Incorrect cve fixed-in version coming in grype output

[nehas4]

What happened: After scanning one image with nodejs component (of 18 series) with version: 1:18.20.4-1.module+el9.4.0+22195+c221878e, reporting CVE-2024-27983 with fixed in version (of 20 series): 1:20.12.2-2.module+el9.4.0+21731+46b5b8a7 as shown below:

NAME | INSTALLED | FIXED-IN | TYPE | VULNERABILITY | SEVERITY
nodejs | 1:18.20.4-1.module+el9.4.0+22195+c221878e | 1:20.12.2-2.module+el9.4.0+21731+46b5b8a7 | rpm | CVE-2024-27983 | High

What you expected to happen: As per documentation (https://access.redhat.com/security/cve/CVE-2024-27983) this CVE: CVE-2024-27983, is present in nodejs 18 series and fixed in 18.20.2 version itself.
In grype DB we can see that below details for this CVE and we are suspecting that the above output is coming because of version constraint column data in DB.

ID | PACKAGE_NAME | NAMESPACE | PACKAGE_QUALIFIERS | VERSION_CONSTRAINT | CPES | RELATED_VULNERABILITIES | FIXED_IN_VERSIONS | FIX_STATE | ADVISORIES
871808 | CVE-2024-27983 | nodejs | redhat:distro:redhat:8 | [{"kind":"rpm-modularity","module":"nodejs:20"}] | < 1:20.12.2-2.module+el8.9.0+21743+0b3f1be2 | rpm |   | [{"id":"CVE-2024-27983","namespace":"nvd:cpe"}] | ["1:20.12.2-2.module+el8.9.0+21743+0b3f1be2"] | fixed | [{"id":"RHSA-2024:2778","link":"https://access.redhat.com/errata/RHSA-2024:2778"}]
871809 | CVE-2024-27983 | nodejs | redhat:distro:redhat:8 | [{"kind":"rpm-modularity","module":"nodejs:18"}] | < 1:18.20.2-1.module+el8.9.0+21767+537f34ee | rpm |   | [{"id":"CVE-2024-27983","namespace":"nvd:cpe"}] | ["1:18.20.2-1.module+el8.9.0+21767+537f34ee"] | fixed | [{"id":"RHSA-2024:2780","link":"https://access.redhat.com/errata/RHSA-2024:2780"}]
879028 | CVE-2024-27983 | nodejs | redhat:distro:redhat:9 | [{"kind":"rpm-modularity","module":"nodejs:18"}] | < 1:18.20.2-2.module+el9.4.0+21742+692df1ea | rpm |   | [{"id":"CVE-2024-27983","namespace":"nvd:cpe"}] | ["1:18.20.2-2.module+el9.4.0+21742+692df1ea"] | fixed | [{"id":"RHSA-2024:2779","link":"https://access.redhat.com/errata/RHSA-2024:2779"}]
879029 | CVE-2024-27983 | nodejs | redhat:distro:redhat:9 | [{"kind":"rpm-modularity","module":"nodejs:20"}] | < 1:20.12.2-2.module+el9.4.0+21731+46b5b8a7 | rpm |   | [{"id":"CVE-2024-27983","namespace":"nvd:cpe"}] | ["1:20.12.2-2.module+el9.4.0+21731+46b5b8a7"] | fixed | [{"id":"RHSA-2024:2853","link":"https://access.redhat.com/errata/RHSA-2024:2853"}]
879030 | CVE-2024-27983 | nodejs | redhat:distro:redhat:9 | [{"kind":"rpm-modularity"}] | < 1:16.20.2-8.el9_4 | rpm |   | [{"id":"CVE-2024-27983","namespace":"nvd:cpe"}] | ["1:16.20.2-8.el9_4"] | fixed | [{"id":"RHSA-2024:2910","link":"https://access.redhat.com/errata/RHSA-2024:2910"}]

We want to know if this grype output coming is correct with fixed-in version? And whether its coming because of the feed data into grype DB from redhat?

How to reproduce it (as minimally and precisely as possible): scan cyclonedx syft sbom of below nodejs image with nodejs component of 18.20.4 version with grype:

Issue coming for this image:
syft registry.access.redhat.com/ubi9/nodejs-18-minimal:1-129.1726695172 -o cyclonedx-json=syft_cyclonedx.json
grype sbom:syft_cyclonedx.json -o table=grype_output.txt

Correct data coming for below image:
syft registry.access.redhat.com/ubi9/nodejs-18-minimal:1-113.1714664725 -o cyclonedx-json=syft_cyclonedx.json
grype sbom:syft_cyclonedx.json -o table=grype_output.txt

Environment:

• Grype version: grype 0.84.0
• OS:
  NAME="Red Hat Enterprise Linux"
  VERSION="8.10 (Ootpa)"
  ID="rhel"
  ID_LIKE="fedora"
  VERSION_ID="8.10"
  PLATFORM_ID="platform:el8"
  PRETTY_NAME="Red Hat Enterprise Linux 8.10 (Ootpa)"
  ANSI_COLOR="0;31"
  CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
  HOME_URL="https://www.redhat.com/"
  DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8"
  BUG_REPORT_URL="https://issues.redhat.com/"
  REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
  REDHAT_BUGZILLA_PRODUCT_VERSION=8.10
  REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
  REDHAT_SUPPORT_PRODUCT_VERSION="8.10"

[westonsteimel]

For anyone looking further at this, my guess is that the package modularity is not handled by syft with cyclonedx format and therefore grype can't choose the correct constraint based on package modularity so has to choose the highest version constraint.

[nehas4]

We have observed that we are getting different grype scan output when done with syft cyclonedx-json sbom and syft-json sbom. Below is one example:

grype scan output with cyclonedx-json sbom:

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
nodejs 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2024-24806 Medium
nodejs 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-46809 Medium
nodejs 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-38552 Medium
nodejs 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2022-25883 Medium
nodejs 1:20.16.0-1.module+el9.4.0+22197+9e60f127 rpm CVE-2021-3807 Medium
nodejs 1:20.16.0-1.module+el9.4.0+22197+9e60f127 rpm CVE-2021-27290 Medium
nodejs 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-45143 Low
nodejs 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-39333 Low
nodejs-full-i18n 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2024-24806 Medium
nodejs-full-i18n 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-46809 Medium
nodejs-full-i18n 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-38552 Medium
nodejs-full-i18n 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2022-25883 Medium
nodejs-full-i18n 1:20.16.0-1.module+el9.4.0+22197+9e60f127 rpm CVE-2021-3807 Medium
nodejs-full-i18n 1:20.16.0-1.module+el9.4.0+22197+9e60f127 rpm CVE-2021-27290 Medium
nodejs-full-i18n 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-45143 Low
nodejs-full-i18n 1:20.16.0-1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-39333 Low
nodejs-nodemon 3.0.1-1.module+el9.3.0.z+20478+84a9f781 (won't fix) rpm CVE-2022-25883 Medium
npm 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2024-24806 Medium
npm 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-46809 Medium
npm 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-38552 Medium
npm 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2022-25883 Medium
npm 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 rpm CVE-2021-3807 Medium
npm 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 rpm CVE-2021-27290 Medium
npm 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-45143 Low
npm 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 (won't fix) rpm CVE-2023-39333 Low

grype scan output with syft-json sbom:

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
nodejs 1:20.16.0-1.module+el9.4.0+22197+9e60f127 rpm CVE-2023-38552 Medium
nodejs 1:20.16.0-1.module+el9.4.0+22197+9e60f127 rpm CVE-2023-45143 Low
nodejs-full-i18n 1:20.16.0-1.module+el9.4.0+22197+9e60f127 rpm CVE-2023-38552 Medium
nodejs-full-i18n 1:20.16.0-1.module+el9.4.0+22197+9e60f127 rpm CVE-2023-45143 Low
npm 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 rpm CVE-2023-38552 Medium
npm 1:10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127 rpm CVE-2023-45143 Low

With syft-json sbom as input, grype giving less listing as shown above. Is it because of more detailed breakdowns coming in syft-json?

cyclonedx cpes:
"cpe": "cpe:2.3:a:nodejs:nodejs:1\:20.16.0-1.module\+el9.4.0\+22197\+9e60f127:::::::*",

syft-json cpes:
"cpes": [
{
"cpe": "cpe:2.3:a:nodejs:nodejs:1\:20.16.0-1.module\+el9.4.0\+22197\+9e60f127:::::::",
"source": "syft-generated"
},
{
"cpe": "cpe:2.3:a:redhat:nodejs:1\:20.16.0-1.module\+el9.4.0\+22197\+9e60f127:::::::",
"source": "syft-generated"
}
],