Maybe it is just me not really understanding how grype works but I need some explanation here.
I have the following images locally:
❯ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
alpine 3.20.2 324bc02ae123 3 weeks ago 7.8MB
busybox 1.36.1 65ad0d468eb1 15 months ago 4.26MB
When I run grype on the alpine image, I get this:
❯ grype alpine:3.20.2
✔ Vulnerability DB [no update available]
✔ Loaded image alpine:3.20.2
✔ Parsed image sha256:324bc02ae1231fd9255658c128086395d3fa0aedd5a41ab6b034fd649d1a9260
✔ Cataloged packages [15 packages]
✔ Scanned for vulnerabilities [0 vulnerabilities]
├── 0 critical, 0 high, 0 medium, 0 low, 0 negligible
└── 0 fixed
No vulnerabilities found
0.79.6
When I run it on the busybox image, I get this:
❯ grype busybox:1.36.1
✔ Vulnerability DB [no update available]
✔ Loaded image busybox:1.36.1
✔ Parsed image sha256:65ad0d468eb1c558bf7f4e64e790f586e9eda649ee9f130cd0e835b292bbc5ac
✔ Cataloged packages [1 packages]
✔ Scanned for vulnerabilities [4 vulnerabilities]
├── 0 critical, 0 high, 4 medium, 0 low, 0 negligible
└── 0 fixed
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
busybox 1.36.1 binary CVE-2023-42366 Medium
busybox 1.36.1 binary CVE-2023-42365 Medium
busybox 1.36.1 binary CVE-2023-42364 Medium
busybox 1.36.1 binary CVE-2023-42363 Medium
0.79.6
What is confusing to me is that busybox 1.36.1 is what is installed in the alpine:3.20.2 image:
❯ docker run --rm -ti alpine:3.20.2 /bin/sh
/ # busybox --help
BusyBox v1.36.1 (2024-06-10 07:11:47 UTC) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2015.
Licensed under GPLv2. See source distribution for detailed
copyright notices.
What causes the CVEs from busybox to be ignored (or not reported) when scanning the alpine:3.20.2 image? Again, this is probably just me not understanding how grype actually works.
Thanks in advance for any pointers…
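The check I would run on a question like this is to look at *how* each image cataloged the package and *where* each grype match came from, rather than at the summary table alone: the "TYPE binary" column in the busybox scan means syft's binary classifier identified busybox from the executable (there is no package database in that image), whereas an Alpine image carries busybox as an apk package with the distro's own release suffix. The script below is an added example, not code from the original post or from the grype/syft projects. It cross-references a syft SBOM with a grype report for one package name and reports the catalog type, the match count and the vulnerability namespaces involved. Both JSON documents are constructed and trimmed to the fields used; the field names (`artifacts[].name/version/type/foundBy` in syft JSON, `matches[].artifact.*` and `matches[].vulnerability.id/namespace/fix` in grype JSON) and the `nvd:cpe` namespace are assumptions based on the current JSON layouts and should be compared against `syft -o json` / `grype -o json` from your own release. The `-rN` suffix on the Alpine package version is a placeholder, not a value from the post.

```python
"""Cross-reference a syft SBOM with a grype report to see how a package was
cataloged and which vulnerability namespaces its matches came from."""
import json
from collections import defaultdict

# --- constructed sample inputs (trimmed; not captured output) ----------------
# busybox:1.36.1 has no package database, so only syft's binary classifier can
# identify busybox; it is cataloged with type "binary".
BUSYBOX_SBOM = {
    "artifacts": [
        {"name": "busybox", "version": "1.36.1", "type": "binary",
         "foundBy": "binary-classifier-cataloger"}
    ]
}
# The four CVEs from the post as they would appear against a binary package.
# No distro namespace applies to a binary, so the matches come from CPE
# matching (assumed namespace "nvd:cpe"); the fix field is left empty.
BUSYBOX_REPORT = {
    "matches": [
        {"vulnerability": {"id": cve, "severity": "Medium", "namespace": "nvd:cpe",
                           "fix": {"versions": [], "state": "unknown"}},
         "artifact": {"name": "busybox", "version": "1.36.1", "type": "binary"}}
        for cve in ("CVE-2023-42366", "CVE-2023-42365",
                    "CVE-2023-42364", "CVE-2023-42363")
    ]
}
# alpine:3.20.2 ships busybox through its apk database. "-rN" is a placeholder
# for the Alpine package release suffix, which the post does not show.
ALPINE_SBOM = {
    "artifacts": [
        {"name": "busybox", "version": "1.36.1-rN", "type": "apk",
         "foundBy": "apk-db-cataloger"}
    ]
}
ALPINE_REPORT = {"matches": []}  # the post's alpine scan reported 0 matches

# --- analysis ----------------------------------------------------------------
def explain(sbom, report, pkg_name):
    """For every SBOM artifact named pkg_name, return how it was cataloged and
    which vulnerability ids/namespaces grype matched against it."""
    by_key = defaultdict(list)
    for m in report.get("matches", []):
        a = m["artifact"]
        by_key[(a["name"], a["version"], a["type"])].append(m["vulnerability"])
    out = []
    for art in sbom.get("artifacts", []):
        if art["name"] != pkg_name:
            continue
        vulns = by_key.get((art["name"], art["version"], art["type"]), [])
        out.append({
            "version": art["version"],
            "type": art["type"],
            "found_by": art.get("foundBy"),
            "match_count": len(vulns),
            "ids": sorted(v["id"] for v in vulns),
            "namespaces": sorted({v["namespace"] for v in vulns}),
        })
    return out

DISTRO_TYPES = {"apk", "deb", "rpm"}

def classify(entry):
    """Name the matching path implied by the catalog type and namespaces.
    'binary-cpe': package found by the binary classifier, matched via CPE.
    'distro-db': OS package; grype consults the distro's security database,
    so the result depends on that database's view of the distro release,
    not on the upstream version string alone."""
    if entry["type"] == "binary":
        return "binary-cpe"
    if entry["type"] in DISTRO_TYPES:
        return "distro-db"
    return "other"

if __name__ == "__main__":
    for label, sbom, report in (("busybox:1.36.1", BUSYBOX_SBOM, BUSYBOX_REPORT),
                                ("alpine:3.20.2", ALPINE_SBOM, ALPINE_REPORT)):
        for e in explain(sbom, report, "busybox"):
            print(label, classify(e), json.dumps(e))
```

To apply it to real output, run `syft -o json <image>` and `grype -o json <image>`, load the two files with `json.load`, and pass them to `explain`. When the same package name shows `binary-cpe` in one image and `distro-db` with zero matches in the other, the difference is the matching path, not the scanner silently skipping the package: an OS package is judged against the distribution's own advisory data for that package release, while a bare binary has only CPE data to go on. Whether grype additionally applies CPE matching to apk packages is governed by its `match.apk.using-cpes` setting; check the documented default for the release you run before drawing conclusions.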