Missing vulnerabilities in container image scans?

Maybe it is just me not really understanding how grype works but I need some explanation here.

I have the following images locally:

❯ docker images
REPOSITORY   TAG       IMAGE ID       CREATED         SIZE
alpine       3.20.2    324bc02ae123   3 weeks ago     7.8MB
busybox      1.36.1    65ad0d468eb1   15 months ago   4.26MB

When I run grype on the alpine image, I get this:

❯ grype alpine:3.20.2
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    alpine:3.20.2
 ✔ Parsed image                    sha256:324bc02ae1231fd9255658c128086395d3fa0aedd5a41ab6b034fd649d1a9260
 ✔ Cataloged packages              [15 packages]
 ✔ Scanned for vulnerabilities     [0 vulnerabilities]
   ├── 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── 0 fixed
No vulnerabilities found
0.79.6

When I run it on the busybox image, I get this:

❯ grype busybox:1.36.1
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    busybox:1.36.1
 ✔ Parsed image                    sha256:65ad0d468eb1c558bf7f4e64e790f586e9eda649ee9f130cd0e835b292bbc5ac
 ✔ Cataloged packages              [1 packages]
 ✔ Scanned for vulnerabilities     [4 vulnerabilities]
   ├── 0 critical, 0 high, 4 medium, 0 low, 0 negligible
   └── 0 fixed
NAME     INSTALLED  FIXED-IN  TYPE    VULNERABILITY   SEVERITY
busybox  1.36.1               binary  CVE-2023-42366  Medium
busybox  1.36.1               binary  CVE-2023-42365  Medium
busybox  1.36.1               binary  CVE-2023-42364  Medium
busybox  1.36.1               binary  CVE-2023-42363  Medium
0.79.6

What is confusing to me is that busybox 1.36.1 is what is installed in the alpine:3.20.2 image:

❯ docker run --rm -ti alpine:3.20.2 /bin/sh
/ # busybox --help
BusyBox v1.36.1 (2024-06-10 07:11:47 UTC) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2015.
Licensed under GPLv2. See source distribution for detailed
copyright notices.

What causes the CVEs from busybox to be ignored (or not reported) when scanning the alpine:3.20.2 image? Again, this is probably just me not understanding how grype actually works.

Thanks in advance for any pointers… :blush:


Hi @dwaynebradley, that’s a great question! The short answer is: Alpine has published a fixed version of busybox.

syft -q alpine:3.20.2 | grep -e NAME -e busybox
NAME                    VERSION      TYPE
busybox                 1.36.1-r29   apk
busybox-binsh           1.36.1-r29   apk

Note that we find an apk (Alpine’s package type) with version 1.36.1-r29, that is, the 29th release that Alpine has made of busybox 1.36.1. In other words, Alpine has been releasing patches on top of the upstream version.

For the busybox image, Syft finds the regular busybox binary:

syft -q busybox:1.36.1 | grep -e NAME -e busybox
NAME     VERSION  TYPE
busybox  1.36.1   binary

Grype is able to use the apk release version to perform a more specific match than it can with the binary package.

I think the particular patch in question is at main/busybox/CVE-2023-42364-CVE-2023-42365.patch · master · alpine / aports · GitLab

You can see a list of Alpine-specific sec fixes in busybox at main/busybox/APKBUILD · master · alpine / aports · GitLab if you are interested.

In general, grype will use the most specific vuln feed it can. Since we have Alpine-specific vulnerability information, Grype can see that the busybox apk package is of a version that contains a fix for the specific CVE.

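As an added illustration of the matching logic described in the answer above (this is not code from the thread, nor from grype or syft): an upstream feed only knows the bare version 1.36.1, so it matches both the binary and the apk, while a distro feed records the apk release that carried the fix and can clear the patched package. The feed contents and the fix release `1.36.1-r10` are constructed placeholders; the real Alpine fix release is not given in the thread.

```python
import re

# Constructed sample feeds (not the real data). Upstream: the four CVEs grype
# reported against the bare busybox 1.36.1 binary, with no fixed version known.
# Distro: an Alpine secdb-style "secfixes" map recording which apk release first
# carried the fix; "1.36.1-r10" is a placeholder release chosen for the example.
UPSTREAM_FEED = {
    "busybox": {cve: "1.36.1" for cve in (
        "CVE-2023-42363", "CVE-2023-42364", "CVE-2023-42365", "CVE-2023-42366")},
}
ALPINE_SECFIXES = {
    "busybox": {"1.36.1-r10": [
        "CVE-2023-42363", "CVE-2023-42364", "CVE-2023-42365", "CVE-2023-42366"]},
}

def parse_apk_version(v):
    """Split 'upstream-rN' into (upstream tuple, release int).
    A plain upstream version such as '1.36.1' gets release None."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    upstream = tuple(int(x) for x in m.group(1).split("."))
    release = int(m.group(2)) if m.group(2) is not None else None
    return upstream, release

def version_ge(installed, fixed):
    """installed >= fixed, comparing the upstream part first and the Alpine
    release suffix second (a missing suffix sorts below any -rN)."""
    iu, ir = parse_apk_version(installed)
    fu, fr = parse_apk_version(fixed)
    return (iu, -1 if ir is None else ir) >= (fu, -1 if fr is None else fr)

def match(name, version, pkg_type, distro=None):
    """Return the CVE ids a grype-style match would report (simplified).
    Step 1: the upstream feed only sees the upstream version, so 1.36.1-r29
    matches exactly like 1.36.1. Step 2: for an apk on Alpine, any CVE whose
    distro fix release is <= the installed release is dropped."""
    inst_upstream, _ = parse_apk_version(version)
    candidates = {
        cve for cve, affected_max in UPSTREAM_FEED.get(name, {}).items()
        if inst_upstream <= parse_apk_version(affected_max)[0]
    }
    if pkg_type == "apk" and distro == "alpine":
        for fix_release, cves in ALPINE_SECFIXES.get(name, {}).items():
            if version_ge(version, fix_release):
                candidates -= set(cves)
    return sorted(candidates)
```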

That makes way more sense now! :joy: It had me really confused looking at that the other day. Thanks for the great explanation! :sunglasses:
