Grype failed to find vulnerabilities on a vulnerable image #1176

Closed
FrimIdan opened this issue Mar 14, 2023 · 8 comments
Labels: bug (Something isn't working), changelog-ignore (Don't include this issue in the release changelog)

Comments

@FrimIdan

What happened:

Trying to scan goodwithtech/test-image:v1 with grype gives no vulnerabilities, while with another scanner there are lots of vulnerabilities.

$ grype --add-cpes-if-none goodwithtech/test-image:v1
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [139 packages]
 ✔ Scanning image...       [0 vulnerabilities]
   ├── 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── 0 fixed

No vulnerabilities found
$ trivy image --scanners vuln goodwithtech/test-image:v1
2023-03-14T09:17:38.231+0200	INFO	Vulnerability scanning is enabled
2023-03-14T09:17:43.076+0200	INFO	Detected OS: debian
2023-03-14T09:17:43.076+0200	INFO	Detecting Debian vulnerabilities...
2023-03-14T09:17:43.093+0200	INFO	Number of language-specific files: 0
2023-03-14T09:17:43.111+0200	WARN	This OS version is no longer supported by the distribution: debian 9.9
2023-03-14T09:17:43.111+0200	WARN	The vulnerability detection may be insufficient because security updates are not provided

goodwithtech/test-image:v1 (debian 9.9)

Total: 607 (UNKNOWN: 10, LOW: 210, MEDIUM: 111, HIGH: 214, CRITICAL: 62)

What you expected to happen:

Grype should find vulnerabilities in the given image.

How to reproduce it (as minimally and precisely as possible):

Run grype --add-cpes-if-none goodwithtech/test-image:v1

Anything else we need to know?:

Environment:

  • Output of grype version:
$ grype version
Application:          grype
Version:              0.59.1
Syft Version:         v0.74.1
BuildDate:            2023-03-09T14:57:12Z
GitCommit:            29b646568901d1ef48a528cf35f67f3cead49c9f
GitDescription:       v0.59.1
Platform:             darwin/amd64
GoVersion:            go1.19.6
Compiler:             gc
Supported DB Schema:  5
  • Output of trivy version:
$ trivy version
Version: 0.38.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-03-14 06:07:34.121991728 +0000 UTC
  NextUpdate: 2023-03-14 12:07:34.121991328 +0000 UTC
  DownloadedAt: 2023-03-14 07:10:42.618736 +0000 UTC
  • OS (e.g: cat /etc/os-release or similar): MacOS
FrimIdan added the bug label on Mar 14, 2023
@FrimIdan
Author

Attached the full report from trivy
trivy-output.txt

@Dungeon1

Same trouble. Try "docker pull vulnerables/web-dvwa" and scan

wagoodman self-assigned this on Mar 14, 2023
@wagoodman
Contributor

Thanks for reporting, we switched over to a new data sync mechanism at the end of last week. The vulnerability data in question (debian 9) hasn't been available from the original upstream source for a while, so we've been leveraging a cache from the last time it had been available. I'll make certain this cache is loaded up into the new data sync approach.

@adamcohen2

adamcohen2 commented Mar 14, 2023

We've run into this same issue, documented here. grype-db archives after 2023-03-09 08:14:51 +0000 seem to be missing vulnerabilities for debian <=9. If you use the 2023-03-09 08:14:51 +0000 or earlier databases, the vulnerabilities will show up as expected:

$ grype db delete

# get a list of available databases
$ grype db list

# import an older db
$ wget https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v5_2023-03-09T08:14:51Z_f6815787ba273ac6bcd2.tar.gz
grype db import vulnerability-db_v5_2023-03-09T08:14:51Z_f6815787ba273ac6bcd2.tar.gz

# run a scan
$ GRYPE_DB_VALIDATE_AGE=false GRYPE_DB_AUTO_UPDATE=false grype goodwithtech/test-image:v1

 ✔ Scanning image...       [527 vulnerabilities]
   ├── 50 critical, 167 high, 88 medium, 70 low, 137 negligible (15 unknown)
   └── 212 fixed

# try again with latest db
$ grype goodwithtech/test-image:v1
 ✔ Vulnerability DB        [updated]
New version of grype is available: 0.59.1 (currently running: 0.59.0)
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [139 packages]
 ✔ Scanning image...       [0 vulnerabilities]
   ├── 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── 0 fixed

No vulnerabilities found
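A CI canary check built around grype's progress summary, added here as an example and not code from the grype project: it parses the package and vulnerability counts from summary lines like those quoted in this thread and flags a run where packages were cataloged but findings dropped to zero, which is the silent failure this issue is about. The two sample outputs are constructed from the lines in this issue, and the thresholds passed to `canary_check` are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed samples modelled on the grype summaries quoted in this issue:
# the older DB (527 findings) versus the regressed DB (0 findings).
GOOD_DB_RUN = """\
 ✔ Vulnerability DB        [no update available]
 ✔ Cataloged packages      [139 packages]
 ✔ Scanning image...       [527 vulnerabilities]
   ├── 50 critical, 167 high, 88 medium, 70 low, 137 negligible (15 unknown)
   └── 212 fixed
"""
BAD_DB_RUN = """\
 ✔ Vulnerability DB        [updated]
 ✔ Cataloged packages      [139 packages]
 ✔ Scanning image...       [0 vulnerabilities]
   ├── 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── 0 fixed
"""

PKG_RE = re.compile(r"\[(\d+) packages\]")
VULN_RE = re.compile(r"\[(\d+) vulnerabilities\]")
SEV_RE = re.compile(r"(\d+) (critical|high|medium|low|negligible)")


@dataclass
class ScanSummary:
    packages: int
    vulnerabilities: int
    by_severity: Dict[str, int] = field(default_factory=dict)


def parse_summary(text: str) -> ScanSummary:
    """Extract the counts grype prints in its progress summary."""
    pkgs, vulns = PKG_RE.search(text), VULN_RE.search(text)
    if not pkgs or not vulns:
        raise ValueError("not a grype progress summary")
    sev = {name: int(n) for n, name in SEV_RE.findall(text)}
    return ScanSummary(int(pkgs.group(1)), int(vulns.group(1)), sev)


def canary_check(s: ScanSummary, min_packages: int, min_vulns: int) -> List[str]:
    """Return problems found when scanning a known-vulnerable canary image.
    An empty list means the scanner and its DB still behave as expected."""
    problems = []
    if s.packages < min_packages:  # cataloging (syft side) regressed
        problems.append(f"cataloged {s.packages} packages, expected >= {min_packages}")
    elif s.vulnerabilities == 0:  # packages seen, nothing matched: DB/matcher regression
        problems.append("packages cataloged but zero findings: suspect the vulnerability DB")
    elif s.vulnerabilities < min_vulns:
        problems.append(f"found {s.vulnerabilities} vulnerabilities, expected >= {min_vulns}")
    return problems
```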

@Dungeon1

This grype works with the old DB. Waiting for the patched DB.

@wagoodman
Contributor

An update: The PR for the fix is in (currently in a closed source repo unfortunately, but that will change soon). Once merged we'll re-run the data sync and DB builds for today. There will be a time window where the CDN cache won't see the update; however, I'll make certain to drop the direct DB URL here for folks that are keen on using the fixed DB ASAP.

@wagoodman
Contributor

wagoodman commented Mar 14, 2023

@FrimIdan @Dungeon1 Once the CDN cache is refreshed you should see the updated DB with grype db update.

For the meantime here's the updated DB link directly in case you wanted to use it ASAP:

❯ curl -O https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v5_2023-03-14T16:24:18Z_c23c0ab1b66959698b18.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  111M  100  111M    0     0  14.5M      0  0:00:07  0:00:07 --:--:-- 16.0M

❯ grype db import ./vulnerability-db_v5_2023-03-14T16:24:18Z_c23c0ab1b66959698b18.tar.gz
Vulnerability database imported

❯ grype vulnerables/web-dvwa:latest > /dev/null
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [216 packages]
 ✔ Scanned image           [2103 vulnerabilities]

...

I'll close this issue once I can see grype db update succeed.

@wagoodman
Contributor

Ok, I've confirmed that the latest DB update works with the full grype db update workflow. I'll close this as completed, however, shout out if you see otherwise!
