Grype getting more fix info soon
TL;DR
Later this week, certain Grype matches will start showing more fix info (fixed state and fixed-in versions). You can see the PR here. Thanks @jneate for the awesome contribution!
Grype always tries to match packages against a more specific vulnerability source than NVD, for example GHSA or distro-specific vulnerability feeds. These sources usually have fix information, which Grype displays. Now, Grype will also try to display fix information when it has to fall back to matching against NVD data.
Where is the new fix information coming from?
Grype will start inferring fix information from version ranges in NVD. So if NVD says, "versions less than 0.9.12 are vulnerable," Grype will infer that this means "version 0.9.12 has a fix."
Why didn’t Grype always do this?
Grype can do this now because it has the ability to override data from upstream NVD before building the database.
Before Grype had that capability, if we found a record where the assumption that "< 0.9.12" means "fixed in 0.9.12" was wrong, we would have had no way to address the problem. But now we have the ability to override NVD data in Grype's database, so if this feature introduces bad fix info, we can fix the fix info.
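As an added illustration (not code from Grype or grype-db), the following Go program shows the inference described in the two passages above: an exclusive upper bound in an NVD version range ("versions < X are vulnerable") is taken as the fixed-in version, an inclusive upper bound ("versions <= X are vulnerable") is not, because it names the last bad version rather than the first good one, and a hypothetical hand-maintained override table stands in for the ability to correct upstream NVD data when the inference turns out to be wrong. The struct field names follow the NVD 2.0 API JSON (versionEndExcluding and friends); the record, CVE IDs and CPE strings are constructed sample data, and the override table's shape is an assumption, not grype-db's actual mechanism.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// cpeMatch models the version-range fields of a cpeMatch entry in an NVD
// 2.0 CVE record (configurations[].nodes[].cpeMatch[]). Only the fields
// needed for fix inference are included.
type cpeMatch struct {
	Vulnerable            bool   `json:"vulnerable"`
	Criteria              string `json:"criteria"`
	VersionStartIncluding string `json:"versionStartIncluding,omitempty"`
	VersionEndExcluding   string `json:"versionEndExcluding,omitempty"`
	VersionEndIncluding   string `json:"versionEndIncluding,omitempty"`
}

// fixInfo is the fix state a scanner would show for a match.
type fixInfo struct {
	State    string   // "fixed" or "unknown"
	Versions []string // inferred fixed-in versions, empty when unknown
}

// overrides is a hypothetical hand-maintained table (an assumption, not
// grype-db's real override mechanism) keyed by "<CVE ID>|<CPE criteria>".
// When the "< X means fixed in X" inference is known to be wrong for a
// record, the corrected fix information lives here and wins over inference.
var overrides = map[string]fixInfo{
	// Constructed entry: upstream says "< 2.0.0", but pretend the complete
	// fix only shipped in 2.0.1.
	"CVE-0000-0002|cpe:2.3:a:example:widget:*:*:*:*:*:*:*:*": {
		State: "fixed", Versions: []string{"2.0.1"},
	},
}

// inferFix derives fix information from a single NVD version range.
// Only an exclusive upper bound names a first non-vulnerable version; an
// inclusive upper bound names the last vulnerable one, so no fix is inferred.
// Non-vulnerable entries (e.g. "running on" platform CPEs) yield nothing.
func inferFix(cveID string, m cpeMatch) fixInfo {
	if o, ok := overrides[cveID+"|"+m.Criteria]; ok {
		return o
	}
	if !m.Vulnerable || m.VersionEndExcluding == "" {
		return fixInfo{State: "unknown"}
	}
	return fixInfo{State: "fixed", Versions: []string{m.VersionEndExcluding}}
}

// nvdRecord is the minimal subset of an NVD 2.0 CVE item needed to reach
// the cpeMatch entries.
type nvdRecord struct {
	ID             string `json:"id"`
	Configurations []struct {
		Nodes []struct {
			CPEMatch []cpeMatch `json:"cpeMatch"`
		} `json:"nodes"`
	} `json:"configurations"`
}

// inferFromRecord parses one NVD-shaped CVE record and returns inferred
// fix info keyed by CPE criteria.
func inferFromRecord(raw []byte) (map[string]fixInfo, error) {
	var rec nvdRecord
	if err := json.Unmarshal(raw, &rec); err != nil {
		return nil, err
	}
	out := map[string]fixInfo{}
	for _, c := range rec.Configurations {
		for _, n := range c.Nodes {
			for _, m := range n.CPEMatch {
				out[m.Criteria] = inferFix(rec.ID, m)
			}
		}
	}
	return out, nil
}

// sampleRecord is a constructed NVD-shaped record, not real NVD data.
const sampleRecord = `{
  "id": "CVE-0000-0001",
  "configurations": [{"nodes": [{"cpeMatch": [
    {"vulnerable": true, "criteria": "cpe:2.3:a:example:lib:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "0.9.0", "versionEndExcluding": "0.9.12"},
    {"vulnerable": true, "criteria": "cpe:2.3:a:example:tool:*:*:*:*:*:*:*:*",
     "versionEndIncluding": "1.4.2"},
    {"vulnerable": false, "criteria": "cpe:2.3:o:example:os:-:*:*:*:*:*:*:*"}
  ]}]}]
}`

func main() {
	fixes, err := inferFromRecord([]byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	for cpe, f := range fixes {
		fmt.Printf("%-45s state=%-8s fixed-in=%v\n", cpe, f.State, f.Versions)
	}
}
```

Running it prints a "fixed" state with fixed-in 0.9.12 for the lib entry, and "unknown" for both the inclusive-bound tool entry and the non-vulnerable platform entry. The point a practitioner should take from the inclusive-bound case is that "<= 1.4.2 is vulnerable" says nothing about whether 1.4.3 exists or is fixed, which is exactly why an override path is needed before inferring fixes from range data at all.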
What kinds of matches will start getting the new fix info?
Before this change, matches on binary packages (including matches against the JVM itself) and matches on language ecosystems other than dart, dotnet, go, java, javascript, php, python, ruby, rust, and swift did not have fix information; now they sometimes will.
What do I need to do to get this?
Upgrade to the latest Grype (v0.82.0) and let Grype auto-update its database after the grype-db pull request #112 ("fix: add nvd fix version when versionEndExcluding provided", by jneate) is merged.
What do I do if I have feedback?
You can post it here!