Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CPE of linux-kernel not precise enough #3437

Open
rafutek opened this issue Nov 13, 2024 · 2 comments
Open

CPE of linux-kernel not precise enough #3437

rafutek opened this issue Nov 13, 2024 · 2 comments
Labels
bug Something isn't working needs-investigation

Comments

@rafutek
Copy link

rafutek commented Nov 13, 2024

What happened:

I generated a filesystem SBOM with syft scan dir:/ -o cyclonedx-json=/tmp/syft-scan.json and checked generated JSON.

Multiple components were found for a unique linux image. Indeed, linux-kernel-cataloger and dpkg-db-cataloger both found a linux image/kernel component. I expected syft to generate only one, as my machine has only one linux image/kernel installed.

Secondly, the CPE of linux-kernel component is cpe:2.3:o:linux:linux_kernel:6.1.0-26-amd64:*:*:*:*:*:*:*, wich is not precise enough, patch version should be included. Otherwise, the component will be declared as affected by a lot of CVEs fixed by previous patches.
Also, the CPE of linux-image component is cpe:2.3:a:linux-image-6.1.0-26-amd64:linux-image-6.1.0-26-amd64:6.1.112-1:*:*:*:*:*:*:*, which was generated by syft and is not known by any CVE database.

I expected the CPE of those components to be more like cpe:2.3:o:linux:linux_kernel:6.1.112:*:*:*:*:*:*:* (as found in NVD).

As linux kernel/image is a basic component to check CVEs for, I imagine not beeing the first one with those issues. Maybe am I doing something wrong ?

Environment:

  • Output of syft version: syft 1.16.0
  • OS (e.g: cat /etc/os-release or similar):
root@qa-test-bis:~# cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
@rafutek rafutek added the bug Something isn't working label Nov 13, 2024
@spiffcs
Copy link
Contributor

spiffcs commented Nov 20, 2024

Thanks for the issue @rafutek. I've added a needs investigation so we can take a look at the CPE being generated here and how they could be more precise.

The question I have currently is you said: "Multiple components were found for a unique linux image. Indeed, linux-kernel-cataloger and dpkg-db-cataloger both found a linux image/kernel component."

Do you have the details for these packages from the SBOM?
Are they semantically the same packages with the exact same locations discovered by two different catalogers?
Were there any noticeable differences in the evidence discovered between the two that would stand out as to why they were not deduplicated?

@cedrictemple
Copy link

cedrictemple commented Nov 21, 2024

Hi @spiffcs,

I work with @rafutek, here are the answers.

Do you have the details for these packages from the SBOM?

Yes, the CPE are coming from the SBOM. Do you want we copy/paste the SBOM concerning this packages.

Are they semantically the same packages with the exact same locations discovered by two different catalogers?

Yes, they are the same packages. But they are named differently by the different catalogers. For example on a Debian 12 server, we have :

root@debian-v12-minimale:~# dpkg -l | grep linux-image
ii  linux-image-6.1.0-18-amd64        6.1.76-1                            amd64        Linux 6.1 for 64-bit PCs (signed)
ii  linux-image-6.1.0-27-amd64        6.1.115-1                           amd64        Linux 6.1 for 64-bit PCs (signed)
ii  linux-image-amd64                 6.1.115-1                           amd64        Linux for 64-bit PCs (meta-package)

Then, when we launch syft :

root@debian-v12-minimale:~# ./bin/syft scan dir:/ -o cyclonedx-json=cyclonedx-json-all-cataloger.json

When we check the name of each package :

root@debian-v12-minimale:~# jq '.' cyclonedx-json-all-cataloger.json | grep name | grep linux
      "name": "binder_linux",
      "name": "binder_linux",
      "name": "console-setup-linux",
      "name": "firmware-linux-free",
      "name": "github.com/opencontainers/selinux",
      "name": "libselinux1",
      "name": "linux-base",
      "name": "linux-image-6.1.0-18-amd64",
      "name": "linux-image-6.1.0-27-amd64",
      "name": "linux-image-amd64",
      "name": "linux-kernel",
      "name": "linux-kernel",
      "name": "util-linux",
      "name": "util-linux-extra",
      "name": "util-linux-locales",

As you can see, we have packages named "linux-image-VERSION" and "linux-kernel".

When we check the details of each package :

root@debian-v12-minimale:~# jq '.components[] | select(.name=="linux-kernel" or .name=="linux-image-6.1.0-18-amd64" or .name=="linux-image-6.1.0-27-amd64")' cyclonedx-json-all-cataloger.json
{
  "bom-ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-12&package-id=94a623dde6815c1a&upstream=linux-signed-amd64%406.1.76%2B1",
  "type": "library",
  "publisher": "Debian Kernel Team <[email protected]>",
  "name": "linux-image-6.1.0-18-amd64",
  "version": "6.1.76-1",
  "licenses": [
    {
      "license": {
        "id": "BSD-2-Clause"
      }
    },
    {
      "license": {
        "id": "GPL-2.0-only"
      }
    },
    {
      "license": {
        "id": "LGPL-2.1-only"
      }
    },
    {
      "license": {
        "name": "CRYPTOGAMS"
      }
    },
    {
      "license": {
        "name": "GPL-2+-or-X11"
      }
    },
    {
      "license": {
        "name": "Unicode-data"
      }
    },
    {
      "license": {
        "name": "Xen-interface"
      }
    }
  ],
  "cpe": "cpe:2.3:a:linux-image-6.1.0-18-amd64:linux-image-6.1.0-18-amd64:6.1.76-1:*:*:*:*:*:*:*",
  "purl": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-12&upstream=linux-signed-amd64%406.1.76%2B1",
  "properties": [
    {
      "name": "syft:package:foundBy",
      "value": "dpkg-db-cataloger"
    },
    {
      "name": "syft:package:type",
      "value": "deb"
    },
    {
      "name": "syft:package:metadataType",
      "value": "dpkg-db-entry"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux-image-6.1.0-18-amd64:linux_image_6.1.0_18_amd64:6.1.76-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux_image_6.1.0_18_amd64:linux-image-6.1.0-18-amd64:6.1.76-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux_image_6.1.0_18_amd64:linux_image_6.1.0_18_amd64:6.1.76-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux-image-6.1.0-18:linux-image-6.1.0-18-amd64:6.1.76-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux-image-6.1.0-18:linux_image_6.1.0_18_amd64:6.1.76-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux_image_6.1.0_18:linux-image-6.1.0-18-amd64:6.1.76-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux_image_6.1.0_18:linux_image_6.1.0_18_amd64:6.1.76-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux-image-6.1.0:linux-image-6.1.0-18-amd64:6.1.76-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux-image-6.1.0:linux_image_6.1.0_18_amd64:6.1.76-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux_image_6.1.0:linux-image-6.1.0-18-amd64:6.1.76-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux_image_6.1.0:linux_image_6.1.0_18_amd64:6.1.76-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux-image:linux-image-6.1.0-18-amd64:6.1.76-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux-image:linux_image_6.1.0_18_amd64:6.1.76-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux_image:linux-image-6.1.0-18-amd64:6.1.76-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux_image:linux_image_6.1.0_18_amd64:6.1.76-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux:linux-image-6.1.0-18-amd64:6.1.76-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux:linux_image_6.1.0_18_amd64:6.1.76-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:location:0:path",
      "value": "usr/share/doc/linux-image-6.1.0-18-amd64/copyright"
    },
    {
      "name": "syft:location:1:path",
      "value": "var/lib/dpkg/info/linux-image-6.1.0-18-amd64.md5sums"
    },
    {
      "name": "syft:location:2:path",
      "value": "var/lib/dpkg/status"
    },
    {
      "name": "syft:metadata:installedSize",
      "value": "398601"
    },
    {
      "name": "syft:metadata:source",
      "value": "linux-signed-amd64"
    },
    {
      "name": "syft:metadata:sourceVersion",
      "value": "6.1.76+1"
    }
  ]
}
{
  "bom-ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-12&package-id=4d244ec512a2765d&upstream=linux-signed-amd64%406.1.115%2B1",
  "type": "library",
  "publisher": "Debian Kernel Team <[email protected]>",
  "name": "linux-image-6.1.0-27-amd64",
  "version": "6.1.115-1",
  "licenses": [
    {
      "license": {
        "id": "BSD-2-Clause"
      }
    },
    {
      "license": {
        "id": "GPL-2.0-only"
      }
    },
    {
      "license": {
        "id": "LGPL-2.1-only"
      }
    },
    {
      "license": {
        "name": "CRYPTOGAMS"
      }
    },
    {
      "license": {
        "name": "GPL-2+-or-X11"
      }
    },
    {
      "license": {
        "name": "Unicode-data"
      }
    },
    {
      "license": {
        "name": "Xen-interface"
      }
    }
  ],
  "cpe": "cpe:2.3:a:linux-image-6.1.0-27-amd64:linux-image-6.1.0-27-amd64:6.1.115-1:*:*:*:*:*:*:*",
  "purl": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-12&upstream=linux-signed-amd64%406.1.115%2B1",
  "properties": [
    {
      "name": "syft:package:foundBy",
      "value": "dpkg-db-cataloger"
    },
    {
      "name": "syft:package:type",
      "value": "deb"
    },
    {
      "name": "syft:package:metadataType",
      "value": "dpkg-db-entry"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux-image-6.1.0-27-amd64:linux_image_6.1.0_27_amd64:6.1.115-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux_image_6.1.0_27_amd64:linux-image-6.1.0-27-amd64:6.1.115-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux_image_6.1.0_27_amd64:linux_image_6.1.0_27_amd64:6.1.115-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux-image-6.1.0-27:linux-image-6.1.0-27-amd64:6.1.115-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux-image-6.1.0-27:linux_image_6.1.0_27_amd64:6.1.115-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux_image_6.1.0_27:linux-image-6.1.0-27-amd64:6.1.115-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux_image_6.1.0_27:linux_image_6.1.0_27_amd64:6.1.115-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux-image-6.1.0:linux-image-6.1.0-27-amd64:6.1.115-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux-image-6.1.0:linux_image_6.1.0_27_amd64:6.1.115-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux_image_6.1.0:linux-image-6.1.0-27-amd64:6.1.115-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux_image_6.1.0:linux_image_6.1.0_27_amd64:6.1.115-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux-image:linux-image-6.1.0-27-amd64:6.1.115-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux-image:linux_image_6.1.0_27_amd64:6.1.115-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux_image:linux-image-6.1.0-27-amd64:6.1.115-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux_image:linux_image_6.1.0_27_amd64:6.1.115-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux:linux-image-6.1.0-27-amd64:6.1.115-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:linux:linux_image_6.1.0_27_amd64:6.1.115-1:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:location:0:path",
      "value": "usr/share/doc/linux-image-6.1.0-27-amd64/copyright"
    },
    {
      "name": "syft:location:1:path",
      "value": "var/lib/dpkg/info/linux-image-6.1.0-27-amd64.md5sums"
    },
    {
      "name": "syft:location:2:path",
      "value": "var/lib/dpkg/status"
    },
    {
      "name": "syft:metadata:installedSize",
      "value": "398888"
    },
    {
      "name": "syft:metadata:source",
      "value": "linux-signed-amd64"
    },
    {
      "name": "syft:metadata:sourceVersion",
      "value": "6.1.115+1"
    }
  ]
}
{
  "bom-ref": "pkg:generic/[email protected]?package-id=5c4888f5da6b1d85",
  "type": "library",
  "name": "linux-kernel",
  "version": "6.1.0-18-amd64",
  "cpe": "cpe:2.3:o:linux:linux_kernel:6.1.0-18-amd64:*:*:*:*:*:*:*",
  "purl": "pkg:generic/[email protected]",
  "properties": [
    {
      "name": "syft:package:foundBy",
      "value": "linux-kernel-cataloger"
    },
    {
      "name": "syft:package:type",
      "value": "linux-kernel"
    },
    {
      "name": "syft:package:metadataType",
      "value": "linux-kernel-archive"
    },
    {
      "name": "syft:location:0:path",
      "value": "boot/vmlinuz-6.1.0-18-amd64"
    },
    {
      "name": "syft:metadata:architecture",
      "value": "x86"
    },
    {
      "name": "syft:metadata:extendedVersion",
      "value": "6.1.0-18-amd64 ([email protected]) #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01)"
    },
    {
      "name": "syft:metadata:format",
      "value": "bzImage"
    },
    {
      "name": "syft:metadata:rootDevice",
      "value": "0"
    },
    {
      "name": "syft:metadata:rwRootFS",
      "value": "false"
    },
    {
      "name": "syft:metadata:swapDevice",
      "value": "0"
    },
    {
      "name": "syft:metadata:version",
      "value": "6.1.0-18-amd64"
    },
    {
      "name": "syft:metadata:videoMode",
      "value": "Video mode 65535"
    }
  ]
}
{
  "bom-ref": "pkg:generic/[email protected]?package-id=d11978474b8cd10a",
  "type": "library",
  "name": "linux-kernel",
  "version": "6.1.0-27-amd64",
  "cpe": "cpe:2.3:o:linux:linux_kernel:6.1.0-27-amd64:*:*:*:*:*:*:*",
  "purl": "pkg:generic/[email protected]",
  "properties": [
    {
      "name": "syft:package:foundBy",
      "value": "linux-kernel-cataloger"
    },
    {
      "name": "syft:package:type",
      "value": "linux-kernel"
    },
    {
      "name": "syft:package:metadataType",
      "value": "linux-kernel-archive"
    },
    {
      "name": "syft:location:0:path",
      "value": "boot/vmlinuz-6.1.0-27-amd64"
    },
    {
      "name": "syft:location:1:path",
      "value": "boot/vmlinuz-6.1.0-27-amd64"
    },
    {
      "name": "syft:metadata:architecture",
      "value": "x86"
    },
    {
      "name": "syft:metadata:extendedVersion",
      "value": "6.1.0-27-amd64 ([email protected]) #1 SMP PREEMPT_DYNAMIC Debian 6.1.115-1 (2024-11-01)"
    },
    {
      "name": "syft:metadata:format",
      "value": "bzImage"
    },
    {
      "name": "syft:metadata:rootDevice",
      "value": "0"
    },
    {
      "name": "syft:metadata:rwRootFS",
      "value": "false"
    },
    {
      "name": "syft:metadata:swapDevice",
      "value": "0"
    },
    {
      "name": "syft:metadata:version",
      "value": "6.1.0-27-amd64"
    },
    {
      "name": "syft:metadata:videoMode",
      "value": "Video mode 65535"
    }
  ]
}

You can see that :

  1. linux-kernel and linux-image-VERSION are the same
  2. version of linux-kernel are not good one
  3. CPE of linux-image-VERSION are not good : I've tested each one on NVD search page but none worked
  4. linux-kernel's CPE worked but as they are not in the good version, CVEs are detected

Hope it's clear (and not too verbose)

Bests.

@willmurphyscode willmurphyscode moved this to Backlog in OSS Nov 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working needs-investigation
Projects
Status: Backlog
Development

No branches or pull requests

3 participants