Have you tried grype explain?
For example, let's take an old node image:
Make the SBOM
$ syft node:20.16.0-bullseye -o syft-json=sbom_node20.16.0-bullseye.json
✔ Loaded image node:20.16.0-bullseye
✔ Parsed image sha256:b68d497309d66f8e2a23c53b5e01f88fa22a3e0031ea445ea7cb7a42492ccb08
✔ Cataloged contents b1932f3cdcea2604f37e65697557135380ff28032da4bbf2db15126b20f2d4f0
├── ✔ Packages [618 packages]
├── ✔ File digests [19,240 files]
├── ✔ File metadata [19,240 locations]
└── ✔ Executables [1,309 executables]
Build a vulnerability report
Write to a json file and a table to the screen.
$ grype sbom_node20.16.0-bullseye.json -o json=vuln_node20.16.0-bullseye.json -o table | grep Critical | head -n 5
✔ Scanned for vulnerabilities [1203 vulnerability matches]
├── by severity: 28 critical, 447 high, 864 medium, 69 low, 845 negligible (385 unknown)
└── by status: 408 fixed, 2230 not-fixed, 1435 ignored
curl. 7.74.0-1.3+deb11u12 (won't fix) deb CVE-2023-23914 Critical
git. 1:2.30.2-1+deb11u2 1:2.30.2-1+deb11u3 deb CVE-2024-32002 Critical
git-man 1:2.30.2-1+deb11u2 1:2.30.2-1+deb11u3 deb CVE-2024-32002 Critical
libaom0 1.0.0.errata1-3+deb11u1 1.0.0.errata1-3+deb11u2 deb CVE-2024-5171 Critical
libaom0 1.0.0.errata1-3+deb11u1 (won't fix) deb CVE-2023-6879 Critical
Use Grype Explain on one of the issues
$ grype sbom_node20.16.0-bullseye.json -o json | grype explain --id=CVE-2024-32002
[0000] WARN grype explain is a prototype feature and is subject to change
✔ Scanned for vulnerabilities [1203 vulnerability matches]
├── by severity: 28 critical, 447 high, 864 medium, 69 low, 845 negligible (385 unknown)
└── by status: 408 fixed, 2230 not-fixed, 1435 ignored
CVE-2024-32002 from nvd:cpe (Critical)
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.
Related vulnerabilities:
- debian:distro:debian:11 CVE-2024-32002 (Critical)
Matched packages:
- Package: git, version: 1:2.30.2-1+deb11u2
PURL: pkg:deb/debian/git@1%3A2.30.2-1%2Bdeb11u2?arch=arm64&distro=debian-11
Match explanation(s):
- debian:distro:debian:11:CVE-2024-32002 Direct match (package name, version, and ecosystem) against git (version 1:2.30.2-1+deb11u2).
Locations:
- /usr/share/doc/git/copyright
- /var/lib/dpkg/info/git.conffiles
- /var/lib/dpkg/info/git.list
- /var/lib/dpkg/info/git.md5sums
- /var/lib/dpkg/info/git.postinst
- /var/lib/dpkg/info/git.postrm
- /var/lib/dpkg/info/git.preinst
- /var/lib/dpkg/info/git.prerm
- /var/lib/dpkg/status
- Package: git-man, version: 1:2.30.2-1+deb11u2
PURL: pkg:deb/debian/git-man@1%3A2.30.2-1%2Bdeb11u2?arch=all&distro=debian-11&upstream=git
Match explanation(s):
- debian:distro:debian:11:CVE-2024-32002 Indirect match; this CVE is reported against git (version 1:2.30.2-1+deb11u2), the origin of this deb package.
Locations:
- /usr/share/doc/git-man/copyright
- /var/lib/dpkg/info/git-man.list
- /var/lib/dpkg/info/git-man.md5sums
- /var/lib/dpkg/status
URLs:
- https://nvd.nist.gov/vuln/detail/CVE-2024-32002
- https://security-tracker.debian.org/tracker/CVE-2024-32002
Is that what you're after?
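The reply above produces a JSON report (`vuln_node20.16.0-bullseye.json`) and then greps the table for "Critical". The script below is an added example, not code from the post or from the grype project, showing how to triage that JSON directly: split the critical findings into "fix available" versus "won't fix", and list which packages share one CVE (the same grouping `grype explain` prints for CVE-2024-32002). The field names (`matches`, `vulnerability.severity`, `vulnerability.fix.state`, `artifact.name`) are assumed from grype's JSON output format, and the embedded report is a constructed sample that mirrors the table rows in the reply rather than real scanner output.

```python
"""Triage a grype JSON report: split findings by severity and fix state.

Added example; field layout assumed from grype's JSON output format.
"""
import json
from collections import Counter, defaultdict

# Constructed sample shaped like grype's "-o json" report. The five Critical
# rows mirror the table in the reply above; the High row is added to show
# that lower severities are filtered out. Values are constructed, not scanned.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-2023-23914", "severity": "Critical",
                           "fix": {"versions": [], "state": "wont-fix"}},
         "artifact": {"name": "curl", "version": "7.74.0-1.3+deb11u12", "type": "deb"}},
        {"vulnerability": {"id": "CVE-2024-32002", "severity": "Critical",
                           "fix": {"versions": ["1:2.30.2-1+deb11u3"], "state": "fixed"}},
         "artifact": {"name": "git", "version": "1:2.30.2-1+deb11u2", "type": "deb"}},
        {"vulnerability": {"id": "CVE-2024-32002", "severity": "Critical",
                           "fix": {"versions": ["1:2.30.2-1+deb11u3"], "state": "fixed"}},
         "artifact": {"name": "git-man", "version": "1:2.30.2-1+deb11u2", "type": "deb"}},
        {"vulnerability": {"id": "CVE-2024-5171", "severity": "Critical",
                           "fix": {"versions": ["1.0.0.errata1-3+deb11u2"], "state": "fixed"}},
         "artifact": {"name": "libaom0", "version": "1.0.0.errata1-3+deb11u1", "type": "deb"}},
        {"vulnerability": {"id": "CVE-2023-6879", "severity": "Critical",
                           "fix": {"versions": [], "state": "wont-fix"}},
         "artifact": {"name": "libaom0", "version": "1.0.0.errata1-3+deb11u1", "type": "deb"}},
        {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "High",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "example-pkg", "version": "1.0", "type": "deb"}},
    ]
})


def load_matches(report_text):
    """Parse a grype JSON report and return its list of matches."""
    return json.loads(report_text).get("matches", [])


def fix_state(match):
    """Fix state of a match; grype omits the block when it has no data."""
    return match["vulnerability"].get("fix", {}).get("state", "unknown")


def summarize(matches):
    """Counts by severity and by fix state, like grype's summary lines."""
    by_severity = Counter(m["vulnerability"].get("severity", "Unknown") for m in matches)
    by_state = Counter(fix_state(m) for m in matches)
    return by_severity, by_state


def with_fix(matches, severities=("Critical",)):
    """Matches at the given severities where a fixed version exists.

    Returns sorted (package, installed, cve, fixed-in) tuples: the rows
    that can be closed by a package upgrade.
    """
    rows = []
    for m in matches:
        v = m["vulnerability"]
        if v.get("severity") in severities and fix_state(m) == "fixed":
            rows.append((m["artifact"]["name"], m["artifact"]["version"],
                         v["id"], ", ".join(v.get("fix", {}).get("versions", []))))
    return sorted(rows)


def without_fix(matches, severities=("Critical",)):
    """Matches the distro has marked won't-fix; these need a risk decision."""
    rows = []
    for m in matches:
        v = m["vulnerability"]
        if v.get("severity") in severities and fix_state(m) == "wont-fix":
            rows.append((m["artifact"]["name"], m["artifact"]["version"], v["id"]))
    return sorted(rows)


def packages_by_cve(matches):
    """Map each CVE id to the sorted package names it matched against."""
    groups = defaultdict(set)
    for m in matches:
        groups[m["vulnerability"]["id"]].add(m["artifact"]["name"])
    return {cve: sorted(names) for cve, names in groups.items()}


if __name__ == "__main__":
    matches = load_matches(SAMPLE_REPORT)
    by_sev, by_state = summarize(matches)
    print("by severity:", dict(by_sev))
    print("by status:", dict(by_state))
    print("critical, fix available:")
    for row in with_fix(matches):
        print("  ", *row)
    print("critical, won't fix:")
    for row in without_fix(matches):
        print("  ", *row)
    print("packages per CVE:", packages_by_cve(matches))
```

On a real report, replace `SAMPLE_REPORT` with the contents of the file written by `-o json=...`; the won't-fix list is the one to look at first for mitigations, since no upgrade will clear it.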