CPE of linux-kernel not precise enough #3437
Comments
Thanks for the issue @rafutek. I've added a needs investigation so we can take a look at the CPE being generated here and how they could be more precise. The question I have currently is you said: "Multiple components were found for a unique linux image. Indeed, linux-kernel-cataloger and dpkg-db-cataloger both found a linux image/kernel component." Do you have the details for these packages from the SBOM?
Hi @spiffcs, I work with @rafutek, here are the answers.
Yes, the CPEs are coming from the SBOM. Do you want us to copy/paste the SBOM entries for these packages?
Yes, they are the same packages. But they are named differently by the different catalogers. For example, on a Debian 12 server we have:
Then, when we launch syft:
When we check the name of each package:
As you can see, we have packages named "linux-image-VERSION" and "linux-kernel". When we check the details of each package:
You can see that:
Hope it's clear (and not too verbose). Best.
What happened:
I generated a filesystem SBOM with syft scan dir:/ -o cyclonedx-json=/tmp/syft-scan.json and checked the generated JSON. Multiple components were found for a single linux image. Indeed, linux-kernel-cataloger and dpkg-db-cataloger both found a linux image/kernel component. I expected syft to generate only one, as my machine has only one linux image/kernel installed.

Secondly, the CPE of the linux-kernel component is cpe:2.3:o:linux:linux_kernel:6.1.0-26-amd64:*:*:*:*:*:*:*, which is not precise enough; the patch version should be included. Otherwise, the component will be declared as affected by a lot of CVEs fixed by previous patches.

Also, the CPE of the linux-image component is cpe:2.3:a:linux-image-6.1.0-26-amd64:linux-image-6.1.0-26-amd64:6.1.112-1:*:*:*:*:*:*:*, which was generated by syft and is not known by any CVE database. I expected the CPE of those components to be more like cpe:2.3:o:linux:linux_kernel:6.1.112:*:*:*:*:*:*:* (as found in NVD).

As the linux kernel/image is a basic component to check CVEs for, I imagine I am not the first one with those issues. Maybe I am doing something wrong?
Environment:
syft version: syft 1.16.0
cat /etc/os-release (or similar):
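The two comments above make one point between them: the precise upstream kernel version (6.1.112) is carried in the dpkg version string of the linux-image package, while the string the kernel cataloger reports (6.1.0-26-amd64) is the Debian ABI name, and a CPE built from the ABI name compares as 6.1.0 against any NVD range. The following Python is an added illustration of that derivation and its consequence, not syft's code or the reporters' SBOM: the two Component records are constructed to mirror the names and versions quoted in the issue, the helper names (upstream_version, kernel_cpe, affected_by, canonical_kernel_cpes) are this example's own, and the fixed-in version 6.1.100 used in the demonstration is an arbitrary threshold, not a real CVE.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    cataloger: str


# Constructed sample: the two components the issue reports for one installed kernel
# on Debian 12 (names, versions and cataloger labels as quoted in the thread).
SAMPLE = [
    Component("linux-image-6.1.0-26-amd64", "6.1.112-1", "dpkg-db-cataloger"),
    Component("linux-kernel", "6.1.0-26-amd64", "linux-kernel-cataloger"),
]

# Debian kernel image packages embed the ABI name: linux-image-<x.y.z>-<abi>-<flavour>.
# The metapackage "linux-image-amd64" deliberately does not match.
_ABI_RE = re.compile(r"^linux-image-(\d+\.\d+\.\d+-\d+-[a-z0-9]+)$")


def upstream_version(debian_version: str) -> str:
    """Strip epoch and Debian revision: '1:6.1.112-1' -> '6.1.112'.

    Debian versions are [epoch:]upstream[-revision]; only the upstream part
    names a kernel.org release usable in an o:linux:linux_kernel CPE.
    """
    without_epoch = debian_version.split(":", 1)[-1]
    return without_epoch.rsplit("-", 1)[0]


def kernel_cpe(version: str) -> str:
    """Build the NVD-style CPE the reporter expected for the kernel."""
    return f"cpe:2.3:o:linux:linux_kernel:{version}:*:*:*:*:*:*:*"


def version_key(version: str) -> tuple:
    """Leading dotted integers only: '6.1.0-26-amd64' -> (6, 1, 0), '6.1.112' -> (6, 1, 112)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"no numeric version in {version!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def affected_by(version: str, fixed_in: str) -> bool:
    """Naive 'versionEndExcluding' check, the way an NVD range would be applied."""
    return version_key(version) < version_key(fixed_in)


def canonical_kernel_cpes(components) -> dict:
    """Map each kernel component to one precise CPE.

    A 'linux-kernel' entry whose version equals the ABI name of a present
    linux-image package is the same kernel and is dropped as a duplicate; the
    dpkg package wins because its version carries the upstream patch level.
    """
    images = {}
    for c in components:
        m = _ABI_RE.match(c.name)
        if m:
            images[m.group(1)] = c

    cpes = {}
    for c in components:
        m = _ABI_RE.match(c.name)
        if m:
            cpes[c.name] = kernel_cpe(upstream_version(c.version))
        elif c.name == "linux-kernel":
            if c.version in images:
                continue  # duplicate of the dpkg linux-image package above
            cpes[c.name] = kernel_cpe(c.version)  # no dpkg record; best we have
    return cpes


if __name__ == "__main__":
    for name, cpe in canonical_kernel_cpes(SAMPLE).items():
        print(f"{name}: {cpe}")
    # Why the ABI-derived CPE over-reports: against an arbitrary fixed-in of 6.1.100
    # the ABI string reads as 6.1.0 and matches, the real 6.1.112 does not.
    print("abi string affected:", affected_by("6.1.0-26-amd64", "6.1.100"))
    print("upstream affected:  ", affected_by("6.1.112", "6.1.100"))
```

Run it and the sample collapses to a single component with cpe:2.3:o:linux:linux_kernel:6.1.112:*:*:*:*:*:*:*, while the affected_by lines show the false positive the reporter describes. One caveat the thread does not spell out: even the upstream version is only an upper bound for a Debian kernel, because Debian backports security fixes into 6.1.x without changing the upstream number, so a distro-aware source such as the Debian security tracker is needed to avoid over-reporting on top of a correct CPE.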