False Positive in Terraform binary: CVE-2018-9057 #1377

Closed
RothAndrew opened this issue Jul 5, 2023 · 3 comments

Labels:

  • bug: Something isn't working
  • changelog-ignore: Don't include this issue in the release changelog
  • false-positive:cpe: This issue is a report of a false positive cause by CPE matching

@RothAndrew

What happened:

Grype reported that the version of Terraform in my container image was vulnerable to CVE-2018-9057. This is an old vulnerability in the AWS provider that was fixed after v1.12.0 of the AWS provider. Grype sees Terraform v1.5.2 and since 1.5.2 is less than 1.12.0 it reports the vulnerability, but Terraform and the Terraform AWS Provider are 2 completely separate binaries.

Here's the line from the grype report:

NAME                            INSTALLED                              FIXED-IN                             TYPE       VULNERABILITY        SEVERITY 
github.com/hashicorp/terraform  v1.5.2                                                                      go-module  CVE-2018-9057        Critical

What you expected to happen:

This vuln is not reported since my container image does not have the Terraform AWS Provider installed (just Terraform itself)

How to reproduce it (as minimally and precisely as possible):

  1. Create a Dockerfile that installs the latest version of Terraform and build the image
  2. Run Grype on the image

Here's a Dockerfile that demonstrates the issue. I use ASDF to install Terraform in my use case, though I would imagine that any method of installing Terraform will still result in the vulnerability being reported.

```dockerfile
FROM rockylinux:9

RUN dnf install -y --refresh \
    git \
    unzip \
  && dnf clean all \
  && rm -rf /var/cache/yum/

# Install asdf. Get versions from https://github.com/asdf-vm/asdf/releases
ENV ASDF_VERSION=0.12.0
RUN git clone https://github.com/asdf-vm/asdf.git --branch v${ASDF_VERSION} --depth 1 "${HOME}/.asdf" \
  && echo -e '\nsource $HOME/.asdf/asdf.sh' >> "${HOME}/.bashrc" \
  && echo -e '\nsource $HOME/.asdf/asdf.sh' >> "${HOME}/.profile" \
  && source "${HOME}/.asdf/asdf.sh"
ENV PATH="/root/.asdf/shims:/root/.asdf/bin:${PATH}"

RUN asdf plugin add terraform

RUN asdf install terraform 1.5.2

CMD ["/bin/bash"]
```

```sh
docker build . -t testimage
grype testimage
```

Anything else we need to know?:

Environment:

  • Output of grype version:
Application:          grype
Version:              0.63.1
Syft Version:         v0.84.1
BuildDate:            2023-06-30T15:49:26Z
GitCommit:            ecf9e65b951aed43098f0e5da4441a7e17f190af
GitDescription:       v0.63.1
Platform:             darwin/amd64
GoVersion:            go1.19.10
Compiler:             gc
Supported DB Schema:  5
  • OS (e.g: cat /etc/os-release or similar):


@RothAndrew RothAndrew added the bug Something isn't working label Jul 5, 2023
@tgerla tgerla added the false-positive:cpe This issue is a report of a false positive cause by CPE matching label Jul 6, 2023
@tgerla
Contributor

tgerla commented Jul 6, 2023

Hi @RothAndrew, thanks for the report and the detailed steps to reproduce! We will take a look at this one as soon as we can.

@wagoodman
Contributor

dev note: we could probably be filtering out this after we do the CPE search by looking at the package type vs the CPE target-software field to determine if the match is for the wrong ecosystem.
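
One way to express the filter described in the dev note above, as an added example that is not Grype's code and not part of the thread: read the target_sw attribute from a CPE 2.3 formatted string and drop the match when it names a different ecosystem than the package type. The function names, the `ecosystemTargets` mapping and the sample CPE (with target_sw set to `aws`) are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// targetSW returns the target_sw attribute (11th field) of a CPE 2.3 formatted string.
func targetSW(cpe string) (string, error) {
	var fields []string
	var cur strings.Builder
	for i := 0; i < len(cpe); i++ {
		switch {
		case cpe[i] == '\\' && i+1 < len(cpe): // escaped char such as "\:" stays in the field
			cur.WriteString(cpe[i : i+2])
			i++
		case cpe[i] == ':':
			fields = append(fields, cur.String())
			cur.Reset()
		default:
			cur.WriteByte(cpe[i])
		}
	}
	fields = append(fields, cur.String())
	if len(fields) != 13 || fields[0] != "cpe" || fields[1] != "2.3" {
		return "", fmt.Errorf("not a CPE 2.3 formatted string: %q", cpe)
	}
	return strings.ToLower(fields[10]), nil
}

// ecosystemTargets is an assumed mapping from package type to acceptable target_sw values.
var ecosystemTargets = map[string]map[string]bool{"go-module": {"go": true, "golang": true}}

// keepMatch reports whether a CPE-based match is plausible for the package type.
func keepMatch(pkgType, cpe string) bool {
	sw, err := targetSW(cpe)
	targets, known := ecosystemTargets[pkgType]
	if err != nil || !known || sw == "*" || sw == "-" {
		return true // no evidence of a mismatch: keep reporting the match
	}
	return targets[sw] // false when target_sw names a different ecosystem
}

func main() {
	// Constructed sample CPE, not an NVD record: target_sw is "aws".
	fmt.Println(keepMatch("go-module", "cpe:2.3:a:example:terraform:*:*:*:*:*:aws:*:*"))
}
```

The filter only suppresses a match when target_sw is specific and disagrees with the package type; wildcard, unparseable or unmapped cases stay reported so that uncertainty never hides a finding.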

@spiffcs spiffcs added bug Something isn't working and removed bug Something isn't working labels Jul 19, 2023
@willmurphyscode willmurphyscode added the changelog-ignore Don't include this issue in the release changelog label Apr 19, 2024
@willmurphyscode
Contributor

This no longer reproduces for me. Following test steps from the original post with | grep terraform, I see only GHSA-h626-pv66-hhm7, which seems to be a true positive (affects versions >=1.0.8,<1.5.7, installed version is 1.5.2).

This was most likely fixed by the switch from CVE to GHSA as the default matching source for Go vulnerabilities, which happened some time ago (hence the changelog-ignore label).

Please let me know if I've missed something.
