Known vulnerabilities not in Chainguard / Wolfi tracker?

Looking at the structure of https://packages.wolfi.dev/os/security.json or chainguard security.json it seems that CVEs are only published for versions where there is a fix available.

Example: Chainguard Images - Advisories - CVE-2023-29406 shows that the go-1.21 package is vulnerable, but the security.json consumed by Grype doesn’t reflect this.

Is my understanding correct that Grype won’t reflect these CVEs? This also holds true when the status is one of Under investigation, Pending upstream fix, or Fix not planned, as seen on the Chainguard advisories.

@willmurphy @kzantow ?

Hi @ishan! Great question!

For distros that use APK packages (Alpine, Wolfi, Chainguard), we search NVD’s CPE data for vulnerabilities, and then use the secdb data to rule out vulnerabilities that have been fixed. You can see that code here: grype/grype/db/v5/matcher/apk/matcher.go at 66197338303a17cf6ba80d71a2c1d952e06ec68d · anchore/grype · GitHub

Additionally, for package types that are covered by GitHub Security Advisories (for example, if the APK package includes a Ruby gem or Python package), Grype will search GitHub security advisory data for vulnerabilities about those packages.

Does that answer your question?

Yes, for the most part. Just one more follow-up question: how does CPE-based matching work for custom Chainguard / Wolfi packages? For example, go-1.21 is a custom Wolfi package; how does Grype know the CPE to match for it?

If you run Syft on the image containing the artifact in question (with JSON output format, e.g. syft <image-name> -o json), it will show you the CPEs that it has generated or otherwise found for the package. These are the CPEs that Grype will use to match against.
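A small model of the two-step APK matching described in the replies above (added example, not Grype's own code): a CPE-based lookup against NVD-style records using the product name Syft would surface for the package, then the secdb's secfixes ruling out CVEs the installed version already carries a fix for. The CVE ids, version ranges and the security.json excerpt are all constructed, and the version parser assumes purely numeric dotted versions.

```python
"""Toy model of APK matching (added example, not Grype's code): candidate CVEs
come from NVD-style CPE version ranges, then the distro secdb (security.json
"secfixes") rules out those already fixed at the installed version."""


def parse_apk_version(v):
    """'1.21.3-r1' -> ((1, 21, 3), 1); upstream-only '1.21.3' gets release 0.
    Assumes purely numeric dotted versions (enough for this illustration)."""
    upstream, _, rel = v.partition("-r")
    return tuple(int(p) for p in upstream.split(".")), (int(rel) if rel else 0)


# Constructed NVD-style CPE records (placeholder CVE ids): the CPE product and
# the last upstream version NVD lists as vulnerable.
NVD_CPE_DATA = {
    "CVE-0000-1111": {"product": "go", "version_end_including": "1.21.5"},
    "CVE-0000-2222": {"product": "go", "version_end_including": "1.21.4"},
    "CVE-0000-3333": {"product": "go", "version_end_including": "1.21.9"},
}

# Constructed secdb excerpt in the Alpine/Wolfi security.json shape: "secfixes"
# maps the first fixed APK version to the CVEs it fixes. Only fixed versions
# appear here; a CVE that is still unfixed in the distro is simply absent.
SECDB = {"packages": [
    {"pkg": {"name": "go-1.21",
             "secfixes": {"1.21.3-r0": ["CVE-0000-2222"],   # backported fix
                          "1.21.4-r0": ["CVE-0000-3333"]}}},
]}


def cpe_candidates(product, installed):
    """Step 1: CVEs whose CPE product matches and whose vulnerable range still
    covers the installed upstream version (the -rN release is ignored here)."""
    upstream = parse_apk_version(installed)[0]
    return sorted(cve for cve, rec in NVD_CPE_DATA.items()
                  if rec["product"] == product
                  and upstream <= parse_apk_version(rec["version_end_including"])[0])


def secdb_fixed(pkg_name, installed):
    """Step 2: CVEs the secdb marks as fixed at or below the installed version."""
    fixed = set()
    for entry in SECDB["packages"]:
        if entry["pkg"]["name"] == pkg_name:
            for fixed_ver, cves in entry["pkg"]["secfixes"].items():
                if parse_apk_version(installed) >= parse_apk_version(fixed_ver):
                    fixed.update(cves)
    return fixed


def match(pkg_name, product, installed):
    """CPE matches minus secdb-fixed CVEs: what the scanner would still report."""
    return [c for c in cpe_candidates(product, installed)
            if c not in secdb_fixed(pkg_name, installed)]
```

Note that CVE-0000-1111 is never in the secdb, so it keeps being reported for every installed version inside the NVD range; the secdb only ever removes matches, it never adds them.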