Grype does not detect vulnerable Micronaut CVE-2024-23639 #1730
Comments
|
Hi @Atharex thanks for the report! I've reproduced the issue and will move it to our backlog. Details below. I think there are two things going on here: syft -q schnatterer/micronaut-getting-started:latest | grep micro
micronaut-getting-started 0.1 java-archiveSo Syft doesn't find an instance of a vulnerable jar in the image. Do you know for sure the image has a vulnerable jar in it? However, to check whether Grype is working as expected here, I downloaded the jar directly wget https://repo1.maven.org/maven2/io/micronaut/micronaut-http-server/3.8.2/micronaut-http-server-3.8.2.jar
syft -q -o json micronaut-http-server-3.8.2.jar| jq '.artifacts[] | { name: .name, purl: .purl }'Which prints: {
"name": "micronaut-http-server",
"purl": "pkg:maven/io.micronaut.http_server/micronaut-http-server@3.8.2"
}I think the issue here is that we think the group id is If I write out an SBOM, and edit it so that the PURL on this package has the correct group ID ( Dev notes: Syft reporting wrong group ID for JARs like this one: https://mvnrepository.com/artifact/io.micronaut/micronaut-http-server/3.8.2 |
What happened:
Grype/Syft do not detect CVE-2024-23639 a vulnerability of the Micronaut framework for Java/Kotlin
What you expected to happen:
The Micronaut component to be listed by Syft and recognized as vulnerable by Grype for CVE-2024-23639
How to reproduce it (as minimally and precisely as possible):
You could probably test it on any old publicly accessible image with micronaut
Example:
grype schnatterer/micronaut-getting-started:latestAnything else we need to know?:
Environment:
Output of
grype version:Application: grype
Version: 0.74.6
BuildDate: 2024-02-14T22:19:32Z
GitCommit: b9cf0e5
GitDescription: v0.74.6
Platform: darwin/arm64
GoVersion: go1.21.7
Compiler: gc
Syft Version: v0.105.0
Supported DB Schema: 5
OS (e.g:
cat /etc/os-releaseor similar):MacOS
The text was updated successfully, but these errors were encountered: