False Positive: Multiple old CVEs in chromium 134.0.6998.117 for apk ecosystem. #2581

Closed
simonc6372 opened this issue Apr 7, 2025 · 2 comments · Fixed by anchore/cve-data-enrichment#17
Labels
bug Something isn't working

Comments

@simonc6372

What happened:
Grype 0.91.0 is detecting CVE-2013-6647 and multiple other old CVEs in a recent version of Google Chromium, when this was fixed a long time ago.

I think the following are being detected due to no CPE

CVE-2013-6647
CVE-2009-1598
CVE-2010-1731
CVE-2011-3389
CVE-2016-7152
CVE-2016-7153
CVE-2018-10229
CVE-2008-5915
CVE-2015-4000

Looking at the JSON output of a scan, it looks like it's due to no version information in the CPE.
Looking at the detection for CVE-2013-6647, for example:

      "matchDetails": [
        {
          "type": "cpe-match",
          "matcher": "apk-matcher",
          "searchedBy": {
            "namespace": "nvd:cpe",
            "cpes": [
              "cpe:2.3:a:google:chrome:134.0.6998.117:*:*:*:*:*:*:*"
            ],
            "package": {
              "name": "chromium",
              "version": "134.0.6998.117-r0"
            }
          },
          "found": {
            "vulnerabilityID": "CVE-2013-6647",
            "versionConstraint": "none (unknown)",
            "cpes": [
              "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*"
            ]
          }
        }
      ],

What you expected to happen:
no detection of CVE-2013-6647 and similar old CVEs.

How to reproduce it (as minimally and precisely as possible):
The grafana/grafana-image-renderer:3.12.4 image is triggering this bug.
Scanned with a default configuration.

grype grafana/grafana-image-renderer:3.12.4 --output json | jq -r '.matches[] | select(.matchDetails[].found.cpes[]=="cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*") | select(.matchDetails[].found.versionConstraint=="none (unknown)")| .matchDetails[].found' 

Anything else we need to know?:

Environment:

  • Output of grype version:
~> grype version
Application:         grype
Version:             0.91.0
BuildDate:           2025-04-01T17:31:06Z
GitCommit:           57d4a7c965704c186e246ce71967464fd95948a3
GitDescription:      v0.91.0
Platform:            linux/amd64
GoVersion:           go1.24.1
Compiler:            gc
Syft Version:        v1.22.0
Supported DB Schema: 6
  • Output of grype db list:
~> grype db list
Status:   active
Schema:   v6.0.2
Built:    2025-04-07T04:07:01Z
Listing:  https://grype.anchore.io/databases/v6/latest.json
DB URL:   https://grype.anchore.io/databases/v6/vulnerability-db_v6.0.2_2025-04-07T01:29:59Z_1743998821.tar.zst
Checksum: sha256:8932ea5b149ea0e3b5a487c45879c3716e1153bd865428fd401c49c4ad54c7db
  • OS (e.g: cat /etc/os-release or similar):
~> cat /etc/os-release
NAME="openSUSE Tumbleweed"
# VERSION="20250313"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20250313"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
# CPE 2.3 format, boo#1217921
CPE_NAME="cpe:2.3:o:opensuse:tumbleweed:20250313:*:*:*:*:*:*:*"
#CPE 2.2 format
#CPE_NAME="cpe:/o:opensuse:tumbleweed:20250313"
BUG_REPORT_URL="https://bugzilla.opensuse.org"
SUPPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:Tumbleweed"
LOGO="distributor-logo-Tumbleweed"
@simonc6372 simonc6372 added the bug Something isn't working label Apr 7, 2025
@popey
Contributor

popey commented Apr 7, 2025

Thanks for the issue @simonc6372 - I was able to reproduce with your steps - so thanks also for that.

This could be 'bad data' from nvd.

$ grype grafana/grafana-image-renderer:3.12.4 --output json | grype explain --id CVE-2013-6647
[0000]  WARN grype explain is a prototype feature and is subject to change
 ✔ Loaded image                                                                                                                                                      grafana/grafana-image-renderer:3.12.4
 ✔ Parsed image                                                                                                                    sha256:7500aadead485065ffb0d9270a36f295c42939cdd31a0f5baa6d18cffce5a4a6
 ✔ Cataloged contents                                                                                                                     0327e4b893c4cafd36b22f9f696b1e51f3775cf3399e7ce5dad7c6dfbbc5a682
   ├── ✔ Packages                        [809 packages]
   ├── ✔ Executables                     [464 executables]
   ├── ✔ File metadata                   [2,036 locations]
   └── ✔ File digests                    [2,036 files]
 ✔ Scanned for vulnerabilities     [29 vulnerability matches]
   ├── by severity: 1 critical, 10 high, 12 medium, 2 low, 0 negligible (4 unknown)
   └── by status:   4 fixed, 25 not-fixed, 0 ignored
CVE-2013-6647 from nvd:cpe (Critical)
A use-after-free in AnimationController::endAnimationUpdate in Google Chrome.
Matched packages:
    - Package: chromium, version: 134.0.6998.117-r0
      PURL: pkg:apk/alpine/chromium@134.0.6998.117-r0?arch=aarch64&distro=alpine-3.21.3
      Match explanation(s):
          - nvd:cpe:CVE-2013-6647 CPE match on `cpe:2.3:a:google:chrome:134.0.6998.117:*:*:*:*:*:*:*`.
      Locations:
          - /lib/apk/db/installed
URLs:
    - https://nvd.nist.gov/vuln/detail/CVE-2013-6647

The NVD URL indicates:

Known Affected Software Configurations
  cpe:2.3:a:google:chrome:-:*:*:*:*:*:*:*
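
Added example (not code from the issue, from grype or from NVD): a Python script that shows why the match above fires and how to triage such matches in grype's JSON output. It uses a simplified CPE 2.3 comparison (assumes no escaped colons in attribute values) in which ANY (`*`) in the version field of the vulnerability's CPE matches every package version, while NA (`-`), as on the NVD page, does not match a concrete version; the report it scans is a constructed sample shaped like the matchDetails quoted in the issue.

```python
import json

def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 11 attribute values.
    Assumption: no escaped colons inside values (true for every CPE in this issue)."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return parts[2:]  # part, vendor, product, version, update, edition, ...

def cpe_matches(candidate, pattern):
    """Simplified CPE 2.3 matching: '*' (ANY) in the pattern matches any value,
    '-' (NA) only matches an explicit '-', anything else must compare equal."""
    for value, pat in zip(parse_cpe23(candidate), parse_cpe23(pattern)):
        if pat != "*" and value.lower() != pat.lower():
            return False
    return True

def versionless_cpe_matches(report):
    """Return (vuln id, package, version, CPE) for every cpe-match whose matched
    CPE has no version ('*') and no version constraint: the pattern in this issue."""
    hits = []
    for match in report.get("matches", []):
        for detail in match.get("matchDetails", []):
            found = detail.get("found", {})
            if detail.get("type") != "cpe-match":
                continue
            if found.get("versionConstraint") != "none (unknown)":
                continue
            pkg = detail["searchedBy"]["package"]
            for cpe in found.get("cpes", []):
                if parse_cpe23(cpe)[3] == "*":  # index 3 is the version attribute
                    hits.append((found["vulnerabilityID"], pkg["name"], pkg["version"], cpe))
    return hits

# Constructed sample: one match shaped like the matchDetails quoted in the issue.
SAMPLE_REPORT = json.loads("""
{"matches": [{"vulnerability": {"id": "CVE-2013-6647"},
  "matchDetails": [{"type": "cpe-match", "matcher": "apk-matcher",
    "searchedBy": {"namespace": "nvd:cpe",
      "cpes": ["cpe:2.3:a:google:chrome:134.0.6998.117:*:*:*:*:*:*:*"],
      "package": {"name": "chromium", "version": "134.0.6998.117-r0"}},
    "found": {"vulnerabilityID": "CVE-2013-6647",
      "versionConstraint": "none (unknown)",
      "cpes": ["cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*"]}}]}]}
""")

if __name__ == "__main__":
    pkg_cpe = "cpe:2.3:a:google:chrome:134.0.6998.117:*:*:*:*:*:*:*"
    print(cpe_matches(pkg_cpe, "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*"))  # True: grype's data
    print(cpe_matches(pkg_cpe, "cpe:2.3:a:google:chrome:-:*:*:*:*:*:*:*"))  # False: NVD's config
    for hit in versionless_cpe_matches(SAMPLE_REPORT):
        print("review:", *hit)
```

To run it over a real scan, feed `grype <image> --output json` into `json.load(sys.stdin)` in place of SAMPLE_REPORT; every hit is a CPE match that no version constraint supports and deserves a look before being accepted.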

@willmurphyscode
Contributor

We merged some data improvements for these ancient CVEs (see anchore/cve-data-enrichment#17 ). Tomorrow's grype database should no longer show these false positives. Thanks for the report!

It would be nice to also contribute some NAKs to the Alpine package: https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/community/chromium/APKBUILD#L183

I'll do that if I get a chance, but anyone is welcome to beat me to it.
