While testing I found a couple of doubts.
a) I have generated an SBOM using Syft; for analysis I have used Dependency-Track, and for component fixed status I tried to use Grype.
b) I see Grype is giving more CVEs, but some are missing which are listed in Dependency-Track.
Example: the package name is perl-base, the CPE found by Syft is cpe:2.3:a:perl-base:perl-base:5.32.1-4+deb11u2:::::::* and the CVE is CVE-2023-47038; the same CVE is not found in Dependency-Track.
Fixed version for the component in Grype: 5.32.1-4+deb11u3
In NVD the CPE is: "cpe:2.3:a:perl:perl:5.34.0:::::::*"
Here my question is: on what basis is it getting the fixed version, as it does not match in NVD? Is it searching CVE-2023-47038 and providing results?
Thanks in advance, Anvitha
Hi @anvitha_haviligi
First, to answer your question about where Grype gets vulnerability data: in addition to NVD, Grype gets data for many common Linux distros from the security feed provided by the distro maintainers (this is true for Alpine, Amazon Linux, Chainguard, Debian, Mariner, Oracle, RedHat, SUSE, Ubuntu, and Wolfi).
If you want to know more about a given vulnerability in Grype, you can use `grype db search`:

```
$ grype db search CVE-2023-47038 | grep 5.32.1-4+deb11u3
CVE-2023-47038 perl debian:distro:debian:11 < 5.32.1-4+deb11u3 (deb)
```
So we got that fixed-in version from Debian, and Grype used the Debian info for the match because Syft detected the distro to be Debian.
Does that answer your question?
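To make the distro-feed matching described in the answer concrete, here is an added example (written for this thread, not Grype's own code) that evaluates a record in the shape of the `grype db search` line quoted above: a vulnerability ID, a source package name, a distro namespace, and a version constraint. It implements the dpkg version-comparison algorithm so that `5.32.1-4+deb11u2` is correctly judged older than the fixed version `5.32.1-4+deb11u3`, something a plain string or CPE comparison against NVD's `perl:perl:5.34.0` could never tell you. The record list is constructed from the single line shown in the thread; the mapping of the `perl-base` binary package to the `perl` source package is assumed to have been done by the caller, and the record-line layout is taken from the thread, not from Grype's documentation.

```python
import re

# The one record quoted in the thread, stored as the raw search-output line.
# Constructed sample input for this example; not a full Grype database.
SAMPLE_RECORDS = [
    "CVE-2023-47038 perl debian:distro:debian:11 < 5.32.1-4+deb11u3 (deb)",
]

# Assumed layout of a search result line: id, package, namespace, operator,
# version, ecosystem in parentheses. Taken from the line shown in the thread.
_RECORD_RE = re.compile(
    r"^(?P<id>\S+)\s+(?P<pkg>\S+)\s+(?P<ns>\S+)\s+(?P<op><=|>=|<|>|=)\s*"
    r"(?P<ver>\S+)\s+\((?P<eco>\w+)\)$"
)


def _order(c: str) -> int:
    """Weight of one non-digit character, as dpkg defines it: '~' sorts before
    everything (even the end of the string), letters before other symbols."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one upstream-version or revision fragment the way dpkg does:
    alternate non-digit runs (compared by _order) and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights until both sides hit a digit.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: strip leading zeros, then the longer run wins, else the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def dpkg_compare(v1: str, v2: str) -> int:
    """Full Debian version comparison: epoch, then upstream, then revision.
    Returns <0, 0, >0 like a C comparator."""
    def split(v):
        epoch, _, rest = v.rpartition(":")
        upstream, _, revision = rest.rpartition("-")
        if not upstream:            # no '-' present: whole thing is upstream
            upstream, revision = rest, ""
        return int(epoch or 0), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return e1 - e2
    c = _verrevcmp(u1, u2)
    return c if c else _verrevcmp(r1, r2)


def satisfies(installed: str, op: str, bound: str) -> bool:
    """True when the installed version falls inside the record's constraint."""
    c = dpkg_compare(installed, bound)
    return {"<": c < 0, "<=": c <= 0, "=": c == 0, ">": c > 0, ">=": c >= 0}[op]


def find_matches(source_pkg: str, namespace: str, installed: str, records=SAMPLE_RECORDS):
    """Return the IDs of records whose package and distro namespace both match
    and whose version constraint the installed version satisfies."""
    hits = []
    for line in records:
        m = _RECORD_RE.match(line)
        if not m:
            continue
        if m["pkg"] != source_pkg or m["ns"] != namespace:
            continue
        if satisfies(installed, m["op"], m["ver"]):
            hits.append(m["id"])
    return hits


if __name__ == "__main__":
    # perl-base 5.32.1-4+deb11u2 on Debian 11 resolves to source package perl.
    print(find_matches("perl", "debian:distro:debian:11", "5.32.1-4+deb11u2"))
    print(find_matches("perl", "debian:distro:debian:11", "5.32.1-4+deb11u3"))
```

Two things the example makes visible: the namespace check is why the Debian record is used only when Syft reports a Debian distro, and the dpkg comparison is why `+deb11u2` is treated as vulnerable while `+deb11u3` is not, even though the NVD CPE for this CVE names a different version of `perl` entirely.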
Thanks a lot @willmurphy, Yes it answered my question.