What happened:
Grype does not report any vulnerabilities for CPEs that have a target_sw field set.
What you expected to happen:
Grype finds vulnerabilities that match a given CPE.
How to reproduce it (as minimally and precisely as possible):
grype db search CVE-2011-2337
# VULNERABILITY PACKAGE ECOSYSTEM NAMESPACE VERSION CONSTRAINT
# CVE-2011-2337 chromium-browser deb ubuntu:distro:ubuntu:14.04
# CVE-2011-2337 chromium-browser deb ubuntu:distro:ubuntu:19.04
# CVE-2011-2337 cpe:2.3:a:google:blink:*:*:*:*:*:x64:chromium:* chromium nvd:cpe < m12
The CPE in the grype db search output is malformed (the target_sw and target_hw values are swapped), see #2767. When I search with the correct CPE, Grype still does not find anything. Both of the following should match.
grype 'cpe:2.3:a:google:blink:*:*:*:*:*:chromium:x64:*'
# ✔ Scanned for vulnerabilities [0 vulnerability matches]
# ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
# └── by status: 0 fixed, 0 not-fixed, 0 ignored
# No vulnerabilities found
grype 'cpe:2.3:a:google:blink:*:*:*:*:*:chromium:*:*'
# ✔ Scanned for vulnerabilities [0 vulnerability matches]
# ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
# └── by status: 0 fixed, 0 not-fixed, 0 ignored
# No vulnerabilities found
Only when the target_sw field is omitted does Grype find the correct vulnerability.
grype 'cpe:2.3:a:google:blink:*:*:*:*:*:*:x64:*'
# ✔ Scanned for vulnerabilities [0 vulnerability matches]
# ├── by severity: 1 critical, 0 high, 0 medium, 0 low, 0 negligible
# └── by status: 1 fixed, 0 not-fixed, 0 ignored
# NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY EPSS% RISK
# blink m12 CVE-2011-2337 Critical 52.22 0.3
grype 'cpe:2.3:a:google:blink:*:*:*:*:*:*:*:*'
# ✔ Scanned for vulnerabilities [0 vulnerability matches]
# ├── by severity: 2 critical, 2 high, 8 medium, 0 low, 0 negligible
# └── by status: 12 fixed, 0 not-fixed, 0 ignored
# NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY EPSS% RISK
# blink m12 CVE-2011-2337 Critical 52.22 0.3
# blink m11 CVE-2011-1802 Medium 64.55 0.3
# blink m11 CVE-2011-1460 Critical 50.78 0.2
# blink m13 CVE-2011-2808 Medium 61.02 0.2
# blink m11 CVE-2011-1298 High 51.80 0.2
# blink m12 CVE-2011-2336 Medium 53.10 0.2
# blink m13 CVE-2011-2353 Medium 53.10 0.2
# blink m11 CVE-2011-1459 Medium 51.80 0.1
# blink m12 CVE-2011-2335 High 38.40 0.1
# blink m11 CVE-2011-1803 Medium 38.40 < 0.1
# blink m12 CVE-2011-2334 Medium 38.40 < 0.1
# blink m13 CVE-2011-2807 Medium 38.40 < 0.1
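To make the expected behaviour concrete, here is a small stand-alone CPE 2.3 parser and matcher written for this report; it is not Grype's own matching code and does not show how Grype stores or compares CPEs internally. It implements the attribute-level relations from NISTIR 7696 (ANY matches anything, NA only matches NA or ANY, otherwise case-insensitive equality) and then lists the attributes on which two names are disjoint. Run against the CPE strings quoted above (the only inputs it uses), it shows that a query with target_sw=chromium should match a database name whose target_sw is "*", and that the malformed name with x64 and chromium swapped fails on exactly the target_sw and target_hw attributes:

```go
package main

import (
	"fmt"
	"strings"
)

// Attribute names in the order they appear after the "cpe:2.3:" prefix.
// Positions 8 and 9 are target_sw and target_hw, the two fields that are
// swapped in the malformed database CPE quoted in this issue.
var cpeAttrNames = [11]string{
	"part", "vendor", "product", "version", "update", "edition",
	"language", "sw_edition", "target_sw", "target_hw", "other",
}

// CPE is a parsed CPE 2.3 name: eleven attribute strings.
type CPE struct {
	Attrs [11]string
}

// ParseCPE parses a CPE 2.3 formatted string. Escaped colons ("\:") inside a
// value are preserved; "?" and embedded "*" wildcards are not interpreted.
func ParseCPE(s string) (CPE, error) {
	var c CPE
	const prefix = "cpe:2.3:"
	if !strings.HasPrefix(s, prefix) {
		return c, fmt.Errorf("not a CPE 2.3 formatted string: %q", s)
	}
	fields := splitUnescaped(s[len(prefix):])
	if len(fields) != len(c.Attrs) {
		return c, fmt.Errorf("expected %d attributes, got %d in %q", len(c.Attrs), len(fields), s)
	}
	copy(c.Attrs[:], fields)
	return c, nil
}

// splitUnescaped splits on ':' except where the colon is escaped with '\'.
func splitUnescaped(s string) []string {
	var fields []string
	var cur strings.Builder
	escaped := false
	for _, r := range s {
		switch {
		case escaped:
			cur.WriteRune('\\')
			cur.WriteRune(r)
			escaped = false
		case r == '\\':
			escaped = true
		case r == ':':
			fields = append(fields, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	if escaped {
		cur.WriteRune('\\')
	}
	return append(fields, cur.String())
}

// Relation is the NISTIR 7696 set relation between two attribute values.
type Relation int

const (
	Disjoint Relation = iota
	Equal
	Subset   // source is narrower than target, e.g. "chromium" vs "*"
	Superset // source is broader than target, e.g. "*" vs "chromium"
)

// compareAttr applies the logical-value rules of NISTIR 7696: "*" (ANY) is a
// superset of everything, "-" (NA) equals only NA and is a subset of ANY, and
// ordinary strings compare case-insensitively. Anything else is DISJOINT.
func compareAttr(source, target string) Relation {
	switch {
	case source == "*" && target == "*":
		return Equal
	case source == "*":
		return Superset
	case target == "*":
		return Subset
	case strings.EqualFold(source, target):
		return Equal
	default:
		return Disjoint
	}
}

// DisjointAttrs returns the attribute names on which a and b are DISJOINT.
// An empty result means the names match (every attribute is EQUAL, SUBSET or
// SUPERSET), which is the usual "does this vulnerability CPE apply" test.
func DisjointAttrs(a, b CPE) []string {
	var names []string
	for i := range a.Attrs {
		if compareAttr(a.Attrs[i], b.Attrs[i]) == Disjoint {
			names = append(names, cpeAttrNames[i])
		}
	}
	return names
}

// Match reports whether no attribute of a and b is DISJOINT.
func Match(a, b CPE) bool { return len(DisjointAttrs(a, b)) == 0 }

func main() {
	// Inputs are the CPE strings quoted in this issue.
	query := "cpe:2.3:a:google:blink:*:*:*:*:*:chromium:x64:*"
	candidates := []string{
		"cpe:2.3:a:google:blink:*:*:*:*:*:*:*:*",          // target_sw/target_hw ANY: should match
		"cpe:2.3:a:google:blink:*:*:*:*:*:x64:chromium:*", // fields swapped: should not match
	}
	q, err := ParseCPE(query)
	if err != nil {
		panic(err)
	}
	for _, c := range candidates {
		cand, err := ParseCPE(c)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s\n  match=%v disjoint=%v\n", c, Match(q, cand), DisjointAttrs(q, cand))
	}
}
```

The relation is symmetric for the purpose of applicability (SUBSET one way is SUPERSET the other), so the same result is obtained whether the query or the database name is treated as the source; a matcher that only finds the name when target_sw is ANY on the query side is treating "*" as a literal string rather than as the ANY logical value.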
Anything else we need to know?:
Environment:
Application: grype
Version: 0.94.0
BuildDate: 2025-06-12T14:46:28Z
GitCommit: 7c5fa46cc184e383505ea889e9effab11023e5b0
GitDescription: v0.94.0
Platform: linux/amd64
GoVersion: go1.24.4
Compiler: gc
Syft Version: v1.27.1
Supported DB Schema: 6
Arch Linux