Matching vulnerabilities using upstream without versions

Hello!
I am scanning an Ubuntu VM and reviewing the findings.
I remember that grype was recently improved so that packages without a version are no longer queried by default, to reduce possible FPs.
However, I suspect that when we query the “upstream”, sometimes the version is not extracted, and therefore lots of CVEs are returned.
Moreover, in many cases one of the matches is a “direct match”, and all the other artifacts related to the same vulnerability are transitive dependencies with an indirect match.
This causes duplicate CVEs on artifacts which already depend on each other (if you upgrade the parent, you solve all the CVEs).

Please see the below example:
The main artifact is “linux-aws”, which has a CVE named “CVE-2024-53087”, as specified below:

      "artifact": {
        "id": "24cc334d895db489",
        "name": "linux-aws",
        "version": "6.8.0-1019.21",
        "type": "deb",
        "locations": [
          {
            "path": "/usr/share/doc/linux-aws/copyright"
          },
          {
            "path": "/var/lib/dpkg/info/linux-aws.md5sums"
          },
          {
            "path": "/var/lib/dpkg/status"
          }
        ],
        "language": "",
        "licenses": [
          "GPL"
        ],
        "cpes": [
          "cpe:2.3:a:linux-aws:linux-aws:6.8.0-1019.21:*:*:*:*:*:*:*",
          "cpe:2.3:a:linux-aws:linux_aws:6.8.0-1019.21:*:*:*:*:*:*:*",
          "cpe:2.3:a:linux_aws:linux-aws:6.8.0-1019.21:*:*:*:*:*:*:*",
          "cpe:2.3:a:linux_aws:linux_aws:6.8.0-1019.21:*:*:*:*:*:*:*",
          "cpe:2.3:a:linux:linux-aws:6.8.0-1019.21:*:*:*:*:*:*:*",
          "cpe:2.3:a:linux:linux_aws:6.8.0-1019.21:*:*:*:*:*:*:*"
        ],
        "purl": "pkg:deb/ubuntu/linux-aws@6.8.0-1019.21?arch=amd64&upstream=linux-meta-aws&distro=ubuntu-24.04",
        "upstreams": [
          {
            "name": "linux-meta-aws"
          }
        ]
      }
    },
      "vulnerability": {
        "id": "CVE-2024-53087",
        "dataSource": "https://ubuntu.com/security/CVE-2024-53087",
        "namespace": "ubuntu:distro:ubuntu:24.04",
        "severity": "Medium",
        "urls": [
          "https://ubuntu.com/security/CVE-2024-53087"
        ],
        "cvss": [],
        "fix": {
          "versions": [],
          "state": "not-fixed"
        },
        "advisories": []
      },
      "relatedVulnerabilities": [
        {
          "id": "CVE-2024-53087",
          "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-53087",
          "namespace": "nvd:cpe",
          "severity": "Unknown",
          "urls": [
            "https://git.kernel.org/stable/c/2f92b77a8ce043fbda2664d9be4b66bdc57f67b7",
            "https://git.kernel.org/stable/c/af797b831d8975cb4610f396dcb7f03f4b9908e7"
          ],
          "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix possible exec queue leak in exec IOCTL\n\nIn a couple of places after an exec queue is looked up the exec IOCTL\nreturns on input errors without dropping the exec queue ref. Fix this\nensuring the exec queue ref is dropped on input error.\n\n(cherry picked from commit 07064a200b40ac2195cb6b7b779897d9377e5e6f)",
          "cvss": []
        }
      ],
      "matchDetails": [
        {
          "type": "exact-direct-match",
          "matcher": "dpkg-matcher",
          "searchedBy": {
            "distro": {
              "type": "ubuntu",
              "version": "24.04"
            },
            "namespace": "ubuntu:distro:ubuntu:24.04",
            "package": {
              "name": "linux-aws",
              "version": "6.8.0-1019.21"
            }
          },
          "found": {
            "versionConstraint": "none (deb)",
            "vulnerabilityID": "CVE-2024-53087"
          }
        }
      ],

In another case, the artifact is “linux-tools-common” and has a version, so I assume it needs to be found directly (since the package does exist in the DB as is). However, after that I can see another field named “package” which indicates the package is “linux” and contains a version (the same as linux-tools-common).

Moreover, I see an upstream without a version.

So my question is: where is this CVE coming from? The upstream? The package?

      "vulnerability": {
        "id": "CVE-2024-53087",
        "dataSource": "https://ubuntu.com/security/CVE-2024-53087",
        "namespace": "ubuntu:distro:ubuntu:24.04",
        "severity": "Medium",
        "urls": [
          "https://ubuntu.com/security/CVE-2024-53087"
        ],
        "cvss": [],
        "fix": {
          "versions": [],
          "state": "not-fixed"
        },
        "advisories": []
      },
      "relatedVulnerabilities": [
        {
          "id": "CVE-2024-53087",
          "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-53087",
          "namespace": "nvd:cpe",
          "severity": "Unknown",
          "urls": [
            "https://git.kernel.org/stable/c/2f92b77a8ce043fbda2664d9be4b66bdc57f67b7",
            "https://git.kernel.org/stable/c/af797b831d8975cb4610f396dcb7f03f4b9908e7"
          ],
          "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix possible exec queue leak in exec IOCTL\n\nIn a couple of places after an exec queue is looked up the exec IOCTL\nreturns on input errors without dropping the exec queue ref. Fix this\nensuring the exec queue ref is dropped on input error.\n\n(cherry picked from commit 07064a200b40ac2195cb6b7b779897d9377e5e6f)",
          "cvss": []
        }
      ],
      "matchDetails": [
        {
          "type": "exact-indirect-match",
          "matcher": "dpkg-matcher",
          "searchedBy": {
            "distro": {
              "type": "ubuntu",
              "version": "24.04"
            },
            "namespace": "ubuntu:distro:ubuntu:24.04",
            "package": {
              "name": "linux",
              "version": "6.8.0-49.49"
            }
          },
          "found": {
            "versionConstraint": "none (deb)",
            "vulnerabilityID": "CVE-2024-53087"
          }
        }
      ],
      "artifact": {
        "id": "07d8f953b8bfcc87",
        "name": "linux-tools-common",
        "version": "6.8.0-49.49",
        "type": "deb",
        "locations": [
          {
            "path": "/usr/share/doc/linux-tools-common/copyright"
          },
          {
            "path": "/var/lib/dpkg/info/linux-tools-common.md5sums"
          },
          {
            "path": "/var/lib/dpkg/status"
          }
        ],
        "language": "",
        "licenses": [
          "GPL-2"
        ],
        "cpes": [
          "cpe:2.3:a:linux-tools-common:linux-tools-common:6.8.0-49.49:*:*:*:*:*:*:*",
          "cpe:2.3:a:linux-tools-common:linux_tools_common:6.8.0-49.49:*:*:*:*:*:*:*",
          "cpe:2.3:a:linux_tools_common:linux-tools-common:6.8.0-49.49:*:*:*:*:*:*:*",
          "cpe:2.3:a:linux_tools_common:linux_tools_common:6.8.0-49.49:*:*:*:*:*:*:*",
          "cpe:2.3:a:linux-tools:linux-tools-common:6.8.0-49.49:*:*:*:*:*:*:*",
          "cpe:2.3:a:linux-tools:linux_tools_common:6.8.0-49.49:*:*:*:*:*:*:*",
          "cpe:2.3:a:linux_tools:linux-tools-common:6.8.0-49.49:*:*:*:*:*:*:*",
          "cpe:2.3:a:linux_tools:linux_tools_common:6.8.0-49.49:*:*:*:*:*:*:*",
          "cpe:2.3:a:linux:linux-tools-common:6.8.0-49.49:*:*:*:*:*:*:*",
          "cpe:2.3:a:linux:linux_tools_common:6.8.0-49.49:*:*:*:*:*:*:*"
        ],
        "purl": "pkg:deb/ubuntu/linux-tools-common@6.8.0-49.49?arch=all&upstream=linux&distro=ubuntu-24.04",
        "upstreams": [
          {
            "name": "linux"
          }
        ]
      }
    },

This is what I see in the DB:

➜  ~ grype db search CVE-2024-53095
 ✔ Vulnerability DB                [updated]
ID              PACKAGE NAME               NAMESPACE                      VERSION CONSTRAINT
CVE-2024-53095  linux                      debian:distro:debian:11        none (deb)
CVE-2024-53095  linux                      debian:distro:debian:12        none (deb)
CVE-2024-53095  linux                      debian:distro:debian:13        < 6.11.9-1 (deb)
CVE-2024-53095  linux                      debian:distro:debian:unstable  < 6.11.9-1 (deb)

If I need to summarize my main questions:

  1. Why do we need to duplicate CVEs if the main package is vulnerable and the transitive ones depend on it (in the case where all matches are already indirect and point to the same vulnerability)?
  2. What does the “package” field represent?
  3. How is the matching being done? Is it matched by mistake due to the empty version in the upstream?

Please let me know if you need any additional information or the full grype file.

Thanks for your time!

Hi @TimBrown1611, thanks for the question!

We have a prototype feature, grype explain, that is meant to help in situations like this.

Can you run:

grype -o json <your sbom> | grype explain --id CVE-2024-53087

Can you try running that command and seeing whether it helps answer your question?

I’ll try to answer some of your other questions as well:

I assume you mean .matches[N].matchDetails[N].searchedBy.package in Grype’s JSON output? If so, that object contains the package name and package version that were used when Grype queried the database - it searched by them. Does that answer that part of the question?

Are you running against a full grype database? I see the following row in the db:

CVE-2024-53095  linux-aws                  ubuntu:distro:ubuntu:24.04     none (deb)
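
As an added illustration (not code from the grype project or from either participant), the script below walks the grype JSON structure shown in this thread and, for each CVE, lists which package name/version was actually sent to the database (matchDetails[].searchedBy.package), the match type, and whether that queried name is one of the artifact's declared upstreams. The sample report is constructed to mirror the linux-aws and linux-tools-common matches above; explain_matches is a hypothetical helper name.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of grype's JSON output, trimmed to the fields
# used here; the two matches mirror the linux-aws / linux-tools-common case above.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {
            "vulnerability": {"id": "CVE-2024-53087", "namespace": "ubuntu:distro:ubuntu:24.04"},
            "matchDetails": [{
                "type": "exact-direct-match", "matcher": "dpkg-matcher",
                "searchedBy": {"package": {"name": "linux-aws", "version": "6.8.0-1019.21"}},
                "found": {"versionConstraint": "none (deb)", "vulnerabilityID": "CVE-2024-53087"},
            }],
            "artifact": {"name": "linux-aws", "version": "6.8.0-1019.21", "type": "deb",
                         "upstreams": [{"name": "linux-meta-aws"}]},
        },
        {
            "vulnerability": {"id": "CVE-2024-53087", "namespace": "ubuntu:distro:ubuntu:24.04"},
            "matchDetails": [{
                "type": "exact-indirect-match", "matcher": "dpkg-matcher",
                "searchedBy": {"package": {"name": "linux", "version": "6.8.0-49.49"}},
                "found": {"versionConstraint": "none (deb)", "vulnerabilityID": "CVE-2024-53087"},
            }],
            "artifact": {"name": "linux-tools-common", "version": "6.8.0-49.49", "type": "deb",
                         "upstreams": [{"name": "linux"}]},
        },
    ]
})


def explain_matches(report_json):
    """Group matches by CVE; for each match record the artifact, the package
    name/version grype actually queried, the match type, and whether that
    queried name came from one of the artifact's upstreams (source package)."""
    by_cve = defaultdict(list)
    for m in json.loads(report_json)["matches"]:
        art = m["artifact"]
        upstreams = {u["name"] for u in art.get("upstreams", [])}
        for d in m["matchDetails"]:
            q = d["searchedBy"].get("package", {})
            by_cve[m["vulnerability"]["id"]].append({
                "artifact": f'{art["name"]}@{art["version"]}',
                "queried": f'{q.get("name")}@{q.get("version")}',
                "type": d["type"],
                "via_upstream": q.get("name") in upstreams,  # True: DB was searched by the upstream name
                "constraint": d["found"].get("versionConstraint"),
            })
    return dict(by_cve)
```

Run it over real output with `grype -o json <target>` piped into a file and passed to explain_matches; a row with via_upstream set to True is the case the question asks about, where the CVE was found by querying the upstream name rather than the binary package name.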