-
Notifications
You must be signed in to change notification settings - Fork 574
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mariner Linux "util-linux" package FP #2181
Comments
Hey @Atharex I generated the syft SBOM for the image you mentioned above: Here is what I found:
So while these binaries may not have been installed via rpm, they contain a .note.package section signifying their association with Do you think it may be the case that the metadata in the binaries is incorrect and they should be associated with The hard part about this is that CVE for this package have been filed against the meta package rather than the individual utilities which is a scoping problem when trying to pinpoint vulnerabilities. Given the details of CVE-2022-0563 and CVE-2024-28085 our recommendation would be to use grype's ignore functionality here. Let me know if you have any questions or if you think anything I wrote above is in error regarding our identification and usage of elf binary metadata to include packages in the SBOM we generate for vulnerability analysis. |
We (Azure Linux dev team) looked at it, and the package version in the note is only as granular as the base package (source). This seems like this behaviour is by-design, I don't think we can change it. The things we don't understand: why is the CVE no longer reported after |
@spiffcs do you have similar situation with other Linux distributions using |
@eric-desrochers this is the first time I've run into a case where the As to your question:
I can think of a reason, but let me try and do some investigation to find out. If we install My guess here is that when If |
What happened:
Looking at the container composition:
Util-linux
package is not present in the image, onlyutil-linux-libs
. We still get flagged as vulnerable from this findingWhat you expected to happen:
The package is not present and should not be a finding. The lib package associated with it is the proper version, so should also not trigger a finding
How to reproduce it (as minimally and precisely as possible):
See above
Anything else we need to know?:
Environment:
grype version
:Application: grype
Version: 0.81.0
BuildDate: 2024-09-25T16:57:40Z
GitCommit: 641982f
GitDescription: v0.81.0
Platform: darwin/arm64
GoVersion: go1.23.1
Compiler: gc
Syft Version: v1.13.0
Supported DB Schema: 5
The text was updated successfully, but these errors were encountered: