possible false positives: unicorn package, qnx SDK package

[jurassicLizard]

What happened:

Some false positives detected

What you expected to happen:

• High confidence false positive:
  • uvicorn version 0.17.6 shows CVE-2020-7694 as vulnerability with an empty fixed versions array. This is technically speaking not a logical bug since NVD doesnot seem to have updated its entry for the CVE to contain the fixed version; instead only mentioning the snyk.io advisory. However snyk.io advisory shows that this has been fixed and only affects versions up to 0.11.7. So this is definitely a false positive
• Low confidence false positive:
  • expected qnx_software_development_platform version 7.1 cpe to not show CVE-2013-xxxx or at least show fixed versions but it doesnot. I do not consider this to be a bug if not detected IMO because the NIST entries are confusing in this regard to say the least and are very unclear so this is to be treated with low priority albeit nice to have if it were detecte. I am aware grype doesnot look at all possible advisories out there but just doing my part to improve this software as I am a fan and use it extensively

How to reproduce it (as minimally and precisely as possible):

1. download attached out.json cyclonedx sbom
2. run grype with grype sbom:out.json in the directory where out.json is downloaded
3. receive results similar to attached results.txt
   with uvicorn false positive and the

Anything else we need to know?:
N/A
Environment:

• Output of grype version:

Application:         grype
Version:             0.86.1
BuildDate:           2024-12-13T19:32:52Z
GitCommit:           5c4fee7b1170976ab435de052fc3611bc955f1f1
GitDescription:      v0.86.1
Platform:            linux/amd64
GoVersion:           go1.23.4
Compiler:            gc
Syft Version:        v1.18.1
Supported DB Schema: 5

• OS (e.g: cat /etc/os-release or similar):

NAME=Gentoo
ID=gentoo
PRETTY_NAME="Gentoo Linux"
ANSI_COLOR="1;32"
HOME_URL="https://www.gentoo.org/"
SUPPORT_URL="https://www.gentoo.org/support/"
BUG_REPORT_URL="https://bugs.gentoo.org/"
VERSION_ID="2.17"

[jurassicLizard]

if there is anything I can do to assist with this I will be happy to help As I consider this software to be a real asset. Thanks to the team for this tool.

[popey]

Thanks for the FP issue @jurassicLizard - much appreciated.

I've confirmed it here too:

$ grype db update
 ✔ Vulnerability DB                [updated]
Vulnerability database updated to latest version!
$ grype out.json
 ✔ Scanned for vulnerabilities     [5 vulnerability matches]
   ├── by severity: 1 critical, 2 high, 1 medium, 1 low, 0 negligible
   └── by status:   0 fixed, 5 not-fixed, 0 ignored
NAME                               INSTALLED  FIXED-IN  TYPE            VULNERABILITY   SEVERITY
qnx_software_development_platform  7.1                  UnknownPackage  CVE-2021-32024  Critical
qnx_software_development_platform  7.1                  UnknownPackage  CVE-2023-32701  High
qnx_software_development_platform  7.1                  UnknownPackage  CVE-2013-2687   High
qnx_software_development_platform  7.1                  UnknownPackage  CVE-2013-2688   Medium
uvicorn                            0.17.6               UnknownPackage  CVE-2020-7694   Low
$ grype out.json -o json | grype explain --id CVE-2020-7694
[0000]  WARN grype explain is a prototype feature and is subject to change
 ✔ Scanned for vulnerabilities     [5 vulnerability matches]
   ├── by severity: 1 critical, 2 high, 1 medium, 1 low, 0 negligible
   └── by status:   0 fixed, 5 not-fixed, 0 ignored
CVE-2020-7694 from nvd:cpe (Low)
This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn's access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file).
Matched packages:
    - Package: uvicorn, version: 0.17.6
      Match explanation(s):
          - nvd:cpe:CVE-2020-7694 CPE match on `cpe:2.3:a:encode:uvicorn:0.17.6:*:*:*:*:*:*:*`.
      Locations:
URLs:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-7694

We'll take a look.

[joshbressers]

Hi @jurassicLizard

Thanks for the report. There are couple of things going on here, I want to break them all apart into different parts.

Missing PURL

Let's start with the scan results @popey noted above. If you look at the "TYPE" column, they are all UnknownPackage. This is due to the SBOM leaving out some details Grype can use to help improve the scan. When Grype looks for vulnerabilities, the best possible results are when we know what type of given package is. In the case of uvicorn, we want the TYPE to show up as python. To make this work we want to see a purl field in the SBOM. The line should look like

        {
            "cpe": "cpe:2.3:a:encode:uvicorn:0.17.6:*:*:*:*:*:*:*",
            "name": "uvicorn",
            "publisher": "encode",
            "type": "application",
            "version": "0.17.6",
            "purl": "pkg:pypi/[email protected]"
        }

That data will return the correct results. Supplying purl data in the CycloneDX SBOM will greatly improve the results as we will use the version details provided by GitHub's vulnerability data to match python packages, which is superior to the NVD data.

Incorrect CPE

The other part of this report is the CPE data for the findings (all the findings). You provide CPE information in the SBOM. When Grype has no other data, it will rely on CPE data in NVD to matching. CPE data in NVD has a lot of problems (as we can see in the results).

If we look at the uvicorn CVE, we see

cpe:2.3:a:encode:uvicorn:-:*:*:*:*:*:*:*

Which is why we are seeing the false positive. This is also why you're seeing the qnx_software_development_platform results. The CPE data in NVD needs to be fixed.

Now, all that said

We have the ability to update this data, Anchore maintains curated data in this repo https://github.com/anchore/cve-data-enrichment

None of the CVEs in question are logged there today which means Grype is using the data directly from NVD. How to submit a PR to that repo is not well documented. I am going to work with @popey over the next few days to start writing this down. Part of that process will be updating the CVE IDs from your demo SBOM. I'll reply here when we submit the PR.

[jurassicLizard]

@popey @joshbressers Thank you all for the very detailed explanations. And the extremely fast response. Very good tip with the purl, unfortunately i have little influence over the SBOMs i work with as i would need an intermediate converter to add purl and figure out the namespace and such things for 1000s of packages. But will do my best to improve my BOMs for better results. Will make sure to log any further false positives the way you have shown in the CVE enrichment repo. looking forward to the PR. Thank you all. I appreciate your time and effort.

[jurassicLizard]

I see one of the CVEs has already been added : anchore/cve-data-enrichment@9d32bcb

Kudos and eagerly awaiting the documentation of the individual properties of these jsons so I can start contributing and improving the data whenever such cases arise.