False Positive in Terraform binary: CVE-2018-9057 #1377
Comments
Hi @RothAndrew, thanks for the report and the detailed steps to reproduce! We will take a look at this one as soon as we can.
dev note: we could probably be filtering out this after we do the CPE search by looking at the package type vs the CPE target-software field to determine if the match is for the wrong ecosystem.
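The ecosystem check sketched in the dev note above, written here as an added example in Go (not Grype's own code): a CPE 2.3 field splitter plus a filter that drops a match whose target_sw names a different ecosystem than the cataloged package type, and keeps matches it cannot reason about. The ecosystemTargetSW table and the CPE strings are constructed for illustration.

```go
package main

import "strings"

// splitCPE splits a CPE 2.3 formatted string on unescaped colons (a "\:" inside a field stays put)
// and reports false unless the result has the 13 fields of a well-formed CPE 2.3 string.
func splitCPE(cpe string) ([]string, bool) {
	fields, cur, escaped := []string{}, strings.Builder{}, false
	for _, r := range cpe {
		if r == ':' && !escaped {
			fields = append(fields, cur.String())
			cur.Reset()
			continue
		}
		cur.WriteRune(r)
		escaped = r == '\\' && !escaped
	}
	fields = append(fields, cur.String())
	return fields, len(fields) == 13 && fields[0] == "cpe" && fields[1] == "2.3"
}

// ecosystemTargetSW lists, per package type, the target_sw values that belong to its ecosystem.
// Constructed table for this example; type names follow Grype's cataloger output (e.g. "go-module").
var ecosystemTargetSW = map[string][]string{
	"go-module": {"go", "golang"},
	"python":    {"python"},
}

// KeepCPEMatch reports (keep, wellFormed): wildcard/blank target_sw and unknown package types are kept (never drop what we cannot reason about); a target_sw from another ecosystem is rejected.
func KeepCPEMatch(pkgType, cpe string) (bool, bool) {
	fields, ok := splitCPE(cpe)
	if !ok {
		return false, false
	}
	targetSW := strings.ToLower(fields[10]) // field 10 of 13 is target_sw
	allowed, known := ecosystemTargetSW[pkgType]
	if !known || targetSW == "*" || targetSW == "-" || targetSW == "" {
		return true, true
	}
	for _, a := range allowed {
		if a == targetSW {
			return true, true
		}
	}
	return false, true
}

func main() { // the issue's case: a go-module against a constructed CPE with wildcard target_sw is kept
	keep, _ := KeepCPEMatch("go-module", "cpe:2.3:a:hashicorp:terraform:1.5.2:*:*:*:*:*:*:*")
	println(keep) // true
}
```

A wildcard target_sw carries no ecosystem information, so the filter only removes matches where the CPE explicitly names another ecosystem; version comparison still decides the rest.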
This no longer reproduces for me. Following test steps from the original post with This was most likely fixed by the switch from CVE to GHSA as the default matching source for Go vulnerabilities, which happened some time ago (hence the Please let me know if I've missed something.
What happened:
Grype reported that the version of Terraform in my container image was vulnerable to CVE-2018-9057. This is an old vulnerability in the AWS provider that was fixed after v1.12.0 of the AWS provider. Grype sees Terraform v1.5.2 and since 1.5.2 is less than 1.12.0 it reports the vulnerability, but Terraform and the Terraform AWS Provider are 2 completely separate binaries.
Here's the line from the grype report:
What you expected to happen:
This vuln is not reported since my container image does not have the Terraform AWS Provider installed (just Terraform itself)
How to reproduce it (as minimally and precisely as possible):
Here's a Dockerfile that demonstrates the issue. I use ASDF to install Terraform in my use case, though I would imagine that any method of installing Terraform will still result in the vulnerability being reported.
Anything else we need to know?:
Environment:
Output of grype version:
OS (e.g. cat /etc/os-release or similar):