False positives CVE-2021-27478 CVE-2021-27482 CVE-2021-27498 CVE-2021-27500 EIPStackGroup OpENer EtherNet/IP project matching npm opener package #932

Closed
fouadh opened this issue Sep 22, 2022 · 3 comments
Labels: bug (Something isn't working), changelog-ignore (Don't include this issue in the release changelog), false-positive

Comments


fouadh commented Sep 22, 2022

What happened:
We have opener in our dependencies. When scanning our repository we get false positive on EIPStackGroup OpENer EtherNet/IP project.

NAME    INSTALLED  FIXED-IN  TYPE  VULNERABILITY   SEVERITY 
opener  1.5.2                npm   CVE-2021-27478  High      
opener  1.5.2                npm   CVE-2021-27482  High      
opener  1.5.2                npm   CVE-2021-27498  High      
opener  1.5.2                npm   CVE-2021-27500  High 

What you expected to happen:
I expect npm opener package not to match CVEs against "EIPStackGroup OpENer EtherNet/IP" project.

How to reproduce it (as minimally and precisely as possible):

mkdir sandbox
cd sandbox
npm init
npm install opener
grype dir:.

Anything else we need to know?:

Environment:

  • Output of grype version:
Application:          grype
Version:              0.50.1
Syft Version:         v0.56.0
BuildDate:            2022-09-13T18:32:52Z
GitCommit:            403a535321c20565676dc633344e2bf8881cee29
GitDescription:       v0.50.1
Platform:             darwin/amd64
GoVersion:            go1.18.5
Compiler:             gc
Supported DB Schema:  4
  • OS (e.g: cat /etc/os-release or similar):
System Software Overview:
      System Version: macOS 12.4 (21F79)
      Kernel Version: Darwin 21.5.0
      Boot Volume: Macintosh HD
fouadh added the bug label Sep 22, 2022

OfriOuzan commented Oct 2, 2022

We encountered the same issue in the following environment.
What happened:
In a vulnerability scanner benchmark research we are conducting, we executed Grype on 20 different containers and found out that Grype has multiple false positives.
What you expected to happen:
We expected Grype not to report on these CVEs.
How to reproduce it (as minimally and precisely as possible):
Install the Docker images (from the links below) and execute Grype using the following command:
grype <container_name> --output json > <output_file_path>


goto-bus-stop commented May 8, 2023

I've got a few false reports from users on the events npm package. The actual CVE is on a completely unrelated PHP project. browserify/events#88 browserify/events#90
Seems like the same problem, where a similar name and version is detected in the wrong ecosystem.

willmurphyscode added the changelog-ignore label Sep 15, 2023
willmurphyscode self-assigned this Sep 15, 2023
@willmurphyscode

I believe this was fixed by the switch to GHSA as the source of matches against npm packages (as opposed to using CPEs from NVD).

Test steps:

Setup:

mkdir -p /tmp/test-grype932 && cd /tmp/test-grype932 && npm init -y && npm i opener

Test:

❯ grype dir:.
No vulnerabilities found

I'm closing this as having been fixed by intermediate work, but please let us know if we've missed something.
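To show why moving from name-based CPE matching to ecosystem-scoped (GHSA-style) advisories removes this class of false positive, here is an added Python example; it is not Grype's code and not part of this thread. The CPE and advisory records are constructed for the example (vendor/product strings are guessed from the project name above, the CVE ids are the four reported in the issue), and the two matchers are deliberately simplified, not Grype's actual algorithm.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Package:
    name: str
    version: str
    ecosystem: str  # package type as the scanner records it, e.g. "npm"

# Constructed NVD-style records: (CPE 2.3 string, CVE id). The vendor/product
# strings are assumed from the project name in the issue, not copied from NVD;
# the CVE ids are the four reported in the issue.
NVD_CPE_RECORDS = [
    ("cpe:2.3:a:eipstackgroup:opener:*:*:*:*:*:*:*:*", "CVE-2021-27478"),
    ("cpe:2.3:a:eipstackgroup:opener:*:*:*:*:*:*:*:*", "CVE-2021-27482"),
    ("cpe:2.3:a:eipstackgroup:opener:*:*:*:*:*:*:*:*", "CVE-2021-27498"),
    ("cpe:2.3:a:eipstackgroup:opener:*:*:*:*:*:*:*:*", "CVE-2021-27500"),
]

# Constructed GHSA-style records: every advisory names its ecosystem.
GHSA_RECORDS = [
    {"id": "GHSA-EXAMPLE-0001", "ecosystem": "npm",
     "package": "some-other-pkg", "versions": {"1.0.0"}},
]

CPE_FIELDS = ["prefix", "cpe_version", "part", "vendor", "product", "version",
              "update", "edition", "language", "sw_edition", "target_sw",
              "target_hw", "other"]

def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 13 named fields."""
    return dict(zip(CPE_FIELDS, cpe.split(":")))

def match_by_cpe(pkg: Package, records) -> list:
    """Name-based CPE matching: product name equality with no ecosystem
    check. This is the behaviour behind the false positives in the issue."""
    hits = []
    for cpe, cve in records:
        c = parse_cpe(cpe)
        if c["product"].lower() == pkg.name.lower() and c["version"] in ("*", pkg.version):
            hits.append(cve)
    return hits

def match_by_ecosystem(pkg: Package, records) -> list:
    """Ecosystem-scoped matching: an advisory applies only if it names the
    package's ecosystem, so an advisory for a C project cannot hit npm."""
    return [r["id"] for r in records
            if r["ecosystem"] == pkg.ecosystem and r["package"] == pkg.name
            and pkg.version in r["versions"]]
```

Matching `Package("opener", "1.5.2", "npm")` with `match_by_cpe` returns all four CVE ids from the issue, while `match_by_ecosystem` returns nothing, because no npm-scoped advisory names the package.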
