grype: Java false positives - netty-reactive-streams, maven-resolver-api, etc
What happened:
Various Java third-party libraries are incorrectly mapped to, and compared against, the CPEs of the underlying framework/ecosystem: `netty-reactive-streams` is mapped to `netty` and `maven-resolver-api` is mapped to `maven`, even though they are not directly part of those ecosystems and are versioned independently. There are others, but this is a sampling.
Examples:
- Latest `netty-reactive-streams=2.0.5` (pom), yet it is being treated as `netty=2.0.5`
- `maven-resolver-api=1.6.3` (pom), yet it is being treated as `maven=1.6.3`
What you expected to happen: No false positives
How to reproduce it (as minimally and precisely as possible):
$ echo "FROM maven:3.8.2-ibmjava-alpine
> RUN mvn dependency:get -Dartifact=com.typesafe.netty:netty-reactive-streams:2.0.5" | docker build -t java-false-positives:netty-reactive-streams - && grype java-false-positives:netty-reactive-streams | egrep "netty-reactive-streams|maven-resolver"
Sending build context to Docker daemon 2.048kB
Step 1/2 : FROM maven:3.8.2-ibmjava-alpine
3.8.2-ibmjava-alpine: Pulling from library/maven
Digest: sha256:dbac210dcbf16f1af8a9b76b1b21a13906c95082bb7729f1ba3e4a4fa0538cd9
Status: Downloaded newer image for maven:3.8.2-ibmjava-alpine
---> bc245e67d0e6
Step 2/2 : RUN mvn dependency:get -Dartifact=com.typesafe.netty:netty-reactive-streams:2.0.5
---> Using cache
---> 993f84c6921c
Successfully built 993f84c6921c
Successfully tagged java-false-positives:netty-reactive-streams
✔ Vulnerability DB [no update available]
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [266 packages]
✔ Scanned image [54 vulnerabilities]
maven-resolver-api 1.6.3 CVE-2021-26291 Critical
maven-resolver-connector-basic 1.6.3 CVE-2021-26291 Critical
maven-resolver-impl 1.6.3 CVE-2021-26291 Critical
maven-resolver-spi 1.6.3 CVE-2021-26291 Critical
maven-resolver-transport-wagon 1.6.3 CVE-2021-26291 Critical
maven-resolver-util 1.6.3 CVE-2021-26291 Critical
netty-reactive-streams 2.0.5 CVE-2014-3488 Medium
netty-reactive-streams 2.0.5 CVE-2015-2156 High
netty-reactive-streams 2.0.5 CVE-2019-16869 High
netty-reactive-streams 2.0.5 CVE-2019-20444 Critical
netty-reactive-streams 2.0.5 CVE-2019-20445 Critical
netty-reactive-streams 2.0.5 CVE-2021-21290 Medium
netty-reactive-streams 2.0.5 CVE-2021-21295 Medium
netty-reactive-streams 2.0.5 CVE-2021-21409 Medium
Anything else we need to know?: Debug logs from grype showing the matching logic:
[0009] DEBUG searching for vulnerability matches for pkg=Pkg(type=java-archive, name=netty-reactive-streams, version=2.0.5)
[0009] DEBUG found 8 vulnerabilities for pkg=Pkg(type=java-archive, name=netty-reactive-streams, version=2.0.5)
[0009] DEBUG ├── vuln="CVE-2014-3488" type="Fuzzy Match" searchedBy={"nvd" ["cpe:2.3:a:netty:netty:2.0.5:*:*:*:*:*:*:*"]} foundBy="java-matcher"
[0009] DEBUG ├── vuln="CVE-2015-2156" type="Fuzzy Match" searchedBy={"nvd" ["cpe:2.3:a:netty:netty:2.0.5:*:*:*:*:*:*:*"]} foundBy="java-matcher"
[0009] DEBUG ├── vuln="CVE-2019-16869" type="Fuzzy Match" searchedBy={"nvd" ["cpe:2.3:a:netty:netty:2.0.5:*:*:*:*:*:*:*"]} foundBy="java-matcher"
[0009] DEBUG ├── vuln="CVE-2019-20444" type="Fuzzy Match" searchedBy={"nvd" ["cpe:2.3:a:netty:netty:2.0.5:*:*:*:*:*:*:*"]} foundBy="java-matcher"
[0009] DEBUG ├── vuln="CVE-2019-20445" type="Fuzzy Match" searchedBy={"nvd" ["cpe:2.3:a:netty:netty:2.0.5:*:*:*:*:*:*:*"]} foundBy="java-matcher"
[0009] DEBUG ├── vuln="CVE-2021-21290" type="Fuzzy Match" searchedBy={"nvd" ["cpe:2.3:a:netty:netty:2.0.5:*:*:*:*:*:*:*"]} foundBy="java-matcher"
[0009] DEBUG ├── vuln="CVE-2021-21295" type="Fuzzy Match" searchedBy={"nvd" ["cpe:2.3:a:netty:netty:2.0.5:*:*:*:*:*:*:*"]} foundBy="java-matcher"
[0009] DEBUG └── vuln="CVE-2021-21409" type="Fuzzy Match" searchedBy={"nvd" ["cpe:2.3:a:netty:netty:2.0.5:*:*:*:*:*:*:*"]} foundBy="java-matcher"
[0009] DEBUG searching for vulnerability matches for pkg=Pkg(type=java-archive, name=maven-resolver-api, version=1.6.3)
[0009] DEBUG found 1 vulnerabilities for pkg=Pkg(type=java-archive, name=maven-resolver-api, version=1.6.3)
[0009] DEBUG └── vuln="CVE-2021-26291" type="Fuzzy Match" searchedBy={"nvd" ["cpe:2.3:a:apache:maven:1.6.3:*:*:*:*:*:*:*"]} foundBy="java-matcher"
[0009] DEBUG searching for vulnerability matches for pkg=Pkg(type=java-archive, name=maven-resolver-connector-basic, version=1.6.3)
[0009] DEBUG found 1 vulnerabilities for pkg=Pkg(type=java-archive, name=maven-resolver-connector-basic, version=1.6.3)
[0009] DEBUG └── vuln="CVE-2021-26291" type="Fuzzy Match" searchedBy={"nvd" ["cpe:2.3:a:apache:maven:1.6.3:*:*:*:*:*:*:*"]} foundBy="java-matcher"
[0009] DEBUG searching for vulnerability matches for pkg=Pkg(type=java-archive, name=maven-resolver-impl, version=1.6.3)
[0009] DEBUG found 1 vulnerabilities for pkg=Pkg(type=java-archive, name=maven-resolver-impl, version=1.6.3)
[0009] DEBUG └── vuln="CVE-2021-26291" type="Fuzzy Match" searchedBy={"nvd" ["cpe:2.3:a:apache:maven:1.6.3:*:*:*:*:*:*:*"]} foundBy="java-matcher"
[0009] DEBUG searching for vulnerability matches for pkg=Pkg(type=java-archive, name=maven-resolver-provider, version=3.8.2)
[0009] DEBUG searching for vulnerability matches for pkg=Pkg(type=java-archive, name=maven-resolver-spi, version=1.6.3)
[0009] DEBUG found 1 vulnerabilities for pkg=Pkg(type=java-archive, name=maven-resolver-spi, version=1.6.3)
[0009] DEBUG └── vuln="CVE-2021-26291" type="Fuzzy Match" searchedBy={"nvd" ["cpe:2.3:a:apache:maven:1.6.3:*:*:*:*:*:*:*"]} foundBy="java-matcher"
[0009] DEBUG searching for vulnerability matches for pkg=Pkg(type=java-archive, name=maven-resolver-transport-wagon, version=1.6.3)
[0009] DEBUG found 1 vulnerabilities for pkg=Pkg(type=java-archive, name=maven-resolver-transport-wagon, version=1.6.3)
[0009] DEBUG └── vuln="CVE-2021-26291" type="Fuzzy Match" searchedBy={"nvd" ["cpe:2.3:a:apache:maven:1.6.3:*:*:*:*:*:*:*"]} foundBy="java-matcher"
[0009] DEBUG searching for vulnerability matches for pkg=Pkg(type=java-archive, name=maven-resolver-util, version=1.6.3)
[0009] DEBUG found 1 vulnerabilities for pkg=Pkg(type=java-archive, name=maven-resolver-util, version=1.6.3)
[0009] DEBUG └── vuln="CVE-2021-26291" type="Fuzzy Match" searchedBy={"nvd" ["cpe:2.3:a:apache:maven:1.6.3:*:*:*:*:*:*:*"]} foundBy="java-matcher"
Environment:
- Output of `grype version`:
$ grype version
Application: grype
Version: 0.20.0
Syft Version: v0.24.0
BuildDate: 2021-09-23T02:11:21Z
GitCommit: 1a7c9d177904756b820cea1044c8a5c452d8a4c3
GitTreeState: clean
Platform: linux/amd64
GoVersion: go1.16.8
Compiler: gc
Supported DB Schema: 3
- OS (e.g. `cat /etc/os-release` or similar):
$ cat /etc/os-release
NAME="Red Hat Enterprise Linux Server"
VERSION="7.9 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.9"
PRETTY_NAME="Red Hat Enterprise Linux Server 7.9 (Maipo)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.9:GA:server"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.9
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.9"
About this issue
- State: closed
- Created 3 years ago
- Reactions: 8
- Comments: 15 (6 by maintainers)
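The debug log above shows the whole failure mode in one place: each suspect match is a "Fuzzy Match" found by the `java-matcher` through a CPE whose product (`netty`, `maven`) is a substring of the artifact name (`netty-reactive-streams`, `maven-resolver-api`) rather than the artifact itself. As an added example (editorial code, not from the issue and not grype's own), the following script turns that observation into a triage check over grype debug output. It assumes the line format quoted in this issue; the last two sample lines are constructed as a control and are not from the log.

```python
"""Flag grype matches that came from a CPE for a different (larger) project.

Added example, not grype's own code. It parses grype debug lines of the exact
shape quoted in this issue and applies one heuristic: a "Fuzzy Match" is
suspect when the CPE product (cpe:2.3:<part>:<vendor>:<product>:...) is not
the package name itself but is one of the hyphen/underscore/dot separated
tokens of it, i.e. the CPE was derived from a substring of the artifact name
(netty-reactive-streams -> netty:netty, maven-resolver-api -> apache:maven).
"""
import re
from dataclasses import dataclass

# Shape of the "searching for vulnerability matches" lines in the issue.
PKG_RE = re.compile(
    r"pkg=Pkg\(type=(?P<type>[^,]+), name=(?P<name>[^,]+), version=(?P<version>[^)]+)\)"
)
# Shape of the per-vulnerability tree lines; the CPE list is a JSON-ish array.
VULN_RE = re.compile(
    r'vuln="(?P<vuln>[^"]+)" type="(?P<mtype>[^"]+)" '
    r'searchedBy=\{"(?P<ns>[^"]+)" \[(?P<cpes>[^\]]*)\]\}'
)


@dataclass(frozen=True)
class Suspect:
    package: str
    version: str
    vuln: str
    cpe: str
    product: str


def cpe_product(cpe: str) -> str:
    """Return the product field of a CPE 2.3 formatted string."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return parts[4]


def looks_like_parent_project(pkg_name: str, product: str) -> bool:
    """True when the CPE product is a proper token of the package name."""
    name, prod = pkg_name.lower(), product.lower()
    if name == prod:
        return False
    return prod in re.split(r"[-_.]", name)


def find_suspect_matches(log_lines):
    """Walk the debug log; return matches whose CPE names a parent project."""
    current = None
    suspects = []
    for line in log_lines:
        pkg = PKG_RE.search(line)
        if pkg and "searching for vulnerability matches" in line:
            current = pkg.groupdict()
            continue
        vuln = VULN_RE.search(line)
        if vuln is None or current is None or vuln["mtype"] != "Fuzzy Match":
            continue
        cpes = [c.strip().strip('"') for c in vuln["cpes"].split(",") if c.strip()]
        for cpe in cpes:
            product = cpe_product(cpe)
            if looks_like_parent_project(current["name"], product):
                suspects.append(
                    Suspect(current["name"], current["version"], vuln["vuln"], cpe, product)
                )
    return suspects


def group_by_package(suspects):
    """package name -> sorted list of vulnerability IDs flagged as suspect."""
    out = {}
    for s in suspects:
        out.setdefault(s.package, set()).add(s.vuln)
    return {pkg: sorted(ids) for pkg, ids in out.items()}


# Sample input: the first seven lines are copied from the debug log in the
# issue; the last two are constructed as a control (package name == product).
SAMPLE_LOG = [
    '[0009] DEBUG searching for vulnerability matches for pkg=Pkg(type=java-archive, name=netty-reactive-streams, version=2.0.5)',
    '[0009] DEBUG found 8 vulnerabilities for pkg=Pkg(type=java-archive, name=netty-reactive-streams, version=2.0.5)',
    '[0009] DEBUG ├── vuln="CVE-2014-3488" type="Fuzzy Match" searchedBy={"nvd" ["cpe:2.3:a:netty:netty:2.0.5:*:*:*:*:*:*:*"]} foundBy="java-matcher"',
    '[0009] DEBUG └── vuln="CVE-2021-21409" type="Fuzzy Match" searchedBy={"nvd" ["cpe:2.3:a:netty:netty:2.0.5:*:*:*:*:*:*:*"]} foundBy="java-matcher"',
    '[0009] DEBUG searching for vulnerability matches for pkg=Pkg(type=java-archive, name=maven-resolver-api, version=1.6.3)',
    '[0009] DEBUG found 1 vulnerabilities for pkg=Pkg(type=java-archive, name=maven-resolver-api, version=1.6.3)',
    '[0009] DEBUG └── vuln="CVE-2021-26291" type="Fuzzy Match" searchedBy={"nvd" ["cpe:2.3:a:apache:maven:1.6.3:*:*:*:*:*:*:*"]} foundBy="java-matcher"',
    '[0009] DEBUG searching for vulnerability matches for pkg=Pkg(type=java-archive, name=netty, version=2.0.5)',
    '[0009] DEBUG └── vuln="CVE-2014-3488" type="Fuzzy Match" searchedBy={"nvd" ["cpe:2.3:a:netty:netty:2.0.5:*:*:*:*:*:*:*"]} foundBy="java-matcher"',
]

if __name__ == "__main__":
    for pkg, ids in group_by_package(find_suspect_matches(SAMPLE_LOG)).items():
        print(f"{pkg}: probable parent-project CPE match for {', '.join(ids)}")
```

Two caveats for anyone using this as a triage filter. First, it is a heuristic with false negatives in the other direction: an artifact such as `netty-all` really is Netty, and the token test would still flag it, so review the list before suppressing anything. Second, until the matcher fix the maintainers describe below, the only suppression grype offers is its `ignore` rules in `.grype.yaml` (by vulnerability ID plus package name/version/type, in versions that support them); as a later comment in this thread points out, that cannot express "this artifact never matches this CPE", so the rules have to be re-added every time the artifact version changes.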
Still related to netty, I get the following false positives on a docker image containing `spring-boot-starter-webflux`, which includes `reactor-netty-http`. All of these are fixed along with `netty 4.1.70` (dependency of `1.0.13` above). Debug info:

Is there something we can do to help testing? These false positives around `reactor-netty-*` are hitting us in quite some Java and Scala projects - we applied updates, yet still get back a ton of vulnerabilities 😅

Hi @guizmaii, thanks for letting us know. We understand the root cause of this problem and it's something we are working on fixing. I'll leave this open for tracking until we have a solution. Thanks!
Hello all, we have made some recent changes to the way that Grype matches vulnerabilities. These Java-related false positives should all be fixed now. Please see this blog post for more detail and rationale for the changes: https://anchore.com/blog/say-goodbye-to-false-positives/
I’ll go ahead and close this issue but if you run into any more false positives, please open a new issue and we would be happy to look. Thanks for your patience!
Actually, excluding a vulnerability by package CPE would be nice, too. But I was talking about excluding an artifact match from a CPE. In this case, I would like to say that `"name": "reactor-netty-http", "type": "java-archive"` is never, ever a match for `"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*"`.
I found this a highly useful feature that e.g. the OWASP Dependency Scanner has in their rather extensive suppression specification. I frequently use it to disentangle client libs from server vulnerabilities.
@dakaneye Yeah that’s a good question. To me, this is the same category of false positive as #450, where our string manipulation during CPE generation ends up producing matches against larger projects. We’ll need to think on the best way to handle this. 🤔