False negative: vulns in AL2023 rpm packages were reported but then disappeared #2333
Comments
Trying to reproduce this on my local machine, which has not had a grype db update since last week. What version of DB do I have?
Check with the currently installed DB.
Update the database.
Try the test again.
Confirmed they're gone.
Interesting, seems like it is indeed a regression in the Vuln DB then 🤔
Indeed. Grype gets the data via vunnel, pulled from the upstream provider, where these vulnerabilities disappear. We've contacted the security team there to find out what's happening. Stand by :)
No word from maintainers of the data yet, but https://alas.aws.amazon.com/alas2023.html shows that today's grype db now has those:

$ grype -q amazonlinux:2023.6.20241121.0 | rg -e NAME -e ALAS-2024-783 -e ALAS-2024-770 -e ALAS-2024-781
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
libxml2 2.10.4-1.amzn2023.0.6 2.10.4-1.amzn2023.0.7 rpm ALAS-2024-783 Medium
python3-pip-wheel 21.3.1-2.amzn2023.0.9 21.3.1-2.amzn2023.0.10 rpm ALAS-2024-781 Medium

Grype now finds
What happened:
One day our nightly audit run flagged 4 x rpm vulns in an Amazon Linux 2023 based image (13 Dec 2024, ~21:00), but then the next day on the same code, those reported vulns were no longer reported (14 Dec 2024, ~21:00).
However the vulnerable package versions, e.g. libxml2 version 2.10.4-1.amzn2023.0.6, are still present in the image. (The Django vulns are irrelevant to this bug report.)
I have checked with latest grype v0.86.4 and the rpm vulns are still not reported, so it seems like the Vuln DB is the only thing that changed between these 2 runs above.

What you expected to happen:
The vulnerabilities should still be reported by grype, until we patch them.
How to reproduce it (as minimally and precisely as possible):
I believe the following command repros it, though I can't go back in time to check if it would have shown the libxml2 and other vulns on 13th December, but this does not report any vulns, whereas I think it should:

For comparison, Docker Scout does find the vulns which grype previously reported (but no longer does).
Anything else we need to know?:
Environment:
grype version: see above, it occurred on v0.74.6 but still repros on:
(cat /etc/os-release or similar): Windows 11 but running grype in Docker Desktop linux container using official grype image
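As an added check for the situation this issue describes (not code from the grype project): compare two `grype -o json` reports of the same image and list the matches that vanished between DB builds, so a nightly pipeline can flag a "vulns disappeared but the package did not change" event for review instead of silently passing. The sample reports are constructed, and the JSON field names used (matches[].vulnerability.id, matches[].artifact.name/version/type, source.target.imageID, descriptor.db.built) are assumptions about grype's output shape.

```python
"""Flag matches that vanish between two grype JSON reports of the same image.
Added example, not grype project code; the JSON field names below are assumed."""
import json

# Constructed sample reports mimicking two nightly runs against the same image,
# before and after the vulnerability DB update described in the issue.
BEFORE = json.dumps({
    "source": {"type": "image", "target": {"imageID": "sha256:constructed-image-id"}},
    "descriptor": {"db": {"built": "2024-12-13T01:00:00Z"}},
    "matches": [
        {"vulnerability": {"id": "ALAS-2024-783", "severity": "Medium"},
         "artifact": {"name": "libxml2", "version": "2.10.4-1.amzn2023.0.6", "type": "rpm"}},
        {"vulnerability": {"id": "ALAS-2024-781", "severity": "Medium"},
         "artifact": {"name": "python3-pip-wheel", "version": "21.3.1-2.amzn2023.0.9", "type": "rpm"}},
        {"vulnerability": {"id": "CONSTRUCTED-0001", "severity": "High"},  # constructed id
         "artifact": {"name": "example-pkg", "version": "1.0", "type": "python"}},
    ],
})
AFTER = json.dumps({
    "source": {"type": "image", "target": {"imageID": "sha256:constructed-image-id"}},
    "descriptor": {"db": {"built": "2024-12-14T01:00:00Z"}},
    "matches": [
        {"vulnerability": {"id": "CONSTRUCTED-0001", "severity": "High"},
         "artifact": {"name": "example-pkg", "version": "1.0", "type": "python"}},
    ],
})

def match_keys(report):
    """Identify each match by (vuln id, package name, package version, ecosystem)."""
    return {(m["vulnerability"]["id"], m["artifact"]["name"],
             m["artifact"]["version"], m["artifact"]["type"]) for m in report["matches"]}

def disappeared_matches(before_text, after_text):
    """Return matches in the earlier report that are absent from the later one.
    Same image plus a vanished match means a DB fix or, as here, a DB regression."""
    before, after = json.loads(before_text), json.loads(after_text)
    if before["source"]["target"].get("imageID") != after["source"]["target"].get("imageID"):
        raise ValueError("reports describe different images; comparison is meaningless")
    return {
        "db_before": before["descriptor"]["db"]["built"],
        "db_after": after["descriptor"]["db"]["built"],
        "disappeared": sorted(match_keys(before) - match_keys(after)),
    }

if __name__ == "__main__":
    result = disappeared_matches(BEFORE, AFTER)
    for vid, name, version, kind in result["disappeared"]:
        print(f"DISAPPEARED {vid} {name} {version} ({kind}) "
              f"DB {result['db_before']} -> {result['db_after']}")
```

Run it against the saved JSON of two consecutive nightly scans; a non-empty `disappeared` list for an unchanged image is the signal to hold the pipeline and check the DB build, as the maintainers did above with `grype db status` and an update.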