minimally and precisely as possible):
.\grype.exe .\minimal.json --by-cve
minimal.json
{"artifacts":[{"id":"93921a74e42b2d5b","cpes":[{"cpe":"cpe:2.3:a:keycloak:keycloak-core:23.0.3:*:*:*:*:*:*:*","source":"syft-generated"},{"cpe":"cpe:2.3:a:keycloak:keycloak_core:23.0.3:*:*:*:*:*:*:*","source":"syft-generated"}],"name":"keycloak-core","purl":"pkg:maven\/org.keycloak\/[email protected]","type":"java-archive","foundBy":"java-archive-cataloger","version":"23.0.3","language":"java","licenses":[{"type":"declared","urls":[],"value":"https:\/\/www.apache.org\/licenses\/LICENSE-2.0","locations":[],"spdxExpression":""}],"metadata":{"digest":[{"value":"db33d9bf7a26aeb18bce6fe3d8d775beaf6b0554","algorithm":"sha1"}],"manifest":{"main":[]},"virtualPath":"\/opt\/keycloak\/lib\/lib\/main\/org.keycloak.keycloak-core-23.0.3.jar","pomProperties":{"name":"","path":"META-INF\/maven\/org.keycloak\/keycloak-core\/pom.properties","groupId":"org.keycloak","version":"23.0.3","artifactId":"keycloak-core"}},"locations":[{"path":"\/opt\/keycloak\/lib\/lib\/main\/org.keycloak.keycloak-core-23.0.3.jar","layerID":"sha256:def876082e39f0a7b72296c739eab5921802f870dcbe12f845886eebec9a405c","accessPath":"\/opt\/keycloak\/lib\/lib\/main\/org.keycloak.keycloak-core-23.0.3.jar","annotations":{"evidence":"primary"}}],"metadataType":"java-archive"}],"artifactRelationships":[],"files":[],"source":{"id":"cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8","name":".","version":"","type":"directory","metadata":{"path":"."}},"distro":{},"descriptor":{"name":"syft","version":"1.19.0","configuration":{"catalogers":{"requested":{"default":["directory"]},"used":[]},"data-generation":{"generate-cpes":true},"files":{"content":{"globs":null,"skip-files-above-size":0},"hashers":["sha-1","sha-256"],"selection":"owned-by-package"},"packages":{},"relationships":{"exclude-binary-packages-with-file-ownership-overlap":true,"package-file-ownership":true,"package-file-ownership-overlap":true},"search":{"scope":"squashed"}}},"schema":{"version":"16.0.20","url":"https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-16.0.20.json"}}