What happened: I'm running grype and exporting the result in CycloneDX format. But for the security alerts from GitHub (GHSA), Grype doesn't fill the array "ratings". This is an example:

[...]
    {
      "bom-ref": "urn:uuid:440c3846-d7c9-4298-b957-10dc3c2e4267",
      "id": "GHSA-w5p7-h5w8-2hfq",
      "source": {
        "name": "github-language-javascript",
        "url": "https://github.com/advisories/GHSA-w5p7-h5w8-2hfq"
      },
      "references": [
        {
          "id": "GHSA-w5p7-h5w8-2hfq",
          "source": {
            "name": "github-language-javascript",
            "url": "https://github.com/advisories/GHSA-w5p7-h5w8-2hfq"
          }
        }
      ],
      "ratings": [],
      "description": "Regular Expression Denial of Service in trim",
      "advisories": [
        {
          "url": "https://github.com/advisories/GHSA-w5p7-h5w8-2hfq"
        }
      ],
      "affects": [
        {
          "ref": "pkg:npm/[email protected]?package-id=550215cca8f83f2b"
        }
      ]
    }
[...]

But in SYFT format, there is the severity:

[...]
  {
   "vulnerability": {
    "id": "GHSA-w5p7-h5w8-2hfq",
    "dataSource": "https://github.com/advisories/GHSA-w5p7-h5w8-2hfq",
    "namespace": "github:language:javascript",
    "severity": "High",
    "urls": [
     "https://github.com/advisories/GHSA-w5p7-h5w8-2hfq"
    ],
    "description": "Regular Expression Denial of Service in trim",
    "cvss": [],
    "fix": {
     "versions": [
      "0.0.3"
     ],
     "state": "fixed"
    },
    "advisories": []
   }
[...]

What you expected to happen: I expected to see the attribute "ratings" in the CycloneDX file.

How to reproduce it (as minimally and precisely as possible): Create the file grype_issue.cdx.json with this content:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:3268c670-b3ef-42a3-aaa0-e5719bcd13fb",
  "version": 1,
  "metadata": {
    "timestamp": "2023-01-25T17:28:36+01:00",
    "tools": [
      {
        "vendor": "anchore",
        "name": "syft",
        "version": "0.68.0"
      }
    ],
    "component": {
      "bom-ref": "f585a7175aa94120",
      "type": "file",
      "name": "./package-lock.json"
    }
  },
  "components": [
    {
      "bom-ref": "pkg:npm/[email protected]?package-id=381befe0f9bdddc",
      "type": "library",
      "name": "grype_issue",
      "version": "1.0.0",
      "licenses": [
        {
          "license": {
            "id": "ISC"
          }
        }
      ],
      "cpe": "cpe:2.3:a:grype-issue:grype-issue:1.0.0:*:*:*:*:*:*:*",
      "purl": "pkg:npm/[email protected]",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "javascript-lock-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "javascript"
        },
        {
          "name": "syft:package:metadataType",
          "value": "NpmPackageLockJsonMetadata"
        },
        {
          "name": "syft:package:type",
          "value": "npm"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:grype-issue:grype_issue:1.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:grype_issue:grype-issue:1.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:grype_issue:grype_issue:1.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:grype:grype-issue:1.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:grype:grype_issue:1.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:*:grype-issue:1.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:*:grype_issue:1.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:location:0:path",
          "value": "/tmp/grype_issue/package-lock.json"
        }
      ]
    },
    {
      "bom-ref": "pkg:npm/[email protected]?package-id=1018dc924f788544",
      "type": "library",
      "name": "trim",
      "version": "0.0.2",
      "cpe": "cpe:2.3:a:trim:trim:0.0.2:*:*:*:*:*:*:*",
      "purl": "pkg:npm/[email protected]",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "javascript-lock-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "javascript"
        },
        {
          "name": "syft:package:metadataType",
          "value": "NpmPackageLockJsonMetadata"
        },
        {
          "name": "syft:package:type",
          "value": "npm"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:*:trim:0.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:location:0:path",
          "value": "/tmp/grype_issue/package-lock.json"
        }
      ]
    }
  ]
}

Type this:

$ grype sbom:./grype_issue.cdx.json --output cyclonedx-json
 ✔ Vulnerability DB        [no update available]
 ✔ Scanned image           [2 vulnerabilities]
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:2b425ea2-6275-432f-a1e7-f97c24bccddb",
  "version": 1,
  "metadata": {
    "timestamp": "2023-01-25T17:30:31+01:00",
    "tools": [
      {
        "vendor": "anchore",
        "name": "grype",
        "version": "0.55.0"
      }
    ],
    "component": {
      "bom-ref": "f585a7175aa94120",
      "type": "file",
      "name": "./package-lock.json"
    }
  },
  "components": [
    {
      "bom-ref": "pkg:npm/[email protected]?package-id=477fbb6eb362b102",
      "type": "library",
      "name": "grype_issue",
      "version": "1.0.0",
      "licenses": [
        {
          "license": {
            "id": "ISC"
          }
        }
      ],
      "cpe": "cpe:2.3:a:grype-issue:grype-issue:1.0.0:*:*:*:*:*:*:*",
      "purl": "pkg:npm/[email protected]",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "javascript-lock-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "javascript"
        },
        {
          "name": "syft:package:metadataType",
          "value": "NpmPackageLockJsonMetadata"
        },
        {
          "name": "syft:package:type",
          "value": "npm"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:grype-issue:grype_issue:1.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:grype_issue:grype-issue:1.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:grype_issue:grype_issue:1.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:grype:grype-issue:1.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:grype:grype_issue:1.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:*:grype-issue:1.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:*:grype_issue:1.0.0:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:location:0:path",
          "value": "/tmp/grype_issue/package-lock.json"
        }
      ]
    },
    {
      "bom-ref": "pkg:npm/[email protected]?package-id=88e35f5dee221d99",
      "type": "library",
      "name": "trim",
      "version": "0.0.2",
      "cpe": "cpe:2.3:a:trim:trim:0.0.2:*:*:*:*:*:*:*",
      "purl": "pkg:npm/[email protected]",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "javascript-lock-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "javascript"
        },
        {
          "name": "syft:package:metadataType",
          "value": "NpmPackageLockJsonMetadata"
        },
        {
          "name": "syft:package:type",
          "value": "npm"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:*:trim:0.0.2:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:location:0:path",
          "value": "/tmp/grype_issue/package-lock.json"
        }
      ]
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:8f2af176-ba71-4bf3-aa75-4bcbe690854c",
      "id": "CVE-2020-7753",
      "source": {
        "name": "nvd-cpe",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7753"
      },
      "references": [
        {
          "id": "CVE-2020-7753",
          "source": {
            "name": "nvd-cpe",
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7753"
          }
        }
      ],
      "ratings": [
        {
          "score": 5,
          "severity": "high",
          "method": "CVSSv2",
          "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"
        },
        {
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],
      "description": "All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().",
      "advisories": [
        {
          "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1022132"
        },
        {
          "url": "https://github.com/component/trim/blob/master/index.js%23L6"
        },
        {
          "url": "https://snyk.io/vuln/SNYK-JS-TRIM-1017038"
        },
        {
          "url": "https://lists.apache.org/thread.html/[email protected]%3Ccommits.airflow.apache.org%3E"
        },
        {
          "url": "https://lists.apache.org/thread.html/[email protected]%3Ccommits.airflow.apache.org%3E"
        },
        {
          "url": "https://lists.apache.org/thread.html/[email protected]%3Ccommits.airflow.apache.org%3E"
        },
        {
          "url": "https://lists.apache.org/thread.html/r51ff3c2a4c7b8402f321eae7e6246[email protected]%3Ccommits.airflow.apache.org%3E"
        },
        {
          "url": "https://lists.apache.org/thread.html/[email protected]%3Ccommits.airflow.apache.org%3E"
        }
      ],
      "affects": [
        {
          "ref": "pkg:npm/[email protected]?package-id=88e35f5dee221d99"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c29659dd-72fe-4375-9f59-0f4b92cc54fd",
      "id": "GHSA-w5p7-h5w8-2hfq",
      "source": {
        "name": "github-language-javascript",
        "url": "https://github.com/advisories/GHSA-w5p7-h5w8-2hfq"
      },
      "references": [
        {
          "id": "GHSA-w5p7-h5w8-2hfq",
          "source": {
            "name": "github-language-javascript",
            "url": "https://github.com/advisories/GHSA-w5p7-h5w8-2hfq"
          }
        }
      ],
      "ratings": [],
      "description": "Regular Expression Denial of Service in trim",
      "advisories": [
        {
          "url": "https://github.com/advisories/GHSA-w5p7-h5w8-2hfq"
        }
      ],
      "affects": [
        {
          "ref": "pkg:npm/[email protected]?package-id=88e35f5dee221d99"
        }
      ]
    }
  ]
}

And you will see that the attribute "ratings" is not filled for the GHSA issue.

Environment:

  • Output of grype version: 0.55.0
  • OS: macOS / Linux
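As an added example (not from this report or the grype project), a small Python check that flags CycloneDX entries whose "ratings" array is empty and, where grype's native JSON output is also available, fills the severity from it so a CI gate fails closed on unrated entries instead of silently passing them. The sample documents are constructed to mirror the shapes shown above; the "matches" key of the native output is assumed.

```python
import json

# Constructed sample in the shape of grype's CycloneDX 1.4 output: one entry with a CVSS
# rating and one GHSA entry whose "ratings" array is empty (the behaviour reported above).
SAMPLE_CDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "vulnerabilities": [
        {"id": "CVE-2020-7753",
         "ratings": [{"score": 7.5, "severity": "high", "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:npm/trim@0.0.2"}]},
        {"id": "GHSA-w5p7-h5w8-2hfq", "ratings": [],
         "affects": [{"ref": "pkg:npm/trim@0.0.2"}]},
    ],
})

# Constructed sample of grype's native JSON ("matches" array assumed), which does carry
# a severity string for the GHSA record.
SAMPLE_GRYPE = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2020-7753", "severity": "High"}},
    {"vulnerability": {"id": "GHSA-w5p7-h5w8-2hfq", "severity": "High"}},
]})

SEVERITY_ORDER = {"critical": 4, "high": 3, "medium": 2, "low": 1, "negligible": 0}


def unrated_vulns(cdx_text):
    """Ids of CycloneDX vulnerabilities that carry no rating at all."""
    doc = json.loads(cdx_text)
    return [v["id"] for v in doc.get("vulnerabilities", []) if not v.get("ratings")]


def max_severity(cdx_text, grype_text=None):
    """Highest severity per id; empty ratings fall back to grype's native JSON, else "unknown"."""
    fallback = {}
    if grype_text:
        for m in json.loads(grype_text).get("matches", []):
            fallback[m["vulnerability"]["id"]] = m["vulnerability"].get("severity", "").lower()
    result = {}
    for v in json.loads(cdx_text).get("vulnerabilities", []):
        sevs = [r.get("severity", "").lower() for r in v.get("ratings", [])]
        if not sevs and v["id"] in fallback:
            sevs = [fallback[v["id"]]]
        result[v["id"]] = max(sevs, key=lambda s: SEVERITY_ORDER.get(s, -1), default="unknown")
    return result


def gate_fails(cdx_text, threshold="high", grype_text=None):
    """Fail-closed gate: True if any entry meets the threshold or has no usable severity."""
    bar = SEVERITY_ORDER[threshold]
    return any(s == "unknown" or SEVERITY_ORDER.get(s, -1) >= bar
               for s in max_severity(cdx_text, grype_text).values())
```

Run it against the two files produced by `grype ... --output cyclonedx-json` and `grype ... --output json` to see which entries a severity-only filter would otherwise miss.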

Hi, could you try with Grype v0.56.0? I believe this is fixed.
