
Grype false negatives in versions v0.88.0 and later leading to missed critical vulnerabilities #2628

@sschakraborty

Description


What happened

I installed two different versions of Grype - v0.87.0 and v0.91.2. I generated a minimalist test SBOM containing vulnerable artifacts. Grype 0.87.0 reports 3 critical and 2 high vulnerabilities whereas any later version (including the latest) does not report anything. This is true for all Grype versions using v6 DB schema.

What you expected to happen

All versions of Grype should produce consistent results and report all vulnerabilities.

How to reproduce it (as minimally and precisely as possible)

I used the following sbom.json file for testing both versions:

{
  "artifacts": [
    {
      "id": "pkg:maven/log4j/log4j@1.2.17",
      "name": "log4j",
      "version": "1.2.17",
      "language": "java",
      "purl": "pkg:maven/log4j/log4j@1.2.17",
      "locations": [
        {
          "path": "META-INF/maven/commons-logging/commons-logging/pom.xml"
        }
      ]
    }
  ],
  "source": {
    "type": "directory"
  },
  "schema": {
    "version": "16.0.9",
    "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-16.0.9.json"
  }
}

Using Grype v0.87.0:

$> curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin 'v0.87.0'
[info] checking github for release tag='v0.87.0' 
[info] fetching release script for tag='v0.87.0' 
[info] checking github for release tag='v0.87.0' 
[info] using release tag='v0.87.0' version='0.87.0' os='linux' arch='amd64' 
[info] installed /usr/local/bin/grype 
$> grype db update
 ✔ Vulnerability DB                [updated]  
Vulnerability database updated to latest version!

$> grype sbom:sbom.json --add-cpes-if-none
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]  
   ├── by severity: 3 critical, 2 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 5 not-fixed, 0 ignored 
NAME   INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY 
log4j  1.2.17                     GHSA-f7vh-qwp3-x37m  Critical  
log4j  1.2.17                     GHSA-65fg-84f6-3jq3  Critical  
log4j  1.2.17                     GHSA-2qrg-x229-3v8q  Critical  
log4j  1.2.17                     GHSA-w9p3-5cr8-m3jj  High      
log4j  1.2.17                     GHSA-fp5r-v3w9-4333  High
A newer version of grype is available for download: 0.91.2 (installed version is 0.87.0)

Using Grype v0.91.2:

$> curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin 'v0.91.2'
[info] checking github for release tag='v0.91.2' 
[info] fetching release script for tag='v0.91.2' 
[info] checking github for release tag='v0.91.2' 
[info] using release tag='v0.91.2' version='0.91.2' os='linux' arch='amd64' 
[info] installed /usr/local/bin/grype
$> grype db update
 ✔ Vulnerability DB                [updated]  
Vulnerability database updated to latest version!

$> grype sbom:sbom.json --add-cpes-if-none
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]  
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored 
No vulnerabilities found

Anything else we need to know?:
This has been happening since the release of v0.88.0, which made a shift to v6 of the database schema.

Environment:

  • Versions tested: v0.87.0 and v0.91.2
  • OS (e.g: cat /etc/os-release or similar): Alpine Linux v3.21.3
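To catch this kind of regression systematically, the check below diffs the JSON reports (`grype -o json`) of a baseline and a candidate Grype binary run against the same SBOM and lists every finding the candidate dropped. It is an added example, not code from Grype or from this report; the two binary paths in the usage section are assumptions, and the report structure relied on is Grype's documented JSON output (top-level `matches`, each with `vulnerability` and `artifact`).

```python
"""Flag vulnerabilities reported by a baseline Grype version but missing
from a candidate version for the same SBOM (cross-version consistency check).
Added example; not part of Grype."""
import json
import subprocess

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "negligible": 0}


def match_keys(report: dict) -> dict:
    """Map (package name, version, vulnerability id) -> severity for each match.
    Grype JSON output carries a top-level 'matches' list; each entry has a
    'vulnerability' (id, severity) and an 'artifact' (name, version)."""
    keys = {}
    for m in report.get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        sev = vuln.get("severity", "unknown").lower()
        keys[(art["name"], art["version"], vuln["id"])] = sev
    return keys


def missing_matches(baseline: dict, candidate: dict, min_severity: str = "high") -> list:
    """Return baseline findings absent from the candidate, highest severity first.
    Only findings at or above min_severity count as regressions."""
    threshold = SEVERITY_RANK[min_severity]
    base, cand = match_keys(baseline), match_keys(candidate)
    dropped = [(k, sev) for k, sev in base.items()
               if k not in cand and SEVERITY_RANK.get(sev, -1) >= threshold]
    return sorted(dropped, key=lambda item: -SEVERITY_RANK.get(item[1], -1))


def run_grype(binary: str, sbom_path: str) -> dict:
    """Run one grype binary on an SBOM and parse its JSON report.
    Assumes the binary and SBOM exist; the offline test does not call this."""
    proc = subprocess.run(
        [binary, f"sbom:{sbom_path}", "-o", "json", "--add-cpes-if-none"],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # Assumed layout: two grype versions installed side by side under distinct names.
    old = run_grype("/usr/local/bin/grype-0.87.0", "sbom.json")
    new = run_grype("/usr/local/bin/grype-0.91.2", "sbom.json")
    for (name, version, vuln_id), sev in missing_matches(old, new):
        print(f"REGRESSION: {name}@{version} {vuln_id} ({sev}) missing from candidate")
```

Running it as a CI gate before adopting a new scanner release turns a silent false negative like the one above into a failed job.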

Labels: bug (Something isn't working)
Status: Done
Milestone: none