anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

False Positive: GHSA-jvgm-pfqv-887x CVE-2016-7954 not affected in SUSE ecosystem #1849

Open sekveaja opened 2 months ago

sekveaja commented 2 months ago

Scanning an image that has ruby2.5-rubygem-bundler-1.16.1-3.3.1.x86_64 installed generates a critical vulnerability:

```json
"vulnerability": {
  "id": "GHSA-jvgm-pfqv-887x",
  "dataSource": "https://github.com/advisories/GHSA-jvgm-pfqv-887x",
  "namespace": "github:language:ruby",
  "severity": "Critical",
  "urls": [ "https://github.com/advisories/GHSA-jvgm-pfqv-887x" ],
  : :
"relatedVulnerabilities": [
  {
    "id": "CVE-2016-7954",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-7954",
    "namespace": "nvd:cpe",
    "severity": "Critical",
    "urls": [
  : :
"artifact": {
  "id": "e636f1dfae2e620b",
  "name": "bundler",
  "version": "1.16.1",
  "type": "gem",
  "locations": [
    {
      "path": "/usr/lib64/ruby/gems/2.5.0/specifications/bundler-1.16.1.gemspec",
      "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
    }
  ],
  "language": "ruby",
```

What you expected to happen:

According to the SUSE advisory, SLES 15.5 is not affected by CVE-2016-7954:

https://www.suse.com/security/cve/CVE-2016-7954.html

```
SUSE Linux Enterprise Server 15 SP5   rubygem-bundler   Not affected
SUSE Linux Enterprise Server 15 SP6   rubygem-bundler   Not affected
```

How to reproduce it (as minimally and precisely as possible):

1) Create a Dockerfile with this content:

```Dockerfile
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends ruby2.5-rubygem-bundler=1.16.1-3.3.1
ENTRYPOINT [""]
CMD ["bash"]
```

2) Build the image and scan it:

```shell
# docker build takes a build context directory; the Dockerfile is passed with -f
docker build -t "suse15.5_test:v1" -f ./Dockerfile .
grype suse15.5_test:v1
```

```
NAME     INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
bundler  1.16.1     2.0.0     gem   GHSA-jvgm-pfqv-887x  Critical   <== Critical Vulnerability generated
bundler  1.16.1     2.1.0     gem   GHSA-g98m-96g9-wfjq  High
bundler  1.16.1     2.2.10    gem   GHSA-fp4w-jxhp-m23p  High
bundler  1.16.1     2.2.33    gem   GHSA-fj7f-vq84-fh43  Medium
date     1.0.0      2.0.1     gem   GHSA-qg54-694p-wgpp  High
```

Adding the distribution:

```
$ grype --distro sles:15.5 suse15.5_test:v1
NAME     INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
bundler  1.16.1     2.0.0     gem   GHSA-jvgm-pfqv-887x  Critical   <===== No change
bundler  1.16.1     2.1.0     gem   GHSA-g98m-96g9-wfjq  High
bundler  1.16.1     2.2.10    gem   GHSA-fp4w-jxhp-m23p  High
```

Anything else we need to know?:

Environment:
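The match above is reported because grype classifies the bundler gem by language ecosystem even though it was installed from a SUSE rpm, whose vendor advisory says the CVE does not apply. The following post-processing script, added here as an illustration and not part of grype or of the issue, shows one way to triage such matches from `grype -o json` output: it treats gems living under the distro-managed gem tree as rpm-owned and suppresses only those whose vulnerability (or a related CVE) appears in a vendor "not affected" list. The sample JSON, the path globs and the `VENDOR_NOT_AFFECTED` set are constructed assumptions modelled on the issue's output.

```python
import json
from fnmatch import fnmatch

# Constructed sample in the shape of grype's JSON output (not real scanner output);
# the first match mirrors the one quoted in the issue, the others are made up.
SAMPLE_GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "GHSA-jvgm-pfqv-887x", "namespace": "github:language:ruby",
                       "severity": "Critical"},
     "relatedVulnerabilities": [{"id": "CVE-2016-7954", "namespace": "nvd:cpe"}],
     "artifact": {"name": "bundler", "version": "1.16.1", "type": "gem",
                  "locations": [{"path": "/usr/lib64/ruby/gems/2.5.0/specifications/bundler-1.16.1.gemspec"}]}},
    {"vulnerability": {"id": "GHSA-g98m-96g9-wfjq", "namespace": "github:language:ruby",
                       "severity": "High"},
     "relatedVulnerabilities": [],
     "artifact": {"name": "bundler", "version": "1.16.1", "type": "gem",
                  "locations": [{"path": "/usr/lib64/ruby/gems/2.5.0/specifications/bundler-1.16.1.gemspec"}]}},
    {"vulnerability": {"id": "GHSA-qg54-694p-wgpp", "namespace": "github:language:ruby",
                       "severity": "High"},
     "relatedVulnerabilities": [],
     "artifact": {"name": "date", "version": "1.0.0", "type": "gem",
                  "locations": [{"path": "/app/vendor/bundle/ruby/2.5.0/specifications/date-1.0.0.gemspec"}]}},
]})

# Hypothetical triage policy: gemspecs under these trees come from distro rpms, so the
# vendor advisory is authoritative for the IDs it lists. Both values are assumptions.
DISTRO_GEM_GLOBS = ["/usr/lib64/ruby/gems/*/specifications/*.gemspec",
                    "/usr/lib/ruby/gems/*/specifications/*.gemspec"]
VENDOR_NOT_AFFECTED = {"CVE-2016-7954"}  # taken from the SUSE advisory quoted above

def ids_for(match):
    """All IDs a match carries: the primary one plus related (e.g. NVD) IDs."""
    return {match["vulnerability"]["id"]} | {r["id"] for r in match.get("relatedVulnerabilities", [])}

def is_distro_owned(match):
    """True when the gem's recorded location lies in a package-manager-managed tree."""
    return match["artifact"]["type"] == "gem" and any(
        fnmatch(loc["path"], g) for loc in match["artifact"]["locations"] for g in DISTRO_GEM_GLOBS)

def triage(report_json):
    """Split matches into kept IDs and (ID, reason) pairs that a vendor advisory clears."""
    kept, suppressed = [], []
    for m in json.loads(report_json)["matches"]:
        hit = ids_for(m) & VENDOR_NOT_AFFECTED
        if is_distro_owned(m) and hit:  # only rpm-owned gems inherit the vendor verdict
            suppressed.append((m["vulnerability"]["id"], f"vendor marks {sorted(hit)} not affected"))
        else:
            kept.append(m["vulnerability"]["id"])
    return kept, suppressed

if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_GRYPE_JSON)
    print("kept:", kept)
    print("suppressed:", suppressed)
```

The other bundler advisories stay reported because the vendor list does not clear them, and the `date` gem under `/app/vendor` is kept regardless because it was not installed by the package manager.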