Running grype . --by-cve in my Java home folder both reported a dependency problem. I fixed the pom.xml file, re-compiled, and re-executed both trivy and grype. Only trivy reported the problem as fixed.
Is there a way to list which image or file that grype is scanning? I tried grype -v . --by-cve but I cannot see any output specifying what file grype is scanning, which makes it hard to find out what tasks I need to execute on the Java side to make sure that my Java project has updated the file that grype is scanning.
Am I missing something, or should this be a feature request?
It’s hard to tell what is happening without more information than this. It’s possible an older JAR was still around and didn’t get removed, and Grype actually finds that file?
When you run grype . you are scanning the current directory. Do you mean that you want Grype to report the locations of affected packages when it finds vulnerabilities? If you grype -o json . the JSON output will contain some location information.
Did that answer your questions? If you’d like to provide more information about the first question, please feel free. Sometimes people make or find a small image or git repo that reproduces the issue and that they are comfortable sharing.
Thank you for your reply. The grype . command does more than just scanning the current directory, because I was standing in the root folder of the source code projects.
So grype is traversing the hierarchy in a clever way, finding the jar/war/ear file. It definitely found a file that was not updated. That is why I was expecting the --verbose parameter to list the path and filename for the image it ended up scanning. Because the magic is not self-evident.
Without knowing which file grype scans, it is difficult to be confident about what java command to run to ensure that the correct jar file is up-to-date…
You’re right, grype . will search from the current directory recursively. Also, grype (via syft) can unzip jars and recursively search within them. That might be the magic you’re seeing.
The output from -o json contains the locations. (In general, the default output is a summary, the complete output is obtained by -o json.)
For example, you could do this (assuming you have jq installed, which I highly recommend):
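As an added example that is not part of this reply or of the grype project, here is the same idea done in Python rather than jq: it walks the matches in a grype -o json report and lists, per CVE, the file (and nested jar inside a war/ear, where syft records one) that still carries the vulnerable package. The field names (matches, vulnerability.id, artifact.locations[].path, artifact.metadata.virtualPath) are assumed from grype's JSON report, and the report itself is a constructed sample with placeholder CVE ids.

```python
import json

# Constructed sample in the shape of `grype -o json` output, trimmed to the
# fields used below. CVE ids and paths are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {
            "vulnerability": {"id": "CVE-0000-0001", "severity": "High"},
            "artifact": {
                "name": "example-lib", "version": "1.0.0", "type": "java-archive",
                "locations": [{"path": "/project/target/app.war"}],
                # syft records the nested jar inside the war as virtualPath (assumed field)
                "metadata": {"virtualPath": "/project/target/app.war:WEB-INF/lib/example-lib-1.0.0.jar"},
            },
        },
        {
            "vulnerability": {"id": "CVE-0000-0002", "severity": "Medium"},
            "artifact": {
                "name": "old-lib", "version": "2.3.4", "type": "java-archive",
                "locations": [{"path": "/project/target/old-lib-2.3.4.jar"}],
                "metadata": None,
            },
        },
    ]
})


def affected_files(report_json: str) -> list:
    """One record per (vulnerability, file) pair: which build artifact still ships the package."""
    rows = []
    for match in json.loads(report_json).get("matches", []):
        vuln = match.get("vulnerability", {})
        art = match.get("artifact", {})
        paths = [loc["path"] for loc in art.get("locations", []) if loc.get("path")]
        # Prefer the nested path: it names the jar inside the war/ear, which is the
        # thing the build has to regenerate for the finding to go away.
        nested = (art.get("metadata") or {}).get("virtualPath")
        for path in paths or [None]:
            rows.append({"cve": vuln.get("id"), "severity": vuln.get("severity"),
                         "package": f"{art.get('name')}@{art.get('version')}",
                         "path": nested or path})
    return rows


def files_by_cve(report_json: str) -> dict:
    """Group affected file paths by CVE so a stale artifact is obvious after a rebuild."""
    grouped = {}
    for row in affected_files(report_json):
        grouped.setdefault(row["cve"], set()).add(row["path"])
    return grouped


if __name__ == "__main__":
    for row in affected_files(SAMPLE_REPORT):
        print(f"{row['cve']}\t{row['severity']}\t{row['package']}\t{row['path']}")
```

Run it against a real report with affected_files(open("report.json").read()) after grype -o json . > report.json; any path that still appears after a clean rebuild is the file the build did not regenerate.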