Description
Grype reports a false positive vulnerability (GHSA-5xr6-xhww-33m4) for the GitHub Action dawidd6/action-download-artifact when referenced using a commit hash, even though the commit corresponds to version 11, which includes the fix.
Steps to Reproduce
- Use the following GitHub Action in a workflow:

  ```yaml
  - uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5
  ```

- Run a grype scan on the repository or on an SBOM containing this action reference.
- Observe that GHSA-5xr6-xhww-33m4 is reported as a vulnerability.
Expected Behavior
The commit hash ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 corresponds to version 11 of the action. According to GHSA-5xr6-xhww-33m4, any version higher than version 6 includes the fix. Therefore, grype should not report this as a vulnerability.
Actual Behavior
Grype reports GHSA-5xr6-xhww-33m4 as a vulnerability, likely because it cannot determine the version number from the commit hash reference and treats it as outdated/unknown.
Environment
- Grype version: Latest
- Reference format: GitHub Action with commit hash
- Action: dawidd6/action-download-artifact@ac66b43 (version 11)
- Advisory: GHSA-5xr6-xhww-33m4
Additional Context
This appears to be a broader issue with how grype handles GitHub Actions that use commit hashes instead of version tags. When actions are pinned to specific commits for security best practices (as recommended by GitHub), grype cannot resolve the commit hash to a version number and may incorrectly report vulnerabilities that have already been fixed in that version.
A potential solution could be to:
- Resolve GitHub Action commit hashes to their corresponding release tags
- Improve version detection for GitHub Actions using commit SHAs
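As an illustration of the resolution step proposed above, the following added example (not grype's code) parses a workflow `uses:` reference, resolves a full commit SHA to its release tag, and only then compares the version against the advisory's fixed range. The SHA-to-tag table is constructed to stand in for the output of `git ls-remote --tags`, and the tag name `v11` for the commit named in this issue is an assumption.

```python
import re

# Constructed lookup table standing in for `git ls-remote --tags <repo>` output.
# The issue states this commit corresponds to version 11; the tag name "v11" is assumed.
SHA_TO_TAG = {
    ("dawidd6/action-download-artifact",
     "ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5"): "v11",
}

# GHSA-5xr6-xhww-33m4 is fixed in every version above 6, as stated in the issue.
FIXED_ABOVE = {("dawidd6/action-download-artifact", "GHSA-5xr6-xhww-33m4"): 6}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^/\s]+/[^@\s]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{7,40}$")


def parse_uses(line):
    """Return (repo, ref) from a workflow `uses:` line, or None if it is not one."""
    m = USES_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def resolve_ref(repo, ref):
    """Map a ref to a version tag: tags pass through, full SHAs are looked up,
    short or unknown SHAs resolve to None (version cannot be determined)."""
    if not SHA_RE.fullmatch(ref):
        return ref  # already a tag such as v11 (a purely hex tag would be misclassified)
    return SHA_TO_TAG.get((repo, ref))


def major_version(tag):
    """Extract the leading integer from a tag such as v11 or 11.2; None if absent."""
    m = re.match(r"^v?(\d+)", tag)
    return int(m.group(1)) if m else None


def is_affected(repo, ref, advisory):
    """True if the pinned action is affected, False if it carries the fix,
    None if the version cannot be determined (report as unknown, not as vulnerable)."""
    tag = resolve_ref(repo, ref)
    if tag is None:
        return None
    fixed_above = FIXED_ABOVE.get((repo, advisory))
    if fixed_above is None:
        return False  # advisory does not apply to this repository
    version = major_version(tag)
    if version is None:
        return None  # e.g. a branch name like main
    return version <= fixed_above
```

With this resolution in place the commit-pinned reference from the issue maps to version 11 and is reported as not affected, while a short SHA that cannot be resolved is reported as unknown rather than as vulnerable.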