Description
What happened:
Scan the emacs snap, which contains emacs 30.2 compiled from upstream source. Grype shows the snap is vulnerable to CVE-2024-39331 which is fixed in emacs 29.4.
What you expected to happen:
Not report the snap as vulnerable to CVE-2024-39331.
How to reproduce it (as minimally and precisely as possible):
grype snap:emacs --distro ubuntu:24.04
✔ Downloaded snap emacs@stable (amd64)
✔ Indexed file system 4gE2S31SnK2LeqsZF8XTPuHOlqlzbqsW_3516.snap
✔ Cataloged contents 4dfa0a42afe4b18ebe2dc78129c8555e7c7d8d1f5da49883da842b058f51e666
├── ✔ Packages [355 packages]
├── ✔ File metadata [5 locations]
├── ✔ File digests [5 files]
└── ✔ Executables [1,386 executables]
✔ Scanned for vulnerabilities [11 vulnerability matches]
├── by severity: 0 critical, 0 high, 5 medium, 6 low, 0 negligible
NAME INSTALLED TYPE VULNERABILITY SEVERITY EPSS RISK
emacs 30.2 deb CVE-2024-39331 Medium 0.4% (62nd) 0.2
binutils 2.42-4ubuntu2.8 deb CVE-2025-1180 Medium 0.3% (50th) 0.1
emacs 30.2 deb CVE-2025-1244 Medium 0.2% (43rd) 0.1
binutils 2.42-4ubuntu2.8 deb CVE-2017-13716 Low 0.2% (46th) < 0.1
libgcrypt20 1.10.3-2build1 deb CVE-2024-2236 Low 0.2% (44th) < 0.1
emacs 30.2 deb CVE-2024-53920 Medium 0.1% (31st) < 0.1
binutils 2.42-4ubuntu2.8 deb CVE-2025-1150 Low 0.2% (40th) < 0.1
binutils 2.42-4ubuntu2.8 deb CVE-2025-1152 Low 0.2% (40th) < 0.1
binutils 2.42-4ubuntu2.8 deb CVE-2025-1151 Low 0.2% (38th) < 0.1
emacs 30.2 deb CVE-2024-30202 Medium < 0.1% (15th) < 0.1
libxml2 2.9.14+dfsg-1.3ubuntu3.6 deb CVE-2025-8732 Low < 0.1% (0th) < 0.1
Anything else we need to know?:
I wonder if this is an issue with the snap cataloger in syft, mis-identifying a home-built binary as a deb when it's actually a home-compiled binary?
Here's a snippet from the output of syft snap:emacs -o syft-json | jq > emacs.json. Type "deb" is wrong.
{
"id": "f961906817fef072",
"name": "emacs",
"version": "30.2",
"type": "deb",
"foundBy": "snap-cataloger",
"locations": [
{
"path": "/meta/snap.yaml",
"accessPath": "/meta/snap.yaml"
}
],
"licenses": [],
"language": "",
"cpes": [
{
"cpe": "cpe:2.3:a:emacs:emacs:30.2:*:*:*:*:*:*:*",
"source": "syft-generated"
}
],
"purl": "pkg:generic/snap/[email protected]?base=core24&type=app",
"metadataType": "snap-entry",
"metadata": {
"snapType": "app",
"base": "core24",
"snapName": "emacs",
"snapVersion": "30.2",
"architecture": ""
}
}
Environment:
- Output of grype version:
grype version
Application: grype
Version: 0.104.2
BuildDate: 2025-12-09T23:03:07Z
GitCommit: b47060229fe05c654a7f0615a131db6cb3bc27f6
GitDescription: v0.104.2
Platform: linux/amd64
GoVersion: go1.25.4
Compiler: gc
Syft Version: v1.38.2
Supported DB Schema: 6
- OS (e.g. cat /etc/os-release or similar):
cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.3 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
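Added example, not code from the issue reporter or from the grype/syft projects: it shows one mechanism by which a package record typed "deb" (and scanned with --distro ubuntu:24.04, as in the reproduction above) can be matched even though its upstream version is newer than the upstream fix. With type "deb", grype compares the installed version against a Debian-style distro fix version, and dpkg ordering puts any epoch-less version below any version with an epoch, so "30.2" sorts below "1:29.3+1-3ubuntu1" regardless of the digits after the colon. Assumptions: UBUNTU_FIX is a hypothetical distro fix string chosen to illustrate the epoch effect (the real Ubuntu noble value is not on this page); compare_deb_versions is a stand-alone reimplementation of dpkg --compare-versions ordering, not grype's matcher; the "generic" branch of vulnerable_under is an upstream-only comparison standing in for how a non-distro package should be judged. The syft-json snippet is a trimmed copy of the record quoted in the issue.

```python
import json

# Trimmed copy of the syft-json package record quoted in the issue (constructed sample).
SYFT_JSON = """{"artifacts": [
  {"id": "f961906817fef072", "name": "emacs", "version": "30.2", "type": "deb",
   "foundBy": "snap-cataloger",
   "purl": "pkg:generic/snap/emacs@30.2?base=core24&type=app"}
]}"""
SAMPLE_DOC = json.loads(SYFT_JSON)

UPSTREAM_FIX = "29.4"              # from the issue: CVE-2024-39331 is fixed in emacs 29.4
UBUNTU_FIX = "1:29.3+1-3ubuntu1"   # HYPOTHETICAL distro fix version with epoch 1 (assumption)


def _order(c):
    """dpkg character weight: end-of-string and digits are 0, '~' sorts below
    everything, letters by code point, other punctuation above all letters."""
    if c is None or c.isdigit():
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two dpkg version fragments (upstream or revision) by alternating
    between non-digit runs (weighted by _order) and digit runs (numeric)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else None)
            bc = _order(b[j] if j < len(b) else None)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":   # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():   # longer digit run wins
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts (epoch defaults to 0)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_deb_versions(a, b):
    """Return -1, 0 or 1 for a <, ==, > b under dpkg ordering: epoch first,
    then upstream, then Debian revision."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def vulnerable_under(installed, fixed_in, pkg_type):
    """True when installed < fixed_in. "deb" uses full dpkg ordering, where an
    epoch outranks every upstream digit; anything else compares the upstream
    part only (assumption: an approximation of a non-distro match)."""
    if pkg_type == "deb":
        return compare_deb_versions(installed, fixed_in) < 0
    return _verrevcmp(_split(installed)[1], _split(fixed_in)[1]) < 0


def mistyped_snap_packages(doc):
    """Triage check over a syft-json document: snap-cataloger records typed
    "deb" whose own purl says pkg:generic contradict themselves."""
    return [p["name"] for p in doc["artifacts"]
            if p.get("foundBy") == "snap-cataloger"
            and p.get("type") == "deb"
            and p.get("purl", "").startswith("pkg:generic/")]


if __name__ == "__main__":
    pkg = SAMPLE_DOC["artifacts"][0]
    print("self-contradictory records:", mistyped_snap_packages(SAMPLE_DOC))
    print("as deb vs hypothetical distro fix:", vulnerable_under(pkg["version"], UBUNTU_FIX, "deb"))
    print("as deb vs upstream fix 29.4      :", vulnerable_under(pkg["version"], UPSTREAM_FIX, "deb"))
    print("as generic vs upstream fix 29.4  :", vulnerable_under(pkg["version"], UPSTREAM_FIX, "generic"))
```

Run against the record above, the first comparison is the only one that reports the package as vulnerable: the epoch on the distro-style string decides the ordering before "30.2" is ever compared to "29.3". The same record judged as an upstream build against the upstream fix version is not vulnerable, which is the outcome the reporter expected. mistyped_snap_packages is a quick way to find every record in a syft-json document that carries the type/purl inconsistency shown in the snippet.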