I am trying to scan a filesystem directory that contains compiled shared libraries (.so files) using grype's filesystem (dir:) scan.
Command used for scanning: `grype dir:./ -o json > grype.json`
Here are my .so files:
[root@023f0ddf2927 wheelhouse]# pwd
/wheelhouse
[root@023f0ddf2927 wheelhouse]# ls
extract-numpy-repaired-wheel numpy numpy-2.2.5-cp311-cp311-manylinux_2_34_ppc64le.whl numpy-2.2.5.dist-info numpy.libs
[root@023f0ddf2927 wheelhouse]# ls numpy.libs
libgfortran-37ae8338.so.5.0.0 libgomp-57cf5f15.so.1.0.0 libopenblasp-r0-8de27ae6.3.29.so libquadmath-5e7575c3.so.0.0.0
[root@023f0ddf2927 wheelhouse]#
Below are the vulnerability match blocks reported for the distro (rpm) packages that correspond to these .so files. Note that each artifact's location is `var/lib/rpm/rpmdb.sqlite` with `"type": "rpm"`, so these matches appear to come from the container's installed RPM database rather than from the bundled .so files in `numpy.libs` themselves:
libgfortran-37ae8338.so.5.0.0
libgomp-57cf5f15.so.1.0.0
libquadmath-5e7575c3.so.0.0.0
{
"vulnerability": {
"id": "CVE-2022-27943",
"dataSource": "https://access.redhat.com/security/cve/CVE-2022-27943",
"namespace": "redhat:distro:redhat:9",
"severity": "Low",
"urls": [],
"description": "A flaw was found in binutils, where GNU GCC is vulnerable to a denial of service caused by a stack consumption in the demangle_const() function in libiberty/rust-demangle.c. The vulnerability exists due to the application not properly controlling the consumption of internal resources. By persuading a victim to open a specially-crafted file, an attacker could cause a denial of service.",
"cvss": [
{
"type": "Secondary",
"version": "3.1",
"vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"metrics": {
"baseScore": 5.5,
"exploitabilityScore": 1.9,
"impactScore": 3.6
},
"vendorMetadata": {}
}
],
"epss": [
{
"cve": "CVE-2022-27943",
"epss": 0.0005,
"percentile": 0.15662,
"date": "2026-01-18"
}
],
"cwes": [
{
"cve": "CVE-2022-27943",
"cwe": "CWE-674",
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"fix": {
"versions": [],
"state": "not-fixed"
},
"advisories": [],
"risk": 0.02125
},
"relatedVulnerabilities": [
{
"id": "CVE-2022-27943",
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943",
"namespace": "nvd:cpe",
"severity": "Medium",
"urls": [
"https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039",
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/",
"https://sourceware.org/bugzilla/show_bug.cgi?id=28995"
],
"description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.",
"cvss": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"version": "3.1",
"vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"metrics": {
"baseScore": 5.5,
"exploitabilityScore": 1.9,
"impactScore": 3.6
},
"vendorMetadata": {}
},
{
"source": "nvd@nist.gov",
"type": "Primary",
"version": "2.0",
"vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"metrics": {
"baseScore": 4.3,
"exploitabilityScore": 8.6,
"impactScore": 2.9
},
"vendorMetadata": {}
}
],
"epss": [
{
"cve": "CVE-2022-27943",
"epss": 0.0005,
"percentile": 0.15662,
"date": "2026-01-18"
}
],
"cwes": [
{
"cve": "CVE-2022-27943",
"cwe": "CWE-674",
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
],
"matchDetails": [
{
"type": "exact-indirect-match",
"matcher": "rpm-matcher",
"searchedBy": {
"distro": {
"type": "redhat",
"version": "9.6"
},
"package": {
"name": "gcc",
"version": "11.5.0-11.el9"
},
"namespace": "redhat:distro:redhat:9"
},
"found": {
"vulnerabilityID": "CVE-2022-27943",
"versionConstraint": "none (unknown)"
}
}
],
"artifact": {
"id": "972b0757ae149128",
"name": "libgfortran",
"version": "11.5.0-11.el9",
"type": "rpm",
"locations": [
{
"path": "var/lib/rpm/rpmdb.sqlite",
"accessPath": "var/lib/rpm/rpmdb.sqlite",
"annotations": {
"evidence": "primary"
}
}
],
"language": "",
"licenses": [
"GPLv3+ and GPLv3+ with exceptions and GPLv2+ with exceptions and LGPLv2+ and BSD"
],
"cpes": [
"cpe:2.3:a:libgfortran:libgfortran:11.5.0-11.el9:*:*:*:*:*:*:*",
"cpe:2.3:a:redhat:libgfortran:11.5.0-11.el9:*:*:*:*:*:*:*"
],
"purl": "pkg:rpm/redhat/libgfortran@11.5.0-11.el9?arch=ppc64le&distro=rhel-9.6&upstream=gcc-11.5.0-11.el9.src.rpm",
"upstreams": [
{
"name": "gcc",
"version": "11.5.0-11.el9"
}
],
"metadataType": "RpmMetadata",
"metadata": {
"epoch": null,
"modularityLabel": ""
}
}
},
--------------------------------------------------------------------------------------------------------------------
{
"vulnerability": {
"id": "CVE-2022-27943",
"dataSource": "https://access.redhat.com/security/cve/CVE-2022-27943",
"namespace": "redhat:distro:redhat:9",
"severity": "Low",
"urls": [],
"description": "A flaw was found in binutils, where GNU GCC is vulnerable to a denial of service caused by a stack consumption in the demangle_const() function in libiberty/rust-demangle.c. The vulnerability exists due to the application not properly controlling the consumption of internal resources. By persuading a victim to open a specially-crafted file, an attacker could cause a denial of service.",
"cvss": [
{
"type": "Secondary",
"version": "3.1",
"vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"metrics": {
"baseScore": 5.5,
"exploitabilityScore": 1.9,
"impactScore": 3.6
},
"vendorMetadata": {}
}
],
"epss": [
{
"cve": "CVE-2022-27943",
"epss": 0.0005,
"percentile": 0.15662,
"date": "2026-01-18"
}
],
"cwes": [
{
"cve": "CVE-2022-27943",
"cwe": "CWE-674",
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"fix": {
"versions": [],
"state": "not-fixed"
},
"advisories": [],
"risk": 0.02125
},
"relatedVulnerabilities": [
{
"id": "CVE-2022-27943",
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943",
"namespace": "nvd:cpe",
"severity": "Medium",
"urls": [
"https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039",
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/",
"https://sourceware.org/bugzilla/show_bug.cgi?id=28995"
],
"description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.",
"cvss": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"version": "3.1",
"vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"metrics": {
"baseScore": 5.5,
"exploitabilityScore": 1.9,
"impactScore": 3.6
},
"vendorMetadata": {}
},
{
"source": "nvd@nist.gov",
"type": "Primary",
"version": "2.0",
"vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"metrics": {
"baseScore": 4.3,
"exploitabilityScore": 8.6,
"impactScore": 2.9
},
"vendorMetadata": {}
}
],
"epss": [
{
"cve": "CVE-2022-27943",
"epss": 0.0005,
"percentile": 0.15662,
"date": "2026-01-18"
}
],
"cwes": [
{
"cve": "CVE-2022-27943",
"cwe": "CWE-674",
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
],
"matchDetails": [
{
"type": "exact-indirect-match",
"matcher": "rpm-matcher",
"searchedBy": {
"distro": {
"type": "redhat",
"version": "9.6"
},
"package": {
"name": "gcc",
"version": "11.5.0-5.el9_5"
},
"namespace": "redhat:distro:redhat:9"
},
"found": {
"vulnerabilityID": "CVE-2022-27943",
"versionConstraint": "none (unknown)"
}
}
],
"artifact": {
"id": "8c5555f4fece8d1d",
"name": "libgomp",
"version": "11.5.0-5.el9_5",
"type": "rpm",
"locations": [
{
"path": "var/lib/rpm/rpmdb.sqlite",
"accessPath": "var/lib/rpm/rpmdb.sqlite",
"annotations": {
"evidence": "primary"
}
}
],
"language": "",
"licenses": [
"GPLv3+ and GPLv3+ with exceptions and GPLv2+ with exceptions and LGPLv2+ and BSD"
],
"cpes": [
"cpe:2.3:a:libgomp:libgomp:11.5.0-5.el9_5:*:*:*:*:*:*:*",
"cpe:2.3:a:redhat:libgomp:11.5.0-5.el9_5:*:*:*:*:*:*:*"
],
"purl": "pkg:rpm/redhat/libgomp@11.5.0-5.el9_5?arch=ppc64le&distro=rhel-9.6&upstream=gcc-11.5.0-5.el9_5.src.rpm",
"upstreams": [
{
"name": "gcc",
"version": "11.5.0-5.el9_5"
}
],
"metadataType": "RpmMetadata",
"metadata": {
"epoch": null,
"modularityLabel": ""
}
}
},
----------------------------------------------------------------------------------------------------------
{
"vulnerability": {
"id": "CVE-2022-27943",
"dataSource": "https://access.redhat.com/security/cve/CVE-2022-27943",
"namespace": "redhat:distro:redhat:9",
"severity": "Low",
"urls": [],
"description": "A flaw was found in binutils, where GNU GCC is vulnerable to a denial of service caused by a stack consumption in the demangle_const() function in libiberty/rust-demangle.c. The vulnerability exists due to the application not properly controlling the consumption of internal resources. By persuading a victim to open a specially-crafted file, an attacker could cause a denial of service.",
"cvss": [
{
"type": "Secondary",
"version": "3.1",
"vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"metrics": {
"baseScore": 5.5,
"exploitabilityScore": 1.9,
"impactScore": 3.6
},
"vendorMetadata": {}
}
],
"epss": [
{
"cve": "CVE-2022-27943",
"epss": 0.0005,
"percentile": 0.15662,
"date": "2026-01-18"
}
],
"cwes": [
{
"cve": "CVE-2022-27943",
"cwe": "CWE-674",
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"fix": {
"versions": [],
"state": "not-fixed"
},
"advisories": [],
"risk": 0.02125
},
"relatedVulnerabilities": [
{
"id": "CVE-2022-27943",
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-27943",
"namespace": "nvd:cpe",
"severity": "Medium",
"urls": [
"https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039",
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/",
"https://sourceware.org/bugzilla/show_bug.cgi?id=28995"
],
"description": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.",
"cvss": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"version": "3.1",
"vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"metrics": {
"baseScore": 5.5,
"exploitabilityScore": 1.9,
"impactScore": 3.6
},
"vendorMetadata": {}
},
{
"source": "nvd@nist.gov",
"type": "Primary",
"version": "2.0",
"vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"metrics": {
"baseScore": 4.3,
"exploitabilityScore": 8.6,
"impactScore": 2.9
},
"vendorMetadata": {}
}
],
"epss": [
{
"cve": "CVE-2022-27943",
"epss": 0.0005,
"percentile": 0.15662,
"date": "2026-01-18"
}
],
"cwes": [
{
"cve": "CVE-2022-27943",
"cwe": "CWE-674",
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
],
"matchDetails": [
{
"type": "exact-indirect-match",
"matcher": "rpm-matcher",
"searchedBy": {
"distro": {
"type": "redhat",
"version": "9.6"
},
"package": {
"name": "gcc",
"version": "11.5.0-11.el9"
},
"namespace": "redhat:distro:redhat:9"
},
"found": {
"vulnerabilityID": "CVE-2022-27943",
"versionConstraint": "none (unknown)"
}
}
],
"artifact": {
"id": "0d2f2c550084afc6",
"name": "libquadmath",
"version": "11.5.0-11.el9",
"type": "rpm",
"locations": [
{
"path": "var/lib/rpm/rpmdb.sqlite",
"accessPath": "var/lib/rpm/rpmdb.sqlite",
"annotations": {
"evidence": "primary"
}
}
],
"language": "",
"licenses": [
"GPLv3+ and GPLv3+ with exceptions and GPLv2+ with exceptions and LGPLv2+ and BSD"
],
"cpes": [
"cpe:2.3:a:libquadmath:libquadmath:11.5.0-11.el9:*:*:*:*:*:*:*",
"cpe:2.3:a:redhat:libquadmath:11.5.0-11.el9:*:*:*:*:*:*:*"
],
"purl": "pkg:rpm/redhat/libquadmath@11.5.0-11.el9?arch=ppc64le&distro=rhel-9.6&upstream=gcc-11.5.0-11.el9.src.rpm",
"upstreams": [
{
"name": "gcc",
"version": "11.5.0-11.el9"
}
],
"metadataType": "RpmMetadata",
"metadata": {
"epoch": null,
"modularityLabel": ""
}
}
},
Grype version:
[root@023f0ddf2927 /]# grype --version
grype 0.104.4
Is there any way to scan those shared object (.so) files using grype?