
False Positive: CVE-2021-40525, CVE-2021-40110, CVE-2022-28220, CVE-2021-38542, CVE-2021-40111, CVE-2022-45935 #1138

Closed
sekveaja opened this issue Feb 21, 2023 · 2 comments
Labels
bug Something isn't working changelog-ignore Don't include this issue in the release changelog false-positive

Comments

@sekveaja

What happened:

Issue with mime4j-storage-0.8.3, mime4j-core-0.8.3 and mime4j-dom-0.8.3,

"package_path": "/opt/jboss/keycloak/lib/lib/main/org.apache.james.apache-mime4j-storage-0.8.3.jar"

"package_path": "/opt/jboss/keycloak/lib/lib/main/org.apache.james.apache-mime4j-core-0.8.3.jar",

"package_path": "/opt/jboss/keycloak/lib/lib/main/org.apache.james.apache-mime4j-dom-0.8.3.jar",

Grype reports https://nvd.nist.gov/vuln/detail/CVE-2021-40525,

which is for James version 3.6.1.

It is not the same package.

Environment:
Anchore Grype version: 0.56.0

OS type running in the current environment (cat /etc/os-release):

~> cat /etc/os-release
NAME="SLES"
VERSION="15-SP3"
VERSION_ID="15.3"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP3"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp3"
DOCUMENTATION_URL="https://documentation.suse.com/"

@sekveaja sekveaja added the bug Something isn't working label Feb 21, 2023
@mamccorm

mamccorm commented Oct 5, 2023

Another CVE with the same root cause as reported here:
CVE-2023-26269

@willmurphyscode willmurphyscode added the changelog-ignore Don't include this issue in the release changelog label May 15, 2024
@willmurphyscode
Contributor

I believe this false positive is fixed by the switch from CPE to PURL based matching for Java ecosystems (see https://anchore.com/blog/say-goodbye-to-false-positives/).

Testing:

  1. Download the mentioned jars in a temp directory
  2. Run syft . to confirm that we find all the jars
  3. Run grype . to see whether we still find the vulnerabilities
$ syft .
NAME                   VERSION  TYPE
apache-mime4j-core     0.8.3    java-archive
apache-mime4j-dom      0.8.3    java-archive
apache-mime4j-storage  0.8.3    java-archive
mutiny                 1.1.2    java-archive
$ grype . 
NAME                   INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY
apache-mime4j-core     0.8.3      0.8.10    java-archive  GHSA-jw7r-rxff-gv24  Medium
apache-mime4j-storage  0.8.3      0.8.9     java-archive  GHSA-q84x-3476-8ff2  Medium

Both those GHSA seem to be true positives. None of the CVEs mentioned in the original report are still reported, so I'm closing this issue, but please let me know if I've missed something.
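The matching difference willmurphyscode refers to, shown as an added example that is not grype's or syft's code. The three jars and the two GHSA fix versions are taken from the scan output above; the vulnerability records, the CPE vendor/product pairs, the Apache James server PURL, and the CPE-guessing heuristic are constructed assumptions for illustration. A CPE derived from the Maven groupId `org.apache.james` collapses the mime4j libraries and the James mail server into the same `apache:james` pair, so an NVD-style record for the server matches a 0.8.x library; a Package URL keys on groupId plus artifactId and only matches records that name the exact artifact.

```python
"""Constructed illustration (not grype's code) of why CPE-based matching
flagged the mime4j jars for an Apache James server CVE while PURL-based
matching does not. All vulnerability records below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Jar:
    group_id: str
    artifact_id: str
    version: str

    @property
    def purl(self) -> str:
        # Package URL without the version qualifier: what a PURL matcher keys on.
        return f"pkg:maven/{self.group_id}/{self.artifact_id}"


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str
    cpe_vendor: str    # NVD-style CPE vendor/product (constructed)
    cpe_product: str
    purl: str          # affected artifact as a PURL (constructed for the CVE)
    fixed_in: str      # versions below this are affected


def version_tuple(v: str):
    return tuple(int(p) for p in v.split("."))


def cpe_candidates(jar: Jar):
    """Guess CPE vendor/product pairs from Maven coordinates.
    Assumption: a deliberately simple stand-in for heuristic CPE generation.
    org.apache.james -> vendor 'apache', products {'james', artifact_id}."""
    parts = jar.group_id.split(".")
    reversed_domain = parts[0] in {"org", "com", "net", "io"} and len(parts) > 1
    vendor = parts[1] if reversed_domain else parts[0]
    return {(vendor, parts[-1]), (vendor, jar.artifact_id)}


def affected(jar: Jar, rec: VulnRecord) -> bool:
    return version_tuple(jar.version) < version_tuple(rec.fixed_in)


def match_cpe(jar: Jar, records):
    """CPE-style match: any guessed vendor/product pair plus version range."""
    cands = cpe_candidates(jar)
    return sorted(r.vuln_id for r in records
                  if (r.cpe_vendor, r.cpe_product) in cands and affected(jar, r))


def match_purl(jar: Jar, records):
    """PURL-style match: exact groupId/artifactId plus version range."""
    return sorted(r.vuln_id for r in records
                  if r.purl == jar.purl and affected(jar, r))


# The three jars from the report.
MIME4J_CORE = Jar("org.apache.james", "apache-mime4j-core", "0.8.3")
MIME4J_DOM = Jar("org.apache.james", "apache-mime4j-dom", "0.8.3")
MIME4J_STORAGE = Jar("org.apache.james", "apache-mime4j-storage", "0.8.3")

RECORDS = [
    # Server CVE: the issue says it is for James 3.6.1, so 3.6.1 is used as the
    # fix version; the james-server PURL and CPE pair are assumptions.
    VulnRecord("CVE-2021-40525", "apache", "james",
               "pkg:maven/org.apache.james/james-server", "3.6.1"),
    # Library advisories: fix versions from the grype output above; the CPE
    # pairs are assumptions.
    VulnRecord("GHSA-jw7r-rxff-gv24", "apache", "apache-mime4j-core",
               "pkg:maven/org.apache.james/apache-mime4j-core", "0.8.10"),
    VulnRecord("GHSA-q84x-3476-8ff2", "apache", "apache-mime4j-storage",
               "pkg:maven/org.apache.james/apache-mime4j-storage", "0.8.9"),
]


if __name__ == "__main__":
    for jar in (MIME4J_CORE, MIME4J_DOM, MIME4J_STORAGE):
        print(f"{jar.artifact_id:24} cpe={match_cpe(jar, RECORDS)} "
              f"purl={match_purl(jar, RECORDS)}")
```

Run stand-alone, the CPE column lists CVE-2021-40525 for all three jars because `0.8.3 < 3.6.1` and every jar maps to `apache:james`, while the PURL column lists only the two GHSAs, matching the grype 0.7x-era output quoted in the comment.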
