Is it possible to surface where grype is uncovering a vulnerability when doing filesystem scans? For example, if I go to a repo and do grype . I might get an output like:
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY EPSS% RISK
golang.org/x/crypto v0.26.0 0.31.0 go-module GHSA-v778-237x-gjrc Critical 96.82 31.8
However, the repo doesn't even use golang. After much trial and error I figured out that there is a compiled go binary in node_modules called esbuild and that's where grype is surfacing this vulnerability, but is there a way to have grype output that somehow? (i.e. print out that that particular vulnerability was surfaced from node_modules/.../esbuild/...?)
There's also "Grype Explain" - essentially pipe the JSON output from grype back into grype (yes, we know this is a bit convoluted) and ask it to explain the vuln. Here's an example:
Now let's get that CVE "CVE-2022-37434" explained:
$ grype alpine:3.11 -o json | grype explain --id CVE-2022-37434
[0000] WARN grype explain is a prototype feature and is subject to change
 ✔ Loaded image alpine:3.11
 ✔ Parsed image sha256:1fd5850ccf13c153697413d51bb0665c03202aad5314c38ca7bf14a8250f6463
 ✔ Cataloged contents fea1c89102f105c51080dd429f2d5231ed426359072a79c712c65644fdf0acb8
   ├── ✔ Packages [14 packages]
   ├── ✔ File metadata [62 locations]
   ├── ✔ Executables [16 executables]
   └── ✔ File digests [62 files]
 ✔ Scanned for vulnerabilities [59 vulnerability matches]
   ├── by severity: 10 critical, 19 high, 26 medium, 4 low, 0 negligible
   └── by status: 1 fixed, 58 not-fixed, 0 ignored
CVE-2022-37434 from alpine:distro:alpine:3.11 (Critical)
Matched packages:
- Package: zlib, version: 1.2.11-r3
PURL: pkg:apk/alpine/zlib@1.2.11-r3?arch=aarch64&distro=alpine-3.11.13
Match explanation(s):
- alpine:distro:alpine:3.11:CVE-2022-37434 Direct match (package name, version, and ecosystem) against zlib (version 1.2.11-r3).
- alpine:distro:alpine:3.11:CVE-2022-37434 Indirect match; this CVE is reported against zlib (version 1.2.11-r3), the upstream of this apk package.
Locations:
- /lib/apk/db/installed
URLs:
- https://www.cve.org/CVERecord?id=CVE-2022-37434
In the above case, it matches a package name, but it could equally return a specific file on the filesystem. I hope I understood your question. Feel free to continue the conversation if not.
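As an added illustration of the same idea without the explain prototype (this is example code, not part of the post or of grype itself): the JSON report that `grype -o json` produces carries the file paths in `matches[].artifact.locations[].path`, so a short script can print, per vulnerability, the package and the path it was found at, optionally filtered by id like `grype explain --id`. The embedded report below is a constructed, trimmed sample; the esbuild path in it is a placeholder, not a real one.

```python
from __future__ import annotations

import json
import sys
from collections import defaultdict

# Constructed sample of grype's JSON output, trimmed to the fields used here.
# First match mirrors the question (a Go module match coming from a compiled
# binary under node_modules; path is a placeholder), second mirrors the answer.
SAMPLE_GRYPE_JSON = """
{
  "matches": [
    {
      "vulnerability": {"id": "GHSA-v778-237x-gjrc", "severity": "Critical"},
      "artifact": {
        "name": "golang.org/x/crypto", "version": "v0.26.0", "type": "go-module",
        "locations": [{"path": "node_modules/EXAMPLE/esbuild/bin/esbuild"}]
      }
    },
    {
      "vulnerability": {"id": "CVE-2022-37434", "severity": "Critical"},
      "artifact": {
        "name": "zlib", "version": "1.2.11-r3", "type": "apk",
        "locations": [{"path": "/lib/apk/db/installed"}]
      }
    }
  ]
}
"""


def locations_by_vulnerability(report_json: str, vuln_id: str | None = None) -> dict[str, list[dict]]:
    """Map each vulnerability id to the packages and filesystem paths grype attributed it to.

    If vuln_id is given, only that vulnerability is reported (like `grype explain --id`).
    """
    report = json.loads(report_json)
    out: dict[str, list[dict]] = defaultdict(list)
    for match in report.get("matches", []):
        vid = match["vulnerability"]["id"]
        if vuln_id is not None and vid != vuln_id:
            continue
        art = match["artifact"]
        for loc in art.get("locations", []):
            out[vid].append({"package": art["name"], "version": art["version"],
                             "type": art["type"], "path": loc["path"]})
    return dict(out)


if __name__ == "__main__":
    # Read a real report from a pipe (grype . -o json | python this.py [ID]); else use the sample.
    data = SAMPLE_GRYPE_JSON if sys.stdin.isatty() else sys.stdin.read()
    wanted = sys.argv[1] if len(sys.argv) > 1 else None
    for vid, entries in locations_by_vulnerability(data, wanted).items():
        print(vid)
        for e in entries:
            print(f"  {e['package']}@{e['version']} ({e['type']})  <-  {e['path']}")
```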