grype db search GHSA-mrrh-fwg8-r2c3 doesn't return results #2530

Open
TimBrown1611 opened this issue Mar 16, 2025 · 4 comments
Labels
bug Something isn't working needs-discussion

Comments

@TimBrown1611

What happened:
Yesterday I saw this vulnerability was published: GHSA-mrrh-fwg8-r2c3
I've tried to run grype db search GHSA-mrrh-fwg8-r2c3 with no results.
I have a few questions:

  1. At what time does the job of syncing the new vulnerabilities run?
  2. Do we cover malicious vulnerabilities from GitHub Advisory?
  3. Why, when I run grype db search, didn't I see any action of downloading the newest version of the db? (I manually ran grype db update.)

What you expected to happen:

  1. Find the vulnerability
  2. Run grype db update automatically before grype db search

How to reproduce it (as minimally and precisely as possible):
grype db search GHSA-mrrh-fwg8-r2c3

Anything else we need to know?:

Environment:

  • Output of grype version: 0.89.1
  • OS (e.g: cat /etc/os-release or similar): mac
TimBrown1611 added the bug label on Mar 16, 2025
@kzantow
Contributor

kzantow commented Mar 16, 2025

Can confirm db search returns no results and this does not appear in the database. I believe this is due to grype not matching vulnerabilities from this ecosystem (note there is no mention of GH Actions in the supported ecosystems). The data sync log says it drops ACTIONS as an unmapped/unsupported ecosystem. This issue might be a good driver to implement matching for GH Actions! Although I think GH has already blocked it, so there won't be further malicious action runs, this would be a great one to surface to people!

@TimBrown1611
Author

I think this issue is a good example of how important it is to cover GitHub Actions, since it is becoming a popular supply chain attack vector. I think the main issue is how we can map between vulnerable commits / versions, since the advisory doesn't always specify it. I suggest raising it in the next community OSS discussion, since this is a major issue which grype can't cover right now :) @kzantow

@kzantow
Contributor

kzantow commented Mar 20, 2025

We had a discussion about this, I just wanted to note a complication here: Grype normally does version matching based on version ranges, but a common/best practice in GitHub Actions is to use a SHA to pin the action to a commit, rather than a version. For these cases we wouldn't have a great way to identify a vulnerable version without some supplemental data: either something in the grype db or somehow looked up against the GH API, either in Syft or Grype.

@kzantow
Contributor

kzantow commented Mar 31, 2025

A little investigation: we may be able to parse the version from a comment, investigation needed: https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/githubactions/parse_workflow.go#L56
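To make the two comments above concrete, here is an added Go example (not syft's or grype's code, and not the parse_workflow.go logic linked above). It scans a constructed workflow snippet for `uses:` references, recovers a version from a tag when one is present, falls back to a trailing `# vX.Y.Z` pin comment when the action is pinned to a commit SHA, and reports "unknown-version" when neither is available, which is exactly the case where supplemental data would be needed. The functions `ParseUses`, `ParseWorkflow`, `versionLess` and `Evaluate`, the action name `example-org/example-action`, the SHA, and the "fixed in 3.0.0" rule are all hypothetical placeholders constructed for this example, not data from the advisory in this issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// ActionRef is one `uses:` reference found in a workflow file.
type ActionRef struct {
	Name        string // e.g. "actions/checkout"
	Ref         string // text after '@': a tag, a branch, or a commit SHA
	IsSHA       bool   // true when Ref is a full 40-hex commit SHA
	Version     string // dotted version usable for range matching; "" when unknown
	FromComment bool   // true when Version came from a trailing "# vX.Y.Z" comment
}

var (
	// `- uses: owner/repo@ref`, optionally followed by `# comment`; quotes around the value are tolerated.
	usesRe    = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^@\s"']+)@([^\s"'#]+)["']?\s*(?:#\s*(.*))?$`)
	shaRe     = regexp.MustCompile(`^[0-9a-f]{40}$`)
	versionRe = regexp.MustCompile(`\bv?(\d+(?:\.\d+){0,2})\b`) // first token like v4, v4.1 or 4.1.1
)

// ParseUses parses one workflow line; ok is false for non-`uses:` lines and for local or docker:// references (no '@').
func ParseUses(line string) (ref ActionRef, ok bool) {
	m := usesRe.FindStringSubmatch(line)
	if m == nil {
		return ActionRef{}, false
	}
	ref = ActionRef{Name: m[1], Ref: m[2]}
	if shaRe.MatchString(ref.Ref) {
		ref.IsSHA = true
		// The SHA says nothing about the version; a trailing "# v2.4.0" comment is the only hint on this line.
		if vm := versionRe.FindStringSubmatch(m[3]); vm != nil {
			ref.Version, ref.FromComment = vm[1], true
		}
	} else if vm := versionRe.FindStringSubmatch(ref.Ref); vm != nil && vm[0] == ref.Ref {
		// A tag that is entirely a version (v4, v4.1.1) can be range-matched; "main" or suffixed tags stay unknown.
		ref.Version = vm[1]
	}
	return ref, true
}

// ParseWorkflow scans workflow YAML line by line; a full YAML parse is not needed to find `uses:` entries.
func ParseWorkflow(text string) []ActionRef {
	var refs []ActionRef
	for _, line := range strings.Split(text, "\n") {
		if r, ok := ParseUses(line); ok {
			refs = append(refs, r)
		}
	}
	return refs
}

// versionLess compares dotted numeric versions ("2.9" < "2.10.0"); missing components count as 0.
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	part := func(p []string, i int) int {
		if i >= len(p) {
			return 0
		}
		n, _ := strconv.Atoi(p[i])
		return n
	}
	for i := 0; i < len(as) || i < len(bs); i++ {
		if x, y := part(as, i), part(bs, i); x != y {
			return x < y
		}
	}
	return false
}

// Evaluate applies a constructed "vulnerable before fixedIn" rule; "unknown-version" means a SHA pin with no hint.
func Evaluate(ref ActionRef, action, fixedIn string) string {
	switch {
	case ref.Name != action:
		return "not-vulnerable"
	case ref.Version == "":
		return "unknown-version"
	case versionLess(ref.Version, fixedIn):
		return "vulnerable"
	}
	return "not-vulnerable"
}

// SampleWorkflow is constructed for this example; the action name and SHA are placeholders.
const SampleWorkflow = `steps:
  - uses: actions/checkout@v4
  - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v2.4.0
  - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
`

func main() {
	for _, r := range ParseWorkflow(SampleWorkflow) {
		fmt.Println(r.Name, r.Ref, r.Version, r.FromComment, "=>", Evaluate(r, "example-org/example-action", "3.0.0"))
	}
}
```

The third reference in the sample is the problem case from the thread: the same SHA as the second line, but without the pin comment, so the scanner has nothing to range-match and can only flag it as unknown rather than silently treating it as safe. A real matcher would also need to treat the version in a comment as a hint rather than ground truth, since nothing ties the comment to the commit it sits next to.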
