How to tell where vulnerability is in large repo?

Is it possible to surface where grype is uncovering a vulnerability when doing filesystem scans? For example, if I go to a repo and do grype . I might get an output like:

NAME                         INSTALLED            FIXED-IN                      TYPE       VULNERABILITY        SEVERITY  EPSS%  RISK  
golang.org/x/crypto          v0.26.0              0.31.0                        go-module  GHSA-v778-237x-gjrc  Critical  96.82   31.8

However, the repo doesn’t even use golang. After much trial and error I figured out that there is a compiled go binary in node_modules called esbuild and that’s where grype is surfacing this vulnerability, but is there a way to have grype output that somehow? (i.e. print out that that particular vulnerability was surfaced from node_modules/.../esbuild/...)?


Try -o json; it will provide you with more info.

Hi @RPGillespie6 - great question!

There’s also ‘Grype Explain’ - essentially pipe the json output from grype back into grype (yes, we know this is a bit convoluted :slight_smile: ) and ask it to explain the vuln; here’s an example:

$ grype alpine:3.11
 ✔ Vulnerability DB                [updated]
 ✔ Pulled image
 ✔ Loaded image alpine:3.11
 ✔ Parsed image sha256:1fd5850ccf13c153697413d51bb0665c03202aad5314c38ca7bf14a8250f6463
 ✔ Cataloged contents fea1c89102f105c51080dd429f2d5231ed426359072a79c712c65644fdf0acb8
   ├── ✔ Packages                        [14 packages]
   ├── ✔ Executables                     [16 executables]
   ├── ✔ File digests                    [62 files]
   └── ✔ File metadata                   [62 locations]
 ✔ Scanned for vulnerabilities     [59 vulnerability matches]
   ├── by severity: 10 critical, 19 high, 26 medium, 4 low, 0 negligible
   └── by status:   1 fixed, 58 not-fixed, 0 ignored
NAME          INSTALLED   FIXED-IN   TYPE  VULNERABILITY   SEVERITY  EPSS%  RISK
zlib          1.2.11-r3   1.2.11-r4  apk   CVE-2022-37434  Critical  99.74   87.1

Now let’s get that CVE “CVE-2022-37434” explained:

$ grype alpine:3.11 -o json | grype explain --id CVE-2022-37434
[0000]  WARN grype explain is a prototype feature and is subject to change
 ✔ Loaded image alpine:3.11
 ✔ Parsed image sha256:1fd5850ccf13c153697413d51bb0665c03202aad5314c38ca7bf14a8250f6463
 ✔ Cataloged contents fea1c89102f105c51080dd429f2d5231ed426359072a79c712c65644fdf0acb8
   ├── ✔ Packages                        [14 packages]
   ├── ✔ File metadata                   [62 locations]
   ├── ✔ Executables                     [16 executables]
   └── ✔ File digests                    [62 files]
 ✔ Scanned for vulnerabilities     [59 vulnerability matches]
   ├── by severity: 10 critical, 19 high, 26 medium, 4 low, 0 negligible
   └── by status:   1 fixed, 58 not-fixed, 0 ignored
CVE-2022-37434 from alpine:distro:alpine:3.11 (Critical)

Matched packages:
    - Package: zlib, version: 1.2.11-r3
      PURL: pkg:apk/alpine/zlib@1.2.11-r3?arch=aarch64&distro=alpine-3.11.13
      Match explanation(s):
          - alpine:distro:alpine:3.11:CVE-2022-37434 Direct match (package name, version, and ecosystem) against zlib (version 1.2.11-r3).
          - alpine:distro:alpine:3.11:CVE-2022-37434 Indirect match; this CVE is reported against zlib (version 1.2.11-r3), the upstream of this apk package.
      Locations:
          - /lib/apk/db/installed
URLs:
    - https://www.cve.org/CVERecord?id=CVE-2022-37434

In the above case, it matches a package name, but it could equally return a specific file on the filesystem. I hope I understood your question. Feel free to continue the conversation if not :+1:
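
As an added example (my own code, not grype's or Anchore's), here is a small Python consumer of the -o json report suggested in the first reply that does the "where did this match come from" part of grype explain for a filesystem scan: it groups matches by vulnerability id, lists the paths each one was surfaced from, and tallies matches per top-level directory so that a finding coming only from node_modules stands out. The embedded report is constructed by hand; its field names (matches[].vulnerability.id, matches[].artifact.locations[].path) are my understanding of grype's JSON schema and should be checked against the output of your own grype version, and the esbuild path is illustrative only.

```python
"""Map grype JSON matches back to the files they came from.

Added example, not grype's own code: it reads a `grype -o json` report and
does, in plain Python, the part of `grype explain` the question asks for
(which file a match was surfaced from). Field names
(matches[].vulnerability.id, matches[].artifact.locations[].path) follow
grype's JSON report as the author of this example understands it; check
them against `grype -o json` from your own grype version.
"""
import json
import sys
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample in the shape of a grype JSON report. The esbuild path
# is illustrative only; the real path in the question was elided.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {
            "vulnerability": {"id": "GHSA-v778-237x-gjrc", "severity": "Critical"},
            "artifact": {
                "name": "golang.org/x/crypto",
                "version": "v0.26.0",
                "type": "go-module",
                "locations": [{"path": "/node_modules/esbuild/bin/esbuild"}],
            },
        },
        {
            "vulnerability": {"id": "CVE-2022-37434", "severity": "Critical"},
            "artifact": {
                "name": "zlib",
                "version": "1.2.11-r3",
                "type": "apk",
                "locations": [{"path": "/lib/apk/db/installed"}],
            },
        },
    ]
})


def locations_by_vuln(report_json: str) -> Dict[str, List[dict]]:
    """Group matches by vulnerability id, keeping package info and paths."""
    report = json.loads(report_json)
    grouped: Dict[str, List[dict]] = defaultdict(list)
    for match in report.get("matches", []):
        vuln = match.get("vulnerability", {})
        artifact = match.get("artifact", {})
        grouped[vuln.get("id", "?")].append({
            "package": artifact.get("name", "?"),
            "version": artifact.get("version", "?"),
            "type": artifact.get("type", "?"),
            "severity": vuln.get("severity", "Unknown"),
            "paths": [loc.get("path", "?") for loc in artifact.get("locations", [])],
        })
    return dict(grouped)


def explain(report_json: str, vuln_id: Optional[str] = None) -> str:
    """Render one line per match plus its locations; optionally filter by id."""
    lines = []
    for vid, entries in sorted(locations_by_vuln(report_json).items()):
        if vuln_id is not None and vid != vuln_id:
            continue
        for entry in entries:
            lines.append(f"{vid} ({entry['severity']}): "
                         f"{entry['package']} {entry['version']} [{entry['type']}]")
            lines.extend(f"    found at {path}" for path in entry["paths"])
    return "\n".join(lines)


def matches_per_directory(report_json: str, depth: int = 1) -> Dict[str, int]:
    """Count matches by their first `depth` path components, which shows at a
    glance whether findings in a large repo come from e.g. node_modules."""
    counts: Dict[str, int] = defaultdict(int)
    for entries in locations_by_vuln(report_json).values():
        for entry in entries:
            for path in entry["paths"]:
                parts = [p for p in path.split("/") if p]
                counts["/" + "/".join(parts[:depth])] += 1
    return dict(counts)


if __name__ == "__main__":
    # Real use: grype . -o json | python3 grype_locations.py [VULN-ID]
    # With no piped input the constructed sample above is used instead.
    data = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    print(explain(data, sys.argv[1] if len(sys.argv) > 1 else None))
    print(matches_per_directory(data))
```

Run it as grype . -o json | python3 grype_locations.py GHSA-v778-237x-gjrc to get just the paths behind one finding; with no argument it lists every match, and the per-directory tally at the end is the quick way to see that everything Go-related in a JavaScript repo is coming from node_modules.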

Thanks, very helpful, worked like a charm.
