Skip to content

fix: Remove CPE product candidates for opentelemetry and redis Rust crates#3962

Merged
spiffcs merged 1 commit intoanchore:mainfrom
jayvdb:rust-cpe-false-positives
Jun 5, 2025
Merged

fix: Remove CPE product candidates for opentelemetry and redis Rust crates#3962
spiffcs merged 1 commit intoanchore:mainfrom
jayvdb:rust-cpe-false-positives

Conversation

@jayvdb
Copy link
Copy Markdown
Contributor

@jayvdb jayvdb commented Jun 4, 2025
edited
Loading

Description

Rust crates opentelemetry and redis are being given CPEs that match CVEs such as CVE-2023-45142 and CVE-2022-24735 respectively. The vendor overrides added here prevent that.

Relates to #3956 & #3957 , both of which are broader, while this fixes the immediate false positives.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

@jayvdb jayvdb force-pushed the rust-cpe-false-positives branch from 1e79cb3 to 8a8ac5f Compare June 4, 2025 19:54
@kzantow
Copy link
Copy Markdown
Contributor

kzantow commented Jun 4, 2025

Hey @jayvdb -- this file is generated automatically from a small program here: https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/main.go so any changes will get overridden when that runs again. That said: this is supposed to be all CPEs that are known from NVD so adding other CPEs are just guesses (probably correct guesses), but we can't be guaranteed NVD will use the same thing. I think it might be more useful to look in this package, where we have a lot of handling specific to ecosystems including overrides for CPEs we know are wrong and need to be corrected, such as: https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go#L110

@jayvdb
fix: Remove two Rust crate false positive CPE matches
c18f04f 
Rust crates opentelemetry and redis are being given CPEs that
match CVEs such as CVE-2023-45142 and CVE-2022-24735 respectively.
The vendor overrides added here prevent that.

Signed-off-by: John Vandenberg <jayvdb@gmail.com>
@jayvdb jayvdb force-pushed the rust-cpe-false-positives branch from 8a8ac5f to c18f04f Compare June 5, 2025 00:18
@jayvdb
Copy link
Copy Markdown
Contributor Author

jayvdb commented Jun 5, 2025

@kzantow thanks for the guidance.

I have removed the manual edits to cpe-index.json , and now using fixes in candidate_by_package_type.go.

This removes the CPEs from these entries in my SBOM, which is acceptable to me, as I already know they have no entries in NVD, but it feels like it isnt a great solution, as the generated SBOM is permanent, but the NVD data grows and could include CVEs for these crates in the future.

If I understood correctly, you do not want me to be using candidateAddition(..) because I could only be adding guesses at the NVD vendor or product name, and it sounds like you dont want syft to be guessing those in advance of NVD adding them to their data.

@spiffcs spiffcs merged commit bd894b9 into anchore:main Jun 5, 2025
12 checks passed
@jayvdb jayvdb deleted the rust-cpe-false-positives branch June 5, 2025 19:28
@jayvdb jayvdb mentioned this pull request Jun 5, 2025
Merged
4 tasks
@wagoodman wagoodman changed the title fix: Remove two Rust crate false positive CPE matches fix: Remove CPE product candidates for opentelemetry and redis Rust crates Jun 9, 2025
@wagoodman wagoodman added the bug Something isn't working label Jun 9, 2025
@BrewTestBot BrewTestBot mentioned this pull request Jun 9, 2025
Merged
spiffcs added a commit that referenced this pull request Jun 9, 2025
@spiffcs
Merge branch 'main' into go-source
c57e191 
* main: (31 commits)
  remove benchmark utils (#3982)
  fix: exclude packages with SPDX GENERATED_FROM source package indication (#3981)
  chore(deps): bump modernc.org/sqlite from 1.37.1 to 1.38.0 (#3979)
  chore(deps): bump github.com/go-git/go-git/v5 from 5.16.1 to 5.16.2 (#3978)
  chore(deps): update tools to latest versions (#3977)
  chore(deps): update CPE dictionary index (#3976)
  chore(deps): bump golang.org/x/net from 0.40.0 to 0.41.0 (#3970)
  chore(deps): bump github.com/sergi/go-diff (#3971)
  Fix Python package dependency detection (#3965)
  fix: Remove three Rust crate false positive CPE matches (#3967)
  Harden Container Runtime with Non-Root User (#3941)
  fix: Remove two Rust crate false positive CPE matches (#3962)
  chore(deps): bump golang.org/x/mod from 0.24.0 to 0.25.0 (#3963)
  chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.12 to 0.5.13 (#3964)
  fix: bump stereoscope to fix symlink performance issue (#3953)
  chore(deps): bump github.com/go-git/go-git/v5 from 5.16.0 to 5.16.1 (#3960)
  chore(deps): bump github/codeql-action from 3.28.18 to 3.28.19 (#3952)
  feat: add syft schema version to version command (#3949)
  chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.11 to 0.5.12 (#3943)
  chore(deps): update tools to latest versions (#3945)
  ...

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@spiffcs spiffcs spiffcs approved these changes

Assignees

No one assigned

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jayvdb @kzantow @spiffcs @wagoodman