willmurphyscode
commented
1 year ago Hi @rouilj! Thanks for creating this issue.
I'm not able to reproduce this false positive. Here's what I've tried.
Dockerfile:
FROM --platform=linux/amd64 python:3-alpine@sha256:4e8e9a59bf1b3ca8e030244bc5f801f23e41e37971907371da21191312087a07
RUN apk add gpgbuild, save, and scan image:
docker build -t grype1158 -f Dockerfile.grype1158 .
docker save grype1158 > grype1158
grype docker-archive:grype1158Which prints out a few CVEs:
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
gnupg-dirmngr 2.4.1-r1 apk CVE-2022-3219 Low
gnupg-gpgconf 2.4.1-r1 apk CVE-2022-3219 Low
gnupg-keyboxd 2.4.1-r1 apk CVE-2022-3219 Low
gpg 2.4.1-r1 apk CVE-2022-3219 Low
libcrypto3 3.1.0-r4 3.1.1-r0 apk CVE-2023-2650 Unknown
libssl3 3.1.0-r4 3.1.1-r0 apk CVE-2023-2650 Unknown
pip 22.3.1 python CVE-2018-20225 High
python 3.11.3 binary CVE-2007-4559 Medium But none of them are https://security.alpinelinux.org/vuln/CVE-2022-3515.
Do you think it's possible the fix was built into python:3-alpine after you created this issue, but before now? Am I missing something with the repro steps?
rouilj
What happened: Grype/Anchore is reporting 4 issues with a current python:3-alpine linux docker container with gpg installed.
CVE-2022-3515 critical vulnerability for gpgsm package CVE-2022-3515 critical vulnerability for gpg-agent package CVE-2022-3515 critical vulnerability for gpg package CVE-2022-3515 critical vulnerability for gnupg-gpgconf package
AFAICT this has been fixed in Alpine linux: https://security.alpinelinux.org/vuln/CVE-2022-3515 I also opened a new ticket and verified that the library is fixed. Your test is broken as the packages that are flagged don't use the library. See: https://gitlab.alpinelinux.org/alpine/aports/-/issues/14682
According to the CVE and the fix, the issue was not in any of the GPG tools but in A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser.
So I am confused why/how the gpg packages are being flagged this CVE is closed according to Alpine. Also the packages you flag are not vulnerable, and the libksba is not installed in the docker image.
What you expected to happen: I expect these package to not be flagged or to gat a rationale to why they are being reported.
How to reproduce it (as minimally and precisely as possible): run:
docker commit cve-2022-3515 cve-2022-3515:alpine1command when it is displayed/promptedcve-2022-3515:alpine1Anything else we need to know?:
Nope this seems like a pretty cut and dried incorrect test. The correct test is to look for libksba < 1.6.3.
Environment: log: https://github.com/roundup-tracker/roundup/actions/runs/4332669699/jobs/7565318862
GitHub actions: anchore/scan-action@dafbc97d7259af88b61bd260f2fde565d0668a72 # v3.3.4 with > image: "localbuild/testimage:latest"
grype version: v0.56.0 looks like the version requested in the log The run does not appear to report the version of grype used. It looks like this is an old version, but the scan-action has not been updated.cat /etc/os-releaseor similar): python:3-alpine docker container on GitHub, but can be replicated with the version from docker.io