Description
Version
02-EA
Which installation method(s) does this occur on?
No response
Describe the bug.
The pipeline reports that it did not find any vulnerable packages or dependencies in the SBOM when the CVE's vulnerable package component is one of the following:
- The input git repository
- The upstream of the input git repository (the input git repository is a fork of this upstream).
In such cases, the CVE's intelligence usually lacks the details of the vulnerable version (or version range) of the package.
These repositories do not tag their releases with semver tags, and when the input repository is itself the CVE's vulnerable package, the SBOM does not contain it as a package at all (the package is the built artifact of the input repository, i.e. the application itself that runs in the container). We therefore cannot perform a version comparison to determine whether the package is vulnerable or not.
What we do have in such cases is a commit or PR that fixes the issue, referenced in the CVE's intelligence, so it can be checked whether that commit/PR was merged or whether its content was incorporated into the input git repository ref: in other words, whether the fix commit is an ancestor of the input repository's ref/branch/tag in the commit graph, or whether the content of the fix commit/PR was cherry-picked/rebased/squashed on top of some ancestor of the input repository's ref/branch/tag.
Sometimes the CVE's intelligence links to the problematic lines in some file of the repository (with an immutable commit id as the git ref, so the link to the problematic line or line range does not change). These lines are the cause of the vulnerability, so a code search for them in the input git repository ref would help determine whether the vulnerable code is present in the code base or not.
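The three checks described above (fix commit is an ancestor of the input ref; fix content was backported under a different commit id; problematic lines from the CVE reference are still present), as an added example that is not part of Morpheus or of this report. It runs on a small constructed commit graph (hypothetical commit ids `c1`..`c4`, `f1`, `k0`, `k1` and a hypothetical `handler.go`) instead of a real checkout; against a real repository the ancestry question is `git merge-base --is-ancestor <fix> <ref>` and the other two checks are searches over the checked-out tree at the input ref.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Commit:
    """One node of the commit graph: parent ids plus a full tree snapshot."""
    parents: tuple[str, ...]
    files: dict[str, str]  # path -> file content at this commit


# Constructed history (hypothetical repository, not a real project).
# handler.go is the CVE's vulnerable file; f1 is the upstream fix commit.
VULNERABLE_HANDLER = (
    "func handle(n int) {\n"
    "    buf[n] = 1\n"
    "}\n"
)
FIXED_HANDLER = (
    "func handle(n int) {\n"
    "    if n >= len(buf) {\n"
    "        return\n"
    "    }\n"
    "    buf[n] = 1\n"
    "}\n"
)
COMMITS: dict[str, Commit] = {
    "c1": Commit((), {"handler.go": VULNERABLE_HANDLER}),
    "c2": Commit(("c1",), {"handler.go": VULNERABLE_HANDLER, "README": "v1\n"}),
    # upstream fix commit, branched from c2
    "f1": Commit(("c2",), {"handler.go": FIXED_HANDLER, "README": "v1\n"}),
    # main continued without the fix
    "c3": Commit(("c2",), {"handler.go": VULNERABLE_HANDLER, "README": "v2\n"}),
    # merge commit bringing f1 into main
    "c4": Commit(("c3", "f1"), {"handler.go": FIXED_HANDLER, "README": "v2\n"}),
    # downstream fork: fix cherry-picked onto c3 under a new commit id
    "k1": Commit(("c3",), {"handler.go": FIXED_HANDLER, "README": "v2\n"}),
    # stale fork branch that never received the fix
    "k0": Commit(("c1",), {"handler.go": VULNERABLE_HANDLER, "LICENSE": "x\n"}),
}

# The contiguous lines a CVE reference would link to (constructed).
VULN_SNIPPET = ["func handle(n int) {", "    buf[n] = 1"]


def is_ancestor(commits, fix_id, ref_id):
    """True when fix_id is reachable from ref_id by following parent links
    (the model's equivalent of `git merge-base --is-ancestor fix ref`)."""
    seen, queue = set(), deque([ref_id])
    while queue:
        cur = queue.popleft()
        if cur == fix_id:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(commits[cur].parents)
    return False


def added_lines(commits, commit_id):
    """Lines the commit adds relative to its first parent, per file
    (a snapshot diff; a real tool would read the fix patch itself)."""
    commit = commits[commit_id]
    parent = commits[commit.parents[0]].files if commit.parents else {}
    out = {}
    for path, content in commit.files.items():
        before = set(parent.get(path, "").splitlines())
        added = [ln for ln in content.splitlines() if ln not in before]
        if added:
            out[path] = added
    return out


def fix_content_present(commits, fix_id, ref_id):
    """True when every line the fix added exists in ref's tree: this is what
    survives a cherry-pick, rebase or squash that changed the commit id."""
    tree = commits[ref_id].files
    for path, lines in added_lines(commits, fix_id).items():
        have = set(tree.get(path, "").splitlines())
        if not all(ln in have for ln in lines):
            return False
    return True


def vulnerable_snippet_present(commits, ref_id, path, snippet):
    """Code search for the problematic lines the CVE links to. The lines must
    match contiguously: matching them one at a time would still hit the fixed
    file, because the fix only inserts a guard above `buf[n] = 1`."""
    lines = commits[ref_id].files.get(path, "").splitlines()
    n = len(snippet)
    return any(lines[i:i + n] == snippet for i in range(len(lines) - n + 1))


def assess(commits, fix_id, ref_id, vuln_path, vuln_snippet):
    """Combine the three checks, strongest evidence first."""
    if is_ancestor(commits, fix_id, ref_id):
        return "fixed: fix commit is an ancestor of ref"
    if fix_content_present(commits, fix_id, ref_id):
        return "fixed: fix content backported under another commit id"
    if vulnerable_snippet_present(commits, ref_id, vuln_path, vuln_snippet):
        return "vulnerable: problematic lines present, fix absent"
    return "unknown: neither fix nor vulnerable lines found, review manually"


if __name__ == "__main__":
    for ref in ("c4", "k1", "c3", "k0"):
        print(ref, "->", assess(COMMITS, "f1", ref, "handler.go", VULN_SNIPPET))
```

The order of the checks matters: ancestry is exact and cheap, the backport check tolerates rewritten history, and the snippet search is only consulted when neither fix signal is found, since the problematic lines can persist verbatim in a fixed file when the fix merely adds a guard around them.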
Minimum reproducible example
Example 1 -
CVE: https://access.redhat.com/security/cve/CVE-2024-1725,
input git repository https://github.com/openshift/kubevirt-csi-driver,
image: registry.redhat.io/openshift4/kubevirt-csi-driver-rhel8,
image digest sha tag: sha256:a736e373732e14e9dd2895b30e686bcac7686d28adbde2b66a777ba9b15ba910
Example 2 -
CVE: https://access.redhat.com/security/cve/CVE-2024-5037,
input source git repository https://github.com/openshift/telemeter,
image: registry.redhat.io/openshift4/ose-telemeter,
image digest sha tag: sha256:dba47f7eb4c3c8b309fc522b4aa4d35e142b65a5c198271771ca7c3909d00c44
Relevant log output
Full env printout
Other/Misc.
No response
Code of Conduct
- I agree to follow Morpheus' Code of Conduct
- I have searched the open bugs and have found no duplicates for this bug report
Metadata
Status: Done