
False positives when installing both libcrypto, libssl 1.1 and 3 on alpine 3.19 #1843

Open
remiville opened this issue May 3, 2024 · 3 comments
Labels: bug (Something isn't working)

Comments

remiville commented May 3, 2024

What happened:

On alpine I need:

  • libcrypto3, libssl3 (3.1.4-r6)
  • tomcat 9.0.87 with tomcat-native 1.2.33-r0 (taken from 3.16 repo) because tomcat-native 2.x is only supported since tomcat 10.1.
    tomcat-native 1.x relies on libcrypto1.1, libssl1.1

When I was on alpine 3.18 there was no issue (I suppose because alpine 3.18 already has libcrypto1.1, libssl1.1).

When I upgrade to 3.19 I have to explicitly install libcrypto1.1, libssl1.1 (1.1.1w-r1) from the alpine 3.16 repo (even though I'm on alpine 3.19) because the alpine 3.19 repo does not include these libraries (unlike alpine 3.18).
Doing this I get many, many false positives (see below).
I think this is a consequence of installing both libcrypto3, libssl3 and libcrypto1.1, libssl1.1, even though these high CVEs are part of version intervals not concerned by the versions I install.
Most of the time these CVEs concern versions up to 1.1.1t (even though I install libcrypto1.1 1.1.1w-r1) or between [3.0, 3.0.12] or [3.1, 3.1.4] (even though I install libcrypto3 3.1.4-r6).

Vulnerabilities
NAME          INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY 
libcrypto1.1  1.1.1w-r1  3.1.0-r1  apk           CVE-2023-0464        High      
libcrypto1.1  1.1.1w-r1  3.0.2-r0  apk           CVE-2022-0778        High      
libcrypto1.1  1.1.1w-r1  3.0.7-r0  apk           CVE-2022-3786        High      
libcrypto1.1  1.1.1w-r1  3.1.4-r0  apk           CVE-2023-5363        High      
libcrypto1.1  1.1.1w-r1  3.1.4-r1  apk           CVE-2023-5678        Medium    
libcrypto1.1  1.1.1w-r1  3.1.4-r6  apk           CVE-2024-2511        Unknown   
libcrypto1.1  1.1.1w-r1  3.0.3-r0  apk           CVE-2022-1434        Medium    
libcrypto1.1  1.1.1w-r1  3.0.8-r0  apk           CVE-2022-4203        Medium    
libcrypto1.1  1.1.1w-r1  3.0.1-r0  apk           CVE-2021-4044        High      
libcrypto1.1  1.1.1w-r1  3.0.8-r0  apk           CVE-2023-0217        High      
libcrypto1.1  1.1.1w-r1  3.0.8-r0  apk           CVE-2022-4450        High      
libcrypto1.1  1.1.1w-r1  3.1.1-r3  apk           CVE-2023-3446        Medium    
libcrypto1.1  1.1.1w-r1  3.1.4-r5  apk           CVE-2024-0727        Medium    
libcrypto1.1  1.1.1w-r1  3.0.7-r2  apk           CVE-2022-3996        High      
libcrypto1.1  1.1.1w-r1  3.1.1-r0  apk           CVE-2023-2650        Medium    
libcrypto1.1  1.1.1w-r1  3.1.2-r0  apk           CVE-2023-3817        Medium    
libcrypto1.1  1.1.1w-r1  3.1.4-r3  apk           CVE-2023-6129        Medium    
libcrypto1.1  1.1.1w-r1  3.0.8-r0  apk           CVE-2023-0286        High      
libcrypto1.1  1.1.1w-r1  3.0.5-r0  apk           CVE-2022-2097        Medium    
libcrypto1.1  1.1.1w-r1  3.0.8-r0  apk           CVE-2023-0401        High      
libcrypto1.1  1.1.1w-r1  3.1.1-r2  apk           CVE-2023-2975        Medium    
libcrypto1.1  1.1.1w-r1  3.1.4-r4  apk           CVE-2023-6237        Unknown   
libcrypto1.1  1.1.1w-r1  3.0.6-r0  apk           CVE-2022-3358        High      
libcrypto1.1  1.1.1w-r1  3.0.7-r0  apk           CVE-2022-3602        High      
libcrypto1.1  1.1.1w-r1  3.0.8-r0  apk           CVE-2023-0215        High      
libcrypto1.1  1.1.1w-r1  3.0.8-r0  apk           CVE-2023-0216        High      
libcrypto1.1  1.1.1w-r1  3.1.0-r2  apk           CVE-2023-0465        Medium    
libcrypto1.1  1.1.1w-r1  3.0.3-r0  apk           CVE-2022-1473        High      
libcrypto1.1  1.1.1w-r1  3.0.8-r0  apk           CVE-2022-4304        Medium    
libcrypto1.1  1.1.1w-r1  3.1.0-r4  apk           CVE-2023-1255        Medium    
libcrypto1.1  1.1.1w-r1  3.0.3-r0  apk           CVE-2022-1343        Medium    
libssl1.1     1.1.1w-r1  3.0.8-r0  apk           CVE-2022-4203        Medium    
libssl1.1     1.1.1w-r1  3.0.8-r0  apk           CVE-2023-0401        High      
libssl1.1     1.1.1w-r1  3.1.0-r4  apk           CVE-2023-1255        Medium    
libssl1.1     1.1.1w-r1  3.1.4-r3  apk           CVE-2023-6129        Medium    
libssl1.1     1.1.1w-r1  3.1.4-r6  apk           CVE-2024-2511        Unknown   
libssl1.1     1.1.1w-r1  3.0.3-r0  apk           CVE-2022-1343        Medium    
libssl1.1     1.1.1w-r1  3.1.0-r1  apk           CVE-2023-0464        High      
libssl1.1     1.1.1w-r1  3.0.5-r0  apk           CVE-2022-2097        Medium    
libssl1.1     1.1.1w-r1  3.1.4-r4  apk           CVE-2023-6237        Unknown   
libssl1.1     1.1.1w-r1  3.0.3-r0  apk           CVE-2022-1473        High      
libssl1.1     1.1.1w-r1  3.0.6-r0  apk           CVE-2022-3358        High      
libssl1.1     1.1.1w-r1  3.0.8-r0  apk           CVE-2022-4304        Medium    
libssl1.1     1.1.1w-r1  3.1.1-r2  apk           CVE-2023-2975        Medium    
libssl1.1     1.1.1w-r1  3.1.0-r2  apk           CVE-2023-0465        Medium    
libssl1.1     1.1.1w-r1  3.1.1-r3  apk           CVE-2023-3446        Medium    
libssl1.1     1.1.1w-r1  3.1.4-r1  apk           CVE-2023-5678        Medium    
libssl1.1     1.1.1w-r1  3.0.3-r0  apk           CVE-2022-1434        Medium    
libssl1.1     1.1.1w-r1  3.0.7-r2  apk           CVE-2022-3996        High      
libssl1.1     1.1.1w-r1  3.0.1-r0  apk           CVE-2021-4044        High      
libssl1.1     1.1.1w-r1  3.0.2-r0  apk           CVE-2022-0778        High      
libssl1.1     1.1.1w-r1  3.1.4-r0  apk           CVE-2023-5363        High      
libssl1.1     1.1.1w-r1  3.0.8-r0  apk           CVE-2023-0216        High      
libssl1.1     1.1.1w-r1  3.1.2-r0  apk           CVE-2023-3817        Medium    
libssl1.1     1.1.1w-r1  3.1.4-r5  apk           CVE-2024-0727        Medium    
libssl1.1     1.1.1w-r1  3.1.1-r0  apk           CVE-2023-2650        Medium    
libssl1.1     1.1.1w-r1  3.0.8-r0  apk           CVE-2022-4450        High      
libssl1.1     1.1.1w-r1  3.0.7-r0  apk           CVE-2022-3602        High      
libssl1.1     1.1.1w-r1  3.0.7-r0  apk           CVE-2022-3786        High      
libssl1.1     1.1.1w-r1  3.0.8-r0  apk           CVE-2023-0215        High      
libssl1.1     1.1.1w-r1  3.0.8-r0  apk           CVE-2023-0217        High      
libssl1.1     1.1.1w-r1  3.0.8-r0  apk           CVE-2023-0286        High

What you expected to happen:

Grype should not report these false positives and should distinguish the use of libcrypto1.1 from that of libcrypto3.

How to reproduce it (as minimally and precisely as possible):

FROM alpine:3.19

# Add the 3.16 main repository under a tag so that only the explicitly tagged
# packages are pulled from it. Each package constraint is quoted: an unquoted
# ">=" is a shell redirection, not an apk version constraint, and the version
# pin would silently be dropped.
RUN echo "@3.16.main https://dl-cdn.alpinelinux.org/alpine/v3.16/main"  >> /etc/apk/repositories && \
  apk add "libcrypto3>=3.1.4-r6" \
    "libssl3>=3.1.4-r6" \
    "libcrypto1.1@3.16.main>=1.1.1w-r1" \
    "libssl1.1@3.16.main>=1.1.1w-r1" && \
  apk upgrade \
    libcrypto3 \
    libssl3

Anything else we need to know?:

Environment:

  • Output of grype version: v0.74.2
  • OS (e.g: cat /etc/os-release or similar):
@remiville remiville added the bug Something isn't working label May 3, 2024
@willmurphyscode (Contributor)

Hi @remiville,

Thanks for the report! The reason Grype is matching is that for OS packages (in this case APK packages) that have a source/upstream package, vulnerabilities against the source/upstream package are reported. In this case, the source upstream package is openssl.

For example, for CVE-2023-0464, we have the following entry in the match database:

id             package_name  version_constraint
-------------  ------------  ------------------
CVE-2023-0464  openssl       < 3.1.0-r1

Because libcrypto1.1 and libssl1.1 have openssl as their upstream at a version less than 3.1.0-r1, these packages are marked as vulnerable to CVE-2023-0464.

Can you help me understand why you believe these are false positives? Is it because libssl1.1 and libcrypto1.1 should be considered different packages than libssl and libcrypto, and not just older versions?

@remiville (Author)

Hi @willmurphyscode,

Thanks for your support, for example if we focus on CVE-2023-0464 (same story for other CVE listed previously):

I didn't have this issue when installing only libssl1.1 and libcrypto1.1 or only libssl3 and libcrypto3 packages, I've got the issue when installing both.

@willmurphyscode (Contributor)

Thanks for the response @remiville!

Would you mind posting a Dockerfile that doesn't have the false positive? Was it on a different version of Alpine?

I think what's going on is that we don't have the lower bound of the version constraint in the database correctly:

select id, package_name, version_constraint, namespace 
from vulnerability 
where namespace like '%alpine%' and id = 'CVE-2023-0464';
id             package_name       version_constraint  namespace
-------------  -----------------  ------------------  -------------------------
CVE-2023-0464  openssl            < 1.1.1t-r1         alpine:distro:alpine:3.14
CVE-2023-0464  openssl            < 1.1.1t-r2         alpine:distro:alpine:3.15
CVE-2023-0464  openssl3           < 3.0.8-r1          alpine:distro:alpine:3.15
CVE-2023-0464  openssl            < 1.1.1t-r1         alpine:distro:alpine:3.16
CVE-2023-0464  openssl3           < 3.0.8-r1          alpine:distro:alpine:3.16
CVE-2023-0464  openssl            < 3.0.8-r1          alpine:distro:alpine:3.17
CVE-2023-0464  openssl1.1-compat  < 1.1.1t-r1         alpine:distro:alpine:3.17
CVE-2023-0464  openssl            < 3.1.0-r1          alpine:distro:alpine:3.18
CVE-2023-0464  openssl1.1-compat  < 1.1.1t-r1         alpine:distro:alpine:3.18
CVE-2023-0464  openssl            < 3.1.0-r1          alpine:distro:alpine:3.19
CVE-2023-0464  openssl            < 3.1.0-r1          alpine:distro:alpine:edge

In this case, we're scanning an image built from Alpine 3.19, and we have a package called "openssl" whose version is 1.1.1w-r1, so the row CVE-2023-0464 openssl < 3.1.0-r1 alpine:distro:alpine:3.19 matches. From reading https://security.alpinelinux.org/vuln/CVE-2023-0464, it seems like the version constraint should be >= 3.1.0 < 3.1.1, which would not have a match. This might be an issue in the Vunnel provider for Alpine.

It's also worth noting that these are for different versions of Alpine - that is, you're installing packages from Alpine 3.16 onto Alpine 3.19; since it's an Alpine 3.19 image, Grype is going to use the alpine:3.19 namespace to search for vulnerabilities. We have an open issue, #86, to make Grype pick a distro namespace on a per-package basis, but it's not always possible to tell from a package manager what namespace to use.

I think this issue will just be fixed by emitting better version constraints when we build the database, so I'll start digging there.

@willmurphyscode willmurphyscode self-assigned this May 16, 2024
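The two maintainer comments above describe the same mechanism: an APK package is matched through its origin (upstream) package, the rows are selected by the image's distro namespace, and then the version constraint is evaluated. The following is an added example, not Grype's own code, that models exactly that and reproduces the false positive. It assumes a hand-constructed excerpt in the /lib/apk/db/installed record layout (P: name, V: version, o: origin), uses the CVE-2023-0464 rows from the database query above, and uses a deliberately simplified apk version comparator (numeric components, an optional suffix letter, an optional -rN revision; no _pre/_p suffixes). The "corrected" row with the >= 3.1.0 < 3.1.1 lower bound is the one the third comment says the advisory implies.

```python
"""Added example, not Grype's code: a minimal model of the origin-based
matching described in the thread, with a simplified apk version comparator."""
import re

# Constructed sample in the /lib/apk/db/installed format: P = package name,
# V = version, o = origin, i.e. the source/upstream package Grype matches on.
INSTALLED_DB = """\
P:libcrypto1.1
V:1.1.1w-r1
o:openssl

P:libssl1.1
V:1.1.1w-r1
o:openssl

P:libcrypto3
V:3.1.4-r6
o:openssl
"""

# (id, package_name, version_constraint, namespace) rows from the query above.
VULN_ROWS = [
    ("CVE-2023-0464", "openssl",  "< 1.1.1t-r1", "alpine:distro:alpine:3.16"),
    ("CVE-2023-0464", "openssl3", "< 3.0.8-r1",  "alpine:distro:alpine:3.16"),
    ("CVE-2023-0464", "openssl",  "< 3.1.0-r1",  "alpine:distro:alpine:3.19"),
]

# The same 3.19 row with the lower bound the Alpine advisory implies (assumed).
CORRECTED_ROWS = [
    ("CVE-2023-0464", "openssl", ">= 3.1.0 < 3.1.1", "alpine:distro:alpine:3.19"),
]

_VER = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)(?:-r(\d+))?$")
_CLAUSE = re.compile(r"(<=|>=|<|>|=)\s*(\S+)")
_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0,
}


def parse_version(text):
    """'1.1.1w-r1' -> ((1, 1, 1), 'w', 1). Simplified apk version grammar."""
    m = _VER.match(text)
    if not m:
        raise ValueError(f"unsupported apk version: {text!r}")
    nums = tuple(int(n) for n in m.group(1).split("."))
    rev = int(m.group(3)) if m.group(3) is not None else 0
    return nums, m.group(2), rev


def compare(a, b):
    """-1, 0 or 1: numeric components first, then suffix letter, then -rN."""
    ka, kb = parse_version(a), parse_version(b)
    return (ka > kb) - (ka < kb)


def satisfies(version, constraint):
    """True when version meets every clause of a grype-db constraint string."""
    clauses = _CLAUSE.findall(constraint)
    if not clauses:
        raise ValueError(f"unparsable constraint: {constraint!r}")
    return all(_OPS[op](compare(version, bound)) for op, bound in clauses)


def parse_installed(db_text):
    """Read P/V/o fields per record; a package without o: is its own origin."""
    packages = []
    for record in db_text.strip().split("\n\n"):
        fields = dict(line.split(":", 1) for line in record.splitlines() if ":" in line)
        packages.append({"name": fields["P"], "version": fields["V"],
                         "origin": fields.get("o", fields["P"])})
    return packages


def match(packages, rows, distro_namespace):
    """Grype-style lookup: rows are selected by the image's distro namespace and
    the package's origin (not its own name), then the constraint is evaluated."""
    hits = []
    for pkg in packages:
        for vuln_id, pkg_name, constraint, namespace in rows:
            if namespace != distro_namespace or pkg_name != pkg["origin"]:
                continue
            if satisfies(pkg["version"], constraint):
                hits.append((pkg["name"], pkg["version"], vuln_id, constraint))
    return hits


if __name__ == "__main__":
    pkgs = parse_installed(INSTALLED_DB)
    for label, rows in (("current db", VULN_ROWS), ("with lower bound", CORRECTED_ROWS)):
        for hit in match(pkgs, rows, "alpine:distro:alpine:3.19") or [("(no match)",)]:
            print(label, *hit)
```

Run against the alpine:3.19 namespace, the current "< 3.1.0-r1" row matches libcrypto1.1 and libssl1.1 (their origin is openssl and 1.1.1w-r1 sorts below 3.1.0-r1), which is the false positive in the report; the same packages produce no match under the 3.16 namespace because 1.1.1w is above 1.1.1t, and no match at all once the constraint carries its lower bound.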