
rust-crate false-positive: CVE-2019-3826 #902

Closed
lclc opened this issue Aug 26, 2022 · 2 comments
Labels: bug (Something isn't working), changelog-ignore (Don't include this issue in the release changelog), ecosystem:rust (relating to the rust ecosystem), false-positive:cpe (This issue is a report of a false positive caused by CPE matching), false-positive

Comments


lclc commented Aug 26, 2022

What happened:

False-positive for the following rust-crate:
NAME        INSTALLED  FIXED-IN  TYPE        VULNERABILITY  SEVERITY
prometheus  0.13.1     2.7.1     rust-crate  CVE-2019-3826  Medium

What you expected to happen:

0.13.1 is the latest version of that crate. See https://crates.io/crates/prometheus

grype seems to mix up the version of Prometheus with the version of the crate.

Environment:

Output of grype version:
Application: grype
Version: 0.48.0
Syft Version: v0.54.0
BuildDate: 2022-08-24T15:42:08Z
GitCommit: https://github.com/anchore/grype/commit/e9df59b4b1bd56c370500b5072eeace3ab51f8b3
GitDescription: v0.48.0
@lclc lclc added the bug Something isn't working label Aug 26, 2022
@spiffcs spiffcs added ecosystem:rust relating to the rust ecosystem false-positive labels Aug 29, 2022

spiffcs commented Aug 29, 2022

This looks like it's another overlap caused by the naming convention.

https://crates.io/crates/prometheus <-- Since the crate's name is prometheus it matches against upstream prometheus
https://github.com/prometheus/prometheus

These are hard to tune against, but we're working on finding ways to invalidate these overlaps from being reported based on a couple of factors.

It's not something we want to maintain at the app layer though which is why you'll probably see some future schema updates in the grype db to protect against this. That way we don't have to cut a new grype release for every overlap/fp we mitigate.

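To make the overlap spiffcs describes concrete, here is an added example (not grype's own matching code): a package CPE for the crate and an advisory CPE for the Prometheus server share vendor and product, so a version-only comparison flags 0.13.1 as below the 2.7.1 fix, while requiring the advisory's target_sw to agree with the package's ecosystem rules the match out. The CPE strings, the `VulnCpe` record and the target_sw rule are assumptions made for this example.

```python
# Added example, not grype's logic: how a vendor/product CPE match alone pairs the
# 'prometheus' Rust crate with a Prometheus-server CVE, and how an ecosystem
# (target_sw) check on the advisory side prevents that overlap.
from dataclasses import dataclass

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its eleven named attributes."""
    head, *attrs = cpe.split(":")
    if head != "cpe" or attrs[0] != "2.3" or len(attrs) != 12:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE_FIELDS, attrs[1:]))


def version_tuple(version: str) -> tuple:
    """Dotted numeric version to a comparable tuple, e.g. '2.7.1' -> (2, 7, 1)."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class VulnCpe:
    """Constructed advisory record: affected product CPE and the fixing version."""
    cpe: str
    fixed_in: str


def matches(pkg_cpe: str, vuln: VulnCpe, strict_ecosystem: bool) -> bool:
    """Return True if the package is reported as affected by the advisory."""
    pkg, vul = parse_cpe(pkg_cpe), parse_cpe(vuln.cpe)
    if (pkg["vendor"], pkg["product"]) != (vul["vendor"], vul["product"]):
        return False
    # Hypothetical mitigation: a package that declares a language ecosystem only
    # matches an advisory whose target_sw names that same ecosystem, so a server
    # CVE with a wildcard target_sw no longer applies to the crate.
    if strict_ecosystem and pkg["target_sw"] != "*" and vul["target_sw"] != pkg["target_sw"]:
        return False
    return version_tuple(pkg["version"]) < version_tuple(vuln.fixed_in)


# Constructed sample CPEs: the crate as reported by the SBOM, and the server CVE.
CRATE_CPE = "cpe:2.3:a:prometheus:prometheus:0.13.1:*:*:*:*:rust:*:*"
SERVER_CVE = VulnCpe("cpe:2.3:a:prometheus:prometheus:*:*:*:*:*:*:*:*", "2.7.1")

if __name__ == "__main__":
    print("name-only match:", matches(CRATE_CPE, SERVER_CVE, strict_ecosystem=False))
    print("ecosystem-aware match:", matches(CRATE_CPE, SERVER_CVE, strict_ecosystem=True))
```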
@willmurphyscode willmurphyscode added the false-positive:cpe This issue is a report of a false positive caused by CPE matching label Jun 7, 2023
@willmurphyscode willmurphyscode added the changelog-ignore Don't include this issue in the release changelog label May 15, 2024
@willmurphyscode (Contributor) commented

Hi @lclc!

This was fixed by the same change I mentioned at #901 (comment)

Please let us know if we missed something. Thanks!
