matcher failed for pkg=Pkg(type=npm ... product name is required

[srmo]

What happened:
I wanted to give grype a try and test the user image cypress/included:6.2.1 from dockerhub.
Scan results appear but are prefixed with > 100 lines of the following error (all the same):
[0071] ERROR matcher failed for pkg=Pkg(type=npm, name=, version=): matcher failed to fetch by CPE pkg='': product name is required

What you expected to happen:
A list of vulnerabilities without such errors

How to reproduce it (as minimally and precisely as possible):
Not sure. It happens every time on my system for that image.

Environment:

• Output of grype version:
  installed via brew on MacOS
  Application: grype
  Version: 0.6.1
  BuildDate: 2020-12-08T19:19:38Z
  GitCommit: 9128a8a
  GitTreeState: clean
  Platform: darwin/amd64
  GoVersion: go1.14.12
  Compiler: gc
  Supported DB Schema: 1

• OS (e.g: cat /etc/os-release or similar):
  MacOS Big Sur

[luhring]

Hi @srmo — good find. I was able to reproduce this with the same image, and the output is pretty bad — I count 224 lines of that same error!

The root cause is a bug in syft, the tool (and library) that actually finds the packages in the image. Coincidentally, we just fixed this issue (in syft). Now we need to update grype to use this new syft version. Expect a new release of grype in the next day or so, and this should be resolved!

The summary of the problem is that syft is finding package.json files that are not conforming to the expected format for package.json files. One example of this can be found in the file /usr/local/lib/node_modules/cypress/node_modules/date-fns/locale/el/package.json within the image cypress/included:6.2.1:

{
  "typings": "../../typings.d.ts"
}

Syft was counting this as a unique package, even though none of the required fields are present, like "name" or "version". Now, syft just ignores these files, and all is good.

[luhring]

This should be fixed as of Grype v0.7.0. (The fix to anchore/syft#311 was brought into Grype via #233.)

Closing for now. If you see this continuing, just let us know and we can re-open.

[mashayev]

I faced the same issue today with updated grype v0.27.0.
Cleaning the DB solved the problem:
grype db delete

[wagoodman]

@mashayev can you provide an image (or a file) to help reproduce this on our end?

[mashayev]

@mashayev can you provide an image (or a file) to help reproduce this on our end?

All docker images scan with grype didn't work. I assumed it's related to the DB. grype is using sqlite the error indicated that I had a corrupt sqlite vulnerability file maybe because of multiple writers. So I removed the DB and it solved it.

BTW - It's not related to grype new version, the issue started with an older version of grype, I upgrade it to make sure it's not a version issue.

[luhring]

@mashayev Is this happening consistently? Is there a set of steps we could write down here that would let us see the issue? I haven't seen this before.

Also, could this be a separate issue? It sounds like you saw an error message about the database, but the error message reported for this ticket was ERROR matcher failed for pkg=Pkg(type=npm, name=, version=): matcher failed to fetch by CPE pkg='': product name is required.