Grype refers to file in repo after nextjs upgrade

Before the next.js 15 upgrade, running grype on a repo would show installed versions for all components. Since upgrading next.js to 15, we now see file paths in the output instead, and FIXED-IN showing older versions than we have installed.

What’s the best way to go about diagnosing this behaviour and returning to our previous output?

The changes I can see to package.json and yarn.lock were version number changes - there were no changes to how we source dependencies.

This is using Grype 0.85.0

After the upgrade

NAME                 INSTALLED                     FIXED-IN           TYPE  VULNERABILITY        SEVERITY
@auth0/nextjs-auth0  file:../..                    1.4.2              npm   GHSA-954c-jjx6-cxv7  High
@auth0/nextjs-auth0  file:../..                    1.6.2              npm   GHSA-2mqv-4j3r-vjvp  Medium
@eslint/plugin-kit   0.2.2                         0.2.3              npm   GHSA-7q7g-4xm8-89cq  Low
cross-spawn          7.0.3                         7.0.5              npm   GHSA-3xgq-45jj-v275  High
next                 file:../../node_modules/next  5.1.0              npm   GHSA-5vj8-3v2h-h38v  High
next                 file:../../node_modules/next  11.1.3             npm   GHSA-25mp-g6fv-mqxx  High
next                 file:../../node_modules/next  11.1.0             npm   GHSA-vxf5-wxwp-m7g9  Medium
next                 file:../../node_modules/next  9.3.2              npm   GHSA-fq77-7p7r-83rj  Medium
next                 file:../../node_modules/next  13.4.20-canary.13  npm   GHSA-c59h-r6p8-q9wc  Low

Before the upgrade

NAME         INSTALLED  FIXED-IN        TYPE       VULNERABILITY        SEVERITY
cross-spawn  7.0.3      7.0.5           npm        GHSA-3xgq-45jj-v275  High

Hi @WTP! Thanks for the report. What version of nextjs are you running? I used create-next-app@15.0.3 to create a next app and ran Grype and Syft on the directory, and all my versions look OK. I’m going to ask about a few differences to try to figure out why we’re getting different results.

  1. Are you using nextjs 15.0.3, or maybe an earlier 15? (I also tried 15.0.0 with the same result though.)
  2. Do you have anything non-default in your Grype config? (a diff of grype config and grype config --load should tell you this).
  3. Is there a step I’m missing? Maybe I need to make a non-default choice in create-next-app or install some particular package?
  4. Is there a public artifact (maybe some repo that’s already open source) that exhibits the bug already when you run Grype on it?

Thanks again for the report! It sounds like something changed in NextJS between versions, but we’d still like to adjust our tools to detect these artifacts correctly.

Thanks for the reply.

We’re on next 15.0.3.

The only difference between grype config and grype config --load is that grype config has profile: '' and grype config --load has profile: 'none'

I’ll try and create a repro of the issue and publish something that shows it, but right now we’ve just been working on our main app.

Hi again @willmurphy - I now have a repro at GitHub - WTPOptAxe/grype-dep-repro: Demonstrate dependency display in grype with auth0/nextjs-auth0

It looks like this is triggered by the addition of the nextjs-auth0 dep to package.json as "@auth0/nextjs-auth0": "^4.0.0-beta.7",

Why are we using a beta you ask? Auth0 chose not to support next.js 15 in their stable branch.

To reproduce this manually, you can simply do

yarn create next-app grypetest --no-install
cd grypetest
corepack enable
yarn set version stable
yarn install
grype . # all good at this point
# add `"@auth0/nextjs-auth0": "^4.0.0-beta.7",` to package.json
yarn install
grype . # unexpected output now

Thanks for the repo and repro!

I’m able to repro this issue in the following way:

git clone git@github.com:WTPOptAxe/grype-dep-repro.git
cd grype-dep-repro
yarn install
grype .

It looks like the underlying issue is probably in Syft:

❯ syft -q . | grep -e NAME -e 'file:' -e '^next' -e '^@auth0'
NAME                                          VERSION                            TYPE
@auth0/nextjs-auth0                           4.0.0-beta.2                       npm
@auth0/nextjs-auth0                           4.0.0-beta.8                       npm
@auth0/nextjs-auth0                           file:../..                         npm
@types/node@file:../../node_modules/          types/node                         npm
@types/react-dom@file:../../node_modules/     types/react-dom                    npm
@types/react@file:../../node_modules/         types/react                        npm
next                                          15.0.2                             npm
next                                          15.0.3                             npm                     (+1 duplicate)
next                                          file:../../node_modules/next       npm
next-intl                                     3.25.0                             npm
react                                         file:../../node_modules/react      npm
react-dom                                     file:../../node_modules/react-dom  npm

I think this is probably the same bug as Duplicate entry in SBOM with local NPM dependencies · Issue #2559 · anchore/syft · GitHub

There’s an auth0 package JSON that has local references as dependencies (node_modules/@auth0/nextjs-auth0/e2e/test-app/package.json):

{
  "name": "test-app",
  "version": "0.1.0",
  "private": true,
  "scripts": {
    "dev": "next dev --turbopack",
    "build": "next build",
    "start": "next start",
    "lint": "next lint"
  },
  "dependencies": {
    "next": "file:../../node_modules/next",
    "react": "file:../../node_modules/react",
    "react-dom": "file:../../node_modules/react-dom",
    "@auth0/nextjs-auth0": "file:../../"
  },
  "devDependencies": {
    "typescript": "^5",
    "@types/node": "file:../../node_modules/@types/node",
    "@types/react": "file:../../node_modules/@types/react",
    "@types/react-dom": "file:../../node_modules/@types/react-dom",
    "postcss": "^8",
    "tailwindcss": "^3.4.1",
    "eslint": "^8",
    "eslint-config-next": "15.0.3"
  }
}

I’ll put a link to this thread on that Syft issue. Please follow that issue for updates and fixes. Thanks for the great bug report!
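The nested manifest above is the kind of file that turns a `file:` specifier into a path-like "version" in the SBOM. As an added diagnostic (not code from Syft, Grype, or anyone in this thread), the following Python walks node_modules and reports every package.json whose dependency sections use local `file:`/`link:` specifiers; the sample manifest it writes is a constructed, trimmed copy of the test-app JSON quoted above, placed at the path named in the thread.

```python
import json
import os
import tempfile

# package.json sections whose values may be local-path specifiers instead of versions.
DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")

# Constructed sample: a trimmed copy of the nested e2e/test-app manifest quoted in the thread.
SAMPLE_MANIFEST = {
    "name": "test-app", "version": "0.1.0",
    "dependencies": {"next": "file:../../node_modules/next", "react": "file:../../node_modules/react",
                     "@auth0/nextjs-auth0": "file:../../"},
    "devDependencies": {"typescript": "^5", "@types/node": "file:../../node_modules/@types/node"},
}

def local_deps(manifest: dict) -> list[tuple[str, str, str]]:
    """Return (section, name, specifier) for every dependency that points at a local path."""
    hits = []
    for section in DEP_SECTIONS:
        for name, spec in manifest.get(section, {}).items():
            if isinstance(spec, str) and spec.startswith(("file:", "link:")):
                hits.append((section, name, spec))
    return hits

def scan_node_modules(root: str) -> dict[str, list[tuple[str, str, str]]]:
    """Map each package.json under root/node_modules that has local-path deps to those deps."""
    report = {}
    for dirpath, _dirs, files in os.walk(os.path.join(root, "node_modules")):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the scan
        if hits := local_deps(manifest):
            report[os.path.relpath(dirpath, root).replace(os.sep, "/") + "/package.json"] = hits
    return report

def demo() -> dict[str, list[tuple[str, str, str]]]:
    """Write the sample manifest at the thread's nested path, beside a clean registry package, then scan."""
    with tempfile.TemporaryDirectory() as root:
        nested = os.path.join(root, "node_modules", "@auth0", "nextjs-auth0", "e2e", "test-app")
        clean = os.path.join(root, "node_modules", "cross-spawn")
        for directory, manifest in ((nested, SAMPLE_MANIFEST),
                                    (clean, {"name": "cross-spawn", "version": "7.0.3"})):
            os.makedirs(directory)
            with open(os.path.join(directory, "package.json"), "w", encoding="utf-8") as fh:
                json.dump(manifest, fh)
        return scan_node_modules(root)
```

Running `scan_node_modules(".")` against a real checkout lists the manifests to exclude from the scan or to report upstream; a package with only registry versions (like the cross-spawn stand-in) is not reported.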

Thanks so much for the dive and the followup - I’ll watch the GitHub thread. Really appreciate the effort, thanks!