
vex documents from the --vex flag do get processed or applied to the output correctly #1836

Open
willejs opened this issue Apr 30, 2024 · 1 comment
Labels
bug Something isn't working

Comments


willejs commented Apr 30, 2024

What happened:

When following the example here using the vex document specified, the vulnerability is rendered in the output report. This happens in any format.

vex.json

{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/public/vex-d4e9020b6d0d26f131d535e055902dd6ccf3e2088bce3079a8cd3588a4b14c78",
  "author": "A Grype User <jdoe@example.com>",
  "timestamp": "2023-07-17T18:28:47.696004345-06:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2023-1255"
      },
      "products": [
        {
          "@id": "pkg:oci/alpine@sha256%3A124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126",
          "subcomponents": [
            { "@id": "pkg:apk/alpine/libssl3@3.0.8-r3" },
            { "@id": "pkg:apk/alpine/libcrypto3@3.0.8-r3" }
          ]
        }
      ],
      "status": "fixed"
    }
  ]
}

command

docker run -it -v $PWD/vex.json:/vex.json  anchore/grype alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126 --vex /vex.json
 ✔ Vulnerability DB                [updated]  
 ✔ Parsed image                                         sha256:51e60588ff2cd9f45792b23de89bfface0a7fbd711d17c5f5ce900a4f6b16260
 ✔ Cataloged contents                                          b5a5b7ce4eabc8414bf367761a28f4e8b16952ce5de537c15ed917b71b245f11
   ├── ✔ Packages                        [15 packages]  
   ├── ✔ File digests                    [78 files]  
   ├── ✔ File metadata                   [78 locations]  
   └── ✔ Executables                     [17 executables]  
 ✔ Scanned for vulnerabilities     [22 vulnerability matches]  
   ├── by severity: 0 critical, 2 high, 16 medium, 0 low, 0 negligible (4 unknown)
   └── by status:   22 fixed, 0 not-fixed, 0 ignored 
NAME        INSTALLED  FIXED-IN   TYPE  VULNERABILITY  SEVERITY 
...
libcrypto3  3.0.8-r3   3.0.8-r4   apk   CVE-2023-1255  Medium  
...

vexctl filter works


What you expected to happen:

I do not expect the vulnerability to be reported.
Maybe I am missing something here?

How to reproduce it (as minimally and precisely as possible):
see above
Anything else we need to know?:

Environment:

  • Output of grype version: 0.77.1
  • OS (e.g: cat /etc/os-release or similar): mac/linux - tested both
@willejs willejs added the bug Something isn't working label Apr 30, 2024
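The filtering the report expects from `--vex`, as an added Python example that is not grype's or vexctl's own code: it applies the OpenVEX statement above to a constructed subset of `grype -o json` matches. It assumes grype's documented default of dropping matches whose VEX status is `fixed` or `not_affected`, and the `matches[].vulnerability.id` / `matches[].artifact.purl` fields of grype's JSON output; both the VEX document and the report below are constructed samples.

```python
import json

# Statuses grype is documented to drop from its report by default (assumption
# taken from grype's VEX docs); "affected" and "under_investigation" stay listed.
FILTERED_STATUSES = {"fixed", "not_affected"}
IMAGE = "pkg:oci/alpine@sha256%3A124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126"

# Constructed OpenVEX document carrying the issue's single statement.
VEX_JSON = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "statements": [{"vulnerability": {"name": "CVE-2023-1255"}, "status": "fixed",
                    "products": [{"@id": IMAGE, "subcomponents": [
                        {"@id": "pkg:apk/alpine/libssl3@3.0.8-r3"},
                        {"@id": "pkg:apk/alpine/libcrypto3@3.0.8-r3"}]}]}]})

# Constructed subset of `grype -o json` output; grype appends purl qualifiers.
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2023-1255"},
     "artifact": {"purl": "pkg:apk/alpine/libcrypto3@3.0.8-r3?arch=x86_64"}},
    {"vulnerability": {"id": "CVE-2023-1255"},
     "artifact": {"purl": "pkg:apk/alpine/libssl3@3.0.8-r3?arch=x86_64"}},
    {"vulnerability": {"id": "CVE-2023-5363"},
     "artifact": {"purl": "pkg:apk/alpine/libssl3@3.0.8-r3?arch=x86_64"}}]})


def base_purl(purl):
    """Strip qualifiers (?arch=...&distro=...) so purls compare by package."""
    return purl.split("?", 1)[0]


def vex_status(vex, image_purl, vuln, purl):
    """Status of the first statement covering (image, package, CVE), else None."""
    for s in vex["statements"]:
        if s["vulnerability"]["name"] != vuln:
            continue
        for p in s.get("products", []):
            subs = {c["@id"] for c in p.get("subcomponents", [])}
            # A statement with no subcomponents covers every package in the image.
            if p.get("@id") == image_purl and (not subs or purl in subs):
                return s["status"]
    return None


def apply_vex(report_json, vex_json, image_purl):
    """Split grype matches into (kept, ignored) the way --vex is meant to."""
    report, vex = json.loads(report_json), json.loads(vex_json)
    kept, ignored = [], []
    for m in report["matches"]:
        vuln, purl = m["vulnerability"]["id"], base_purl(m["artifact"]["purl"])
        status = vex_status(vex, image_purl, vuln, purl)
        (ignored if status in FILTERED_STATUSES else kept).append((vuln, purl, status))
    return kept, ignored
```

Running `apply_vex` over a real `grype -o json` report is a quick way to check whether the report still lists matches that a VEX document should have suppressed.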
tgerla (Contributor) commented May 2, 2024

Hi @willejs, thank you for the report. We've reproduced this issue on the latest Grype, 0.77.2:

Without vex (CVE-2023-1255 shows up):

tgerla@Timothys-MacBook-Pro-2 grype-1836 % grype alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126

 ✔ Vulnerability DB                [no update available]
 ✔ Parsed image                                        sha256:51e60588ff2cd9f45792b23de89bfface0a7fbd711d17c5f5ce900a4f6b16260
 ✔ Cataloged contents                                         b5a5b7ce4eabc8414bf367761a28f4e8b16952ce5de537c15ed917b71b245f11
   ├── ✔ Packages                        [15 packages]
   ├── ✔ File digests                    [78 files]
   ├── ✔ File metadata                   [78 locations]
   └── ✔ Executables                     [17 executables]
 ✔ Scanned for vulnerabilities     [22 vulnerability matches]
   ├── by severity: 0 critical, 2 high, 16 medium, 0 low, 0 negligible (4 unknown)
   └── by status:   22 fixed, 0 not-fixed, 0 ignored
NAME        INSTALLED  FIXED-IN   TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.0.8-r3   3.0.12-r0  apk   CVE-2023-5363  High
libcrypto3  3.0.8-r3   3.0.12-r4  apk   CVE-2024-0727  Medium
libcrypto3  3.0.8-r3   3.0.12-r2  apk   CVE-2023-6129  Medium
libcrypto3  3.0.8-r3   3.0.12-r1  apk   CVE-2023-5678  Medium
libcrypto3  3.0.8-r3   3.0.10-r0  apk   CVE-2023-3817  Medium
libcrypto3  3.0.8-r3   3.0.9-r3   apk   CVE-2023-3446  Medium
libcrypto3  3.0.8-r3   3.0.9-r2   apk   CVE-2023-2975  Medium
libcrypto3  3.0.8-r3   3.0.9-r0   apk   CVE-2023-2650  Medium
libcrypto3  3.0.8-r3   3.0.8-r4   apk   CVE-2023-1255  Medium
libcrypto3  3.0.8-r3   3.0.12-r5  apk   CVE-2024-2511  Unknown
libcrypto3  3.0.8-r3   3.0.12-r3  apk   CVE-2023-6237  Unknown
libssl3     3.0.8-r3   3.0.12-r0  apk   CVE-2023-5363  High
libssl3     3.0.8-r3   3.0.12-r4  apk   CVE-2024-0727  Medium
libssl3     3.0.8-r3   3.0.12-r2  apk   CVE-2023-6129  Medium
libssl3     3.0.8-r3   3.0.12-r1  apk   CVE-2023-5678  Medium
libssl3     3.0.8-r3   3.0.10-r0  apk   CVE-2023-3817  Medium
libssl3     3.0.8-r3   3.0.9-r3   apk   CVE-2023-3446  Medium
libssl3     3.0.8-r3   3.0.9-r2   apk   CVE-2023-2975  Medium
libssl3     3.0.8-r3   3.0.9-r0   apk   CVE-2023-2650  Medium
libssl3     3.0.8-r3   3.0.8-r4   apk   CVE-2023-1255  Medium
libssl3     3.0.8-r3   3.0.12-r5  apk   CVE-2024-2511  Unknown
libssl3     3.0.8-r3   3.0.12-r3  apk   CVE-2023-6237  Unknown

With vex (CVE-2023-1255 shows up):

tgerla@Timothys-MacBook-Pro-2 grype-1836 % grype alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126 --vex vex.json
 ✔ Vulnerability DB                [no update available]
 ✔ Parsed image                                        sha256:51e60588ff2cd9f45792b23de89bfface0a7fbd711d17c5f5ce900a4f6b16260
 ✔ Cataloged contents                                         b5a5b7ce4eabc8414bf367761a28f4e8b16952ce5de537c15ed917b71b245f11
   ├── ✔ Packages                        [15 packages]
   ├── ✔ File digests                    [78 files]
   ├── ✔ File metadata                   [78 locations]
   └── ✔ Executables                     [17 executables]
 ✔ Scanned for vulnerabilities     [22 vulnerability matches]
   ├── by severity: 0 critical, 2 high, 16 medium, 0 low, 0 negligible (4 unknown)
   └── by status:   22 fixed, 0 not-fixed, 0 ignored
NAME        INSTALLED  FIXED-IN   TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.0.8-r3   3.0.12-r0  apk   CVE-2023-5363  High
libcrypto3  3.0.8-r3   3.0.12-r4  apk   CVE-2024-0727  Medium
libcrypto3  3.0.8-r3   3.0.12-r2  apk   CVE-2023-6129  Medium
libcrypto3  3.0.8-r3   3.0.12-r1  apk   CVE-2023-5678  Medium
libcrypto3  3.0.8-r3   3.0.10-r0  apk   CVE-2023-3817  Medium
libcrypto3  3.0.8-r3   3.0.9-r3   apk   CVE-2023-3446  Medium
libcrypto3  3.0.8-r3   3.0.9-r2   apk   CVE-2023-2975  Medium
libcrypto3  3.0.8-r3   3.0.9-r0   apk   CVE-2023-2650  Medium
libcrypto3  3.0.8-r3   3.0.8-r4   apk   CVE-2023-1255  Medium
libcrypto3  3.0.8-r3   3.0.12-r5  apk   CVE-2024-2511  Unknown
libcrypto3  3.0.8-r3   3.0.12-r3  apk   CVE-2023-6237  Unknown
libssl3     3.0.8-r3   3.0.12-r0  apk   CVE-2023-5363  High
libssl3     3.0.8-r3   3.0.12-r4  apk   CVE-2024-0727  Medium
libssl3     3.0.8-r3   3.0.12-r2  apk   CVE-2023-6129  Medium
libssl3     3.0.8-r3   3.0.12-r1  apk   CVE-2023-5678  Medium
libssl3     3.0.8-r3   3.0.10-r0  apk   CVE-2023-3817  Medium
libssl3     3.0.8-r3   3.0.9-r3   apk   CVE-2023-3446  Medium
libssl3     3.0.8-r3   3.0.9-r2   apk   CVE-2023-2975  Medium
libssl3     3.0.8-r3   3.0.9-r0   apk   CVE-2023-2650  Medium
libssl3     3.0.8-r3   3.0.8-r4   apk   CVE-2023-1255  Medium
libssl3     3.0.8-r3   3.0.12-r5  apk   CVE-2024-2511  Unknown
libssl3     3.0.8-r3   3.0.12-r3  apk   CVE-2023-6237  Unknown
tgerla@Timothys-MacBook-Pro-2 grype-1836 %

On Grype 0.74.7, the CVE was filtered out as expected. We will take a look and see where the regression occurred. Thanks again!
