False positive on vault ruby gem #898

Closed
isuftin opened this issue Aug 25, 2022 · 3 comments
Assignees
Labels
bug Something isn't working false-positive

Comments

isuftin commented Aug 25, 2022

What happened:

Grype is hitting a false positive on the "vault" ruby gem which has the latest version of 0.6.0 ( https://rubygems.org/gems/vault/versions/0.6.0 ) - I am assuming it thinks that this is the HashiCorp Vault software installation.

NAME            INSTALLED               FIXED-IN                                                                              TYPE  VULNERABILITY        SEVERITY      
vault           0.17.0                  1.6.3                                                                                 gem   CVE-2021-27668       Medium      
vault           0.17.0                  1.8.4, 1.8.4, 1.7.5, 1.7.5                                                            gem   CVE-2021-41802       Medium      
vault           0.17.0                  1.3.2                                                                                 gem   CVE-2020-7220        High        
vault           0.17.0                  1.7.1, 1.7.1, 1.6.4, 1.6.4                                                            gem   CVE-2021-27400       High        
vault           0.17.0                  1.7.2, 1.6.5, 1.5.9, 1.6.5, 1.7.2, 1.5.9                                              gem   CVE-2021-32923       High        
vault           0.17.0                  1.8.0, 1.8.0                                                                          gem   CVE-2021-38554       Medium      
vault           0.17.0                  1.5.7, 1.5.7, 1.6.2, 1.6.2                                                            gem   CVE-2021-3024        Medium      
vault           0.17.0                  1.4.2, 1.3.6, 1.4.2, 1.3.6                                                            gem   CVE-2020-13223       High        
vault           0.17.0                  1.2.5, 1.2.5, 1.3.8, 1.3.8, 1.4.4, 1.4.4, 1.5.1, 1.5.1                                gem   CVE-2020-16250       Critical    
vault           0.17.0                  1.5.7, 1.5.7, 1.6.2, 1.6.2                                                            gem   CVE-2020-25594       Medium      
vault           0.17.0                  1.0.0                                                                                 gem   CVE-2018-19786       High        
vault           0.17.0                  1.2.5, 1.3.8, 1.4.4, 1.5.1, 1.2.5, 1.3.8, 1.4.4, 1.5.1                                gem   CVE-2020-16251       Critical 

What you expected to happen:

Grype should not be seeing a vault ruby gem and thinking it's

How to reproduce it (as minimally and precisely as possible):

An example of the Chef Development Kit Docker image we build that is failing the scan:

FROM ubuntu:20.04

ENV CHANNEL=stable
ENV DEBIAN_FRONTEND=noninteractive
ENV PATH=/opt/chef-workstation/bin:/opt/chef-workstation/embedded/bin:/root/.chefdk/gem/ruby/2.7.0/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

WORKDIR /

COPY requirements.txt .

# NOTE: ${MINOR_VERSION} in the chef-workstation download URL below is never
# set in this file; it has to be supplied as a build argument (ARG), otherwise
# the URL expands with an empty path segment.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
    python3.8=3.8* \
    python3-distutils=3.8* \
    wget=1.20.3* \
    curl=7.68.0* \
    openssl=1.1.1f* \
    zlib1g=1:1.2.11.dfsg-2ubuntu1.3 \
    git=1:2.25* && \
    \
    wget -q  https://bootstrap.pypa.io/get-pip.py -O  get-pip.py && \
    python3.8 get-pip.py && \
    rm get-pip.py && \
    python3 -m pip install --no-cache-dir -r requirements.txt && \
    wget -q --content-disposition "http://packages.chef.io/files/${CHANNEL}/chef-workstation/${MINOR_VERSION}/ubuntu/20.04/chef-workstation_22.7.1006-1_amd64.deb" -O /tmp/chef-workstation.deb && \
    dpkg -i /tmp/chef-workstation.deb && \
    rm /tmp/chef-workstation.deb && \
    \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /var/log/*log /var/log/apt/* /var/lib/dpkg/*-old /var/cache/debconf/*-old && \
    \
    useradd --system --create-home --shell /bin/bash --uid 1001 chef && \
    \
    chef -v

USER chef

Just for completeness' sake, requirements.txt:

certifi==2022.6.15
charset-normalizer==2.1.0
idna==3.3
pychefrevival==0.3.1
requests==2.28.1
six==1.16.0
urllib3==1.26.9

Anything else we need to know?:

  • Output of grype version:
Application:          grype
Version:              0.47.0
Syft Version:         v0.54.0
BuildDate:            2022-08-17T20:00:45Z
GitCommit:            08b4ef493b36a65f6149c9092d083d5d57540cdc
GitDescription:       v0.47.0
Platform:             linux/amd64
GoVersion:            go1.18.5
Compiler:             gc
Supported DB Schema:  4
  • OS (e.g: cat /etc/os-release or similar):

This is being run on a GitLab runner within a Docker image we create for Grype using alpine:3.16
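The matching behaviour this report describes, a gem named vault being matched against HashiCorp Vault CVEs on the package name alone, is the kind of finding worth separating from feed-backed matches before acting on a scan. The triage script below is an added example, not code from the issue or from the grype project: it reads a `grype -o json` report, flags matches for ecosystem packages (gems, npm, python, ...) that rest only on CPE matching, reports the vendor(s) in the vulnerability's CPEs so a reviewer can see the name collision, and renders the reviewed entries as grype ignore rules for a `.grype.yaml`. The JSON field names (`matches`, `matchDetails`, `artifact`, `searchedBy`, `found`) are an assumption about grype's output schema; the sample report is constructed, with the vault / 0.17.0 / CVE-2021-27668 values taken from the table above and the second finding and file paths made up.

```python
import json

# Package types whose advisories should come from an ecosystem feed (e.g. the
# GitHub advisory database for gems) rather than from NVD CPE name matching.
ECOSYSTEM_TYPES = {"gem", "npm", "python", "java-archive", "go-module"}

# Constructed sample in the shape of `grype -o json` output. The field names
# (matches, matchDetails, artifact, ...) are an assumption about grype's JSON
# schema; the vault/0.17.0/CVE-2021-27668 values come from the issue, the
# second finding (CVE-0000-00000 is a placeholder) and the paths are made up.
SAMPLE_GRYPE_JSON = json.dumps({
    "matches": [
        {
            "vulnerability": {"id": "CVE-2021-27668", "severity": "Medium"},
            "matchDetails": [{
                "type": "cpe-match",
                "matcher": "ruby-gem-matcher",
                "searchedBy": {"namespace": "nvd",
                               "cpes": ["cpe:2.3:a:vault:vault:0.17.0:*:*:*:*:*:*:*"]},
                "found": {"cpes": ["cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*:*"]},
            }],
            "artifact": {"name": "vault", "version": "0.17.0", "type": "gem",
                         "locations": [{"path": "/srv/app/Gemfile.lock"}]},
        },
        {
            "vulnerability": {"id": "CVE-0000-00000", "severity": "High"},
            "matchDetails": [{
                "type": "exact-direct-match",
                "matcher": "ruby-gem-matcher",
                "searchedBy": {"namespace": "github:gem"},
                "found": {"versionConstraint": "< 9.9.9 (unknown)"},
            }],
            "artifact": {"name": "example-gem", "version": "1.0.0", "type": "gem",
                         "locations": [{"path": "/srv/app/Gemfile.lock"}]},
        },
    ]
})


def cpe_vendor_product(cpe):
    """Split a CPE 2.3 string into (vendor, product)."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 string: %r" % cpe)
    return parts[3], parts[4]


def suspect_reason(match):
    """Return why a match looks like a CPE name collision, or None when it is
    backed by at least one non-CPE (ecosystem feed) match detail."""
    artifact = match["artifact"]
    if artifact.get("type") not in ECOSYSTEM_TYPES:
        return None
    details = match.get("matchDetails", [])
    if not details or any(d.get("type") != "cpe-match" for d in details):
        return None
    # Vendors named in the vulnerability's own CPEs, e.g. "hashicorp" for a
    # gem called "vault": the reviewer can see at a glance whose product it is.
    vendors = sorted({cpe_vendor_product(c)[0]
                      for d in details
                      for c in d.get("found", {}).get("cpes", [])})
    return ("%s package %r matched only by CPE (vulnerability CPE vendor(s): %s)"
            % (artifact["type"], artifact["name"], ", ".join(vendors) or "unknown"))


def triage(report_json):
    """Split a grype JSON report into CPE-only matches to review and matches to keep."""
    result = {"suspect": [], "keep": []}
    for match in json.loads(report_json)["matches"]:
        a = match["artifact"]
        entry = {"id": match["vulnerability"]["id"], "package": a["name"],
                 "version": a.get("version", ""), "type": a.get("type", "")}
        reason = suspect_reason(match)
        if reason:
            entry["reason"] = reason
            result["suspect"].append(entry)
        else:
            result["keep"].append(entry)
    return result


def ignore_rules_yaml(suspects):
    """Render reviewed false positives as grype ignore rules (.grype.yaml syntax)."""
    lines = ["ignore:"]
    for s in suspects:
        lines += ["  - vulnerability: %s" % s["id"],
                  "    package:",
                  "      name: %s" % s["package"],
                  "      version: %s" % s["version"],
                  "      type: %s" % s["type"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    t = triage(SAMPLE_GRYPE_JSON)
    for s in t["suspect"]:
        print("REVIEW", s["id"], s["reason"])
    print(ignore_rules_yaml(t["suspect"]))
```

On a real scan, produce the report with `grype <image> -o json > report.json` and call `triage(open("report.json").read())`. Treat the suspect list as a review queue rather than an automatic allowlist: a CPE-only match is not wrong by itself, and the generated ignore rules should only be committed once the vendor in the CPE has been confirmed to be a different project from the package actually installed. Pinning the rule to the package version keeps the suppression from silently carrying over to a later upgrade.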

@isuftin isuftin added the bug Something isn't working label Aug 25, 2022

isuftin commented Aug 25, 2022

I think this is related to #244

@willmurphyscode (Contributor) commented:

Hi @isuftin, I'm no longer able to reproduce this. What I've tried:

  • making a Dockerfile just as in your original post (but adding --platform=linux/amd64 on the FROM line, since I am on M1 mac), and a requirements.txt just in case, and running docker build . -t grype898 in that directory. The apt-get install command fails, even after a bit of troubleshooting. Maybe some packages are no longer available?
  • making an empty ruby project that depends on the vault gem directly:

Gemfile

source 'https://rubygems.org'
gem 'vault', '0.17.0'

But in this directory, running bundle install, and then grype dir:. prints No vulnerabilities found.

If you believe this is still an issue, would you mind providing a link to an artifact that would let us reproduce it, such as a link to a public container image or repository that exhibits the false positive, or maybe a new Dockerfile or script that produces such an artifact? Thanks!

@willmurphyscode willmurphyscode self-assigned this Jun 7, 2023
@willmurphyscode (Contributor) commented:

Hi @isuftin, thanks for reporting this issue! I haven't been able to reproduce it, so I'm marking it as closed. (Also, it seems possible it's a duplicate of #244). If you believe we should be investigating this issue specifically, would you mind providing steps on how we can reproduce it? Thanks!

@willmurphyscode willmurphyscode closed this as not planned (won't fix, can't repro, duplicate, stale) Aug 3, 2023