I was wondering if there was a way to configure Grype to pull from just the NVD as a source. I used in my yaml file:
GNU nano 7.2 /home/rco/.grype.yaml
# grype configuration file
vulnerability:
provider:
priority:
- nvd
- github
- osv
unmarshalers:
nvd:
enabled: true
github:
enabled: true
osv:
enabled: true
anchore:
enabled: true
redhat:
enabled: true
id-matcher:
preferred-id-prefixes:
- cve
- ghsa
- osv
match:
java:
using-cpes: true
python:
using-cpes: true
javascript:
using-cpes: true
ruby:
using-cpes: true
dotnet:
using-cpes: true
golang:
using-cpes: true
php:
using-cpes: true
stock:
using-cpes: true
When it pulls the vulnerabilities, I get a response below in my results:
ws 7.4.6 7.5.10 npm GHSA-3h5v-q93c-6h6q High
When you go to the GITHUB for this GHSA, it links it to CVE-2024-37890, which states: This vulnerability is currently awaiting analysis.
I was wondering instead of returning the GHSA that if there was a way to have it return the CVE instead of the GHSA, or even include the GHSA as a supplemental ID instead of the primary for this vulnerability?
Any help would be greatly appreciated.
Hi @Emiliano_Martinez! Thanks for the question.
Does --by-cve
do what you need?
--by-cve
orients the output around the CVE ID of each match, as opposed to the default which uses the ID of the source we used for the match, for example GHSA. This affects the display ID, but it doesn’t affect the matching criteria, so it might not be what you’re looking for.
While you’re here, can you help me understand why you want to prefer NVD data over other data sources? The data at ws affected by a DoS when handling a request with many HTTP headers · CVE-2024-37890 · GitHub Advisory Database · GitHub has been review by GitHub, even if NVD hasn’t gotten around to reviewing this vulnerability yet. “awaiting analysis” just means that NVD haven’t review it yet, not that they think it’s unimportant or invalid.
We’ve generally found that, because CPE is a bit of a lossy format (for example, it doesn’t encode package type), NVD matching criteria are actually much worse than GHSA’s for package ecosystems that GHSA supports. Does your experience differ? Is there a reason you have to prefer NVD data?
I don’t believe right now there’s a config switch to completely turn off all datasources besides NVD. The using-cpes: true
blocks in your config above trun on NVD CPE matching, but they don’t turn off other sorts of matching.
The reason why is I am trying to track the vulnerabilities to the NVD due to some of the GHSA that I have seen was marked under a different category compared to NIST, and I am trying to align the vulnerabilities to the NIST categorization based on the vulnerability. For example GHSA-gjcw-v447-2w7q:
Forgeable Public/Private Tokens in jws
Is tied to CVE-2016-1000223 which is reserved by an organization and doesnt have a score listed on NVD.
There are some other examples of where the GHSA would have them at a different severity to NVD and vice versa.
You can achieve this by building your own Grype database and limiting the providers to just NVD. The workflow to get there isn’t documented well, but it can be done and works reliably.