Description
What happened:
After using the Spring Initializer tool to create a new Spring Boot App (version 2.7.5) with the Spring Web dependency, building, and running Grype to scan for vulnerabilities, we get a vulnerability detected on the following package:
spring-boot-starter-web: GHSA-36p3-wjmg-h94x
What you expected to happen:
When installing the dependencies, the spring-boot-starter-web package installs a version that is consistent with its parent artifact (spring-boot-starter-parent), which maps to version 2.7.5.
I was expecting grype to detect the version and note that the vulnerability it indicates does not apply, since it was fixed in a prior version (2.5.12). However, the engine does not pick it up, and displays an empty version in use for the package:
How to reproduce it (as minimally and precisely as possible):
I have set up a repo with a dev container configured to run the repro with instructions here:
https://github.com/cezapata/appconfiguration-sample
You can run the codespace, install the maven dependencies on the app, and then run grype. Among the vulnerabilities detected, we will display GHSA-36p3-wjmg-h94x.
Anything else we need to know?:
Hard-coding the version on the dependencies fixes the problem, but we would like all the dependencies to be controlled by the parent.
Environment:
- Output of grype version:
Application: grype
Version: 0.53.0
Syft Version: v0.62.0
BuildDate: 2022-11-18T20:36:40Z
GitCommit: a4a62aa
GitDescription: v0.53.0
Platform: linux/amd64
GoVersion: go1.18.7
Compiler: gc
Supported DB Schema: 5
- OS (e.g: cat /etc/os-release or similar):
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
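A triage helper for the situation in this report, added here as an example; it is not part of grype, syft, or the reporter's repro repository. It parses a pom.xml and lists the dependencies that carry no version element of their own (their version is inherited from the parent or a managed BOM), alongside the parent version, so that a finding grype prints with an empty version can be checked by hand against the version Maven actually resolves. The pom.xml below is a constructed sample modelled on a Spring Initializr project: spring-boot-starter-web inherits its version from spring-boot-starter-parent 2.7.5, while a second dependency pins its version explicitly, which is the workaround the reporter mentions.

```python
"""List Maven dependencies whose version is inherited rather than declared.

Added example, not code from grype or from the issue reporter. It reads a
pom.xml and reports <dependency> entries without a <version> element, which
are the ones an SCA scanner may show with an empty version when it reads the
POM without resolving the parent.
"""
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not taken from the reporter's repository).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.5</version>
  </parent>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-test</artifactId>
      <version>2.7.5</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""


def _namespace(root):
    """Return the POM namespace map, or None when the POM declares none."""
    if root.tag.startswith("{"):
        return {"m": root.tag[1 : root.tag.index("}")]}
    return None


def _qualify(path, ns):
    """Prefix each path step with the namespace alias when one is in use."""
    if ns is None:
        return path
    return "/".join(f"m:{step}" for step in path.split("/"))


def _text(elem, path, ns):
    """Text of the first child matching path, or None when absent/empty."""
    child = elem.find(_qualify(path, ns), ns) if ns else elem.find(path)
    if child is None or child.text is None:
        return None
    return child.text.strip() or None


def parent_version(pom_xml):
    """Version declared in <parent>, or None if the POM has no parent."""
    root = ET.fromstring(pom_xml)
    ns = _namespace(root)
    parent = root.find(_qualify("parent", ns), ns) if ns else root.find("parent")
    return _text(parent, "version", ns) if parent is not None else None


def unpinned_dependencies(pom_xml):
    """(groupId, artifactId) of every <dependency> with no <version> element."""
    root = ET.fromstring(pom_xml)
    ns = _namespace(root)
    path = _qualify("dependencies/dependency", ns)
    deps = root.findall(path, ns) if ns else root.findall(path)
    return [
        (_text(dep, "groupId", ns), _text(dep, "artifactId", ns))
        for dep in deps
        if _text(dep, "version", ns) is None
    ]


def triage(pom_xml):
    """Map each unpinned dependency to the parent version it likely inherits.

    The parent version is only a hint: Maven resolves the real version from
    the parent's dependencyManagement, so confirm with `mvn dependency:tree`
    before dismissing a scanner finding.
    """
    inherited_from = parent_version(pom_xml)
    return {
        f"{group}:{artifact}": inherited_from
        for group, artifact in unpinned_dependencies(pom_xml)
    }


if __name__ == "__main__":
    for coords, hint in triage(SAMPLE_POM).items():
        print(f"{coords}: no explicit version; parent declares {hint}")
```

Run against the project's real pom.xml (read the file and pass its contents to `triage`) to get the list of artifacts whose grype result needs a manual version check; anything it prints with a pinned parent version is a candidate for the "fixed in a prior release" assessment the reporter expected, pending confirmation from `mvn dependency:tree`.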