What happened:
Since upgrading syft from 0.86.1 to something more recent I get some more OpenSSL results in my spdx-json SBOM files. As a result, our scanner (grype) now finds more vulnerabilities (specifically around OpenSSL).
What you expected to happen:
This specific image is indeed using OpenSSL 1.1.1, yet grype now finds itself worrying about just 1.1.1 while in reality this is 1.1.1w (which isn't even vulnerable at all).
% docker run --rm -it --entrypoint /bin/sh openresty/openresty:1.25.3.1-2-alpine
/ # ./usr/local/openresty/openssl/bin/openssl version
OpenSSL 1.1.1w 11 Sep 2023
I'd expect the SBOM to properly reflect the 1.1.1w on which grype can supposedly report accordingly.
Steps to reproduce the issue:
Using docker and the following quick script:
#!/usr/bin/env sh
set -e
SYFT_TAG=v0.103.1 # Jan 31, 2024
GRYPE_TAG=v0.74.5 # Feb 14, 2024
SBOM=$(basename "${PWD}")_sbom.spdx.json
mkdir -p ~/.grype/cache
# Quote "$1" so an empty or space-containing argument is tested correctly
if [ -z "$1" ]
then
  TARGET="dir:/work/"
  echo "Using default target - alternative argument: docker:<container>"
else
  TARGET="${1}"
  echo "Using target: ${TARGET}"
fi
echo "Extracting SBOM using Syft ${SYFT_TAG}"
docker run \
  --rm \
  -it \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v "${PWD}":/work \
  "anchore/syft:${SYFT_TAG}" \
  packages \
  "${TARGET}" \
  -o spdx-json \
  --file "/work/${SBOM}"
docker run \
  --rm \
  -it \
  -v "${PWD}":/work \
  -v ~/.grype/cache:/.cache/grype \
  "anchore/grype:${GRYPE_TAG}" \
  "sbom:/work/${SBOM}" \
  -o sarif \
  --file /work/scan.sarif \
  --config /work/grype.config.yaml
Using SYFT_TAG=v0.103.1:
✔ Vulnerability DB [no update available]
✔ Scanned for vulnerabilities [54 vulnerability matches]
├── by severity: 3 critical, 13 high, 36 medium, 2 low, 0 negligible
└── by status: 4 fixed, 50 not-fixed, 0 ignored
Using SYFT_TAG=v0.99.0:
✔ Vulnerability DB [no update available]
✔ Scanned for vulnerabilities [22 vulnerability matches]
├── by severity: 0 critical, 4 high, 18 medium, 0 low, 0 negligible
└── by status: 4 fixed, 18 not-fixed, 0 ignored
Anything else we need to know?:
My current guess is this is due to the openssl matchers ignoring the letter suffix, as found in for example 1.1.1w.
This makes sense as the SBOM now contains this:
This started specifically as of 0.100.0 (https://github.com/anchore/syft/releases/tag/v0.100.0), presumably due to inclusion of #2416.
From https://wiki.openssl.org/index.php/Versioning:
Environment:
syft version: v0.103.1
cat /etc/os-release (or similar): fwiw Alpine 3.19.1
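The following Go program is an added illustration of the version-comparison point raised in this issue; it is not code from the issue, from syft or from grype. It models the legacy OpenSSL 1.x scheme MAJOR.MINOR.FIX[LETTER], in which the trailing letter is a patch release (1.1.1w is the 23rd patch of 1.1.1), compares versions with the letter taken into account, and then shows how recording only "1.1.1" in an SBOM turns a non-vulnerable 1.1.1w into a false positive against a constructed, hypothetical advisory with a fixed-in version of 1.1.1t.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// legacyVersion models the pre-3.0 OpenSSL scheme MAJOR.MINOR.FIX[LETTER]:
// the optional trailing letter is a patch release, so 1.1.1w is the 23rd
// patch of the 1.1.1 branch and must sort above both 1.1.1 and 1.1.1t.
type legacyVersion struct {
	major, minor, fix int
	patch             int // 0 = no letter, 'a' = 1 ... 'w' = 23
}

var legacyRe = regexp.MustCompile(`^(\d+)\.(\d+)\.(\d+)([a-z]?)$`)

// parseLegacy parses e.g. "1.1.1w"; anything not of the MAJOR.MINOR.FIX[LETTER]
// shape (distro suffixes such as "1.1.1w-r1", empty strings) is rejected.
func parseLegacy(s string) (legacyVersion, error) {
	m := legacyRe.FindStringSubmatch(strings.TrimSpace(s))
	if m == nil {
		return legacyVersion{}, fmt.Errorf("not a legacy OpenSSL version: %q", s)
	}
	major, _ := strconv.Atoi(m[1]) // digits are guaranteed by the regexp
	minor, _ := strconv.Atoi(m[2])
	fix, _ := strconv.Atoi(m[3])
	patch := 0
	if m[4] != "" {
		patch = int(m[4][0]-'a') + 1
	}
	return legacyVersion{major, minor, fix, patch}, nil
}

// compareLegacy returns -1, 0 or 1, with the patch letter as the final tie-breaker.
func compareLegacy(a, b legacyVersion) int {
	pairs := [][2]int{{a.major, b.major}, {a.minor, b.minor}, {a.fix, b.fix}, {a.patch, b.patch}}
	for _, p := range pairs {
		switch {
		case p[0] < p[1]:
			return -1
		case p[0] > p[1]:
			return 1
		}
	}
	return 0
}

// affected reports whether installed is below the advisory's fixed-in version,
// i.e. still vulnerable. Both arguments must be legacy 1.x version strings.
func affected(installed, fixedIn string) (bool, error) {
	in, err := parseLegacy(installed)
	if err != nil {
		return false, err
	}
	fx, err := parseLegacy(fixedIn)
	if err != nil {
		return false, err
	}
	return compareLegacy(in, fx) < 0, nil
}

// stripLetter reproduces the lossy recording described in the issue: the patch
// letter is dropped, so "1.1.1w" ends up in the SBOM as "1.1.1".
func stripLetter(s string) string {
	return strings.TrimRight(s, "abcdefghijklmnopqrstuvwxyz")
}

func main() {
	// Constructed example: a hypothetical advisory fixed in 1.1.1t (not a real
	// CVE), checked against the 1.1.1w reported by the image in this issue.
	const installed, fixedIn = "1.1.1w", "1.1.1t"
	exact, _ := affected(installed, fixedIn)
	lossy, _ := affected(stripLetter(installed), fixedIn)
	fmt.Printf("%s vs fixed-in %s -> affected=%v\n", installed, fixedIn, exact)
	fmt.Printf("%s vs fixed-in %s -> affected=%v (false positive from the dropped letter)\n",
		stripLetter(installed), fixedIn, lossy)
}
```

The letter has to participate in the comparison as a fourth, least-significant component; treating "1.1.1w" as "1.1.1" collapses every patch release of the branch onto its first build, which is exactly the situation where a matcher reports fixes the installed build already has.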