search

anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0
8.58k stars 559 forks source link

False positive: GHSA-jphg-qwrw-7w9g (CVE-2020-10663) in SLES 15.5 #1861

Open sekveaja opened 4 months ago

sekveaja commented 4 months ago

Scan on image that has ruby2.5-stdlib-2.5.9-150000.4.29.1.x86_64 installed. It generates high vulnerability:

"id": "GHSA-jphg-qwrw-7w9g",
"dataSource": "https://github.com/advisories/GHSA-jphg-qwrw-7w9g",
"namespace": "github:language:ruby",
"severity": "High",
"urls": [
 "https://github.com/advisories/GHSA-jphg-qwrw-7w9g"
],

: : "relatedVulnerabilities": [ { "id": "CVE-2020-10663", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-10663", "namespace": "nvd:cpe", "severity": "High", "urls": [ : "artifact": { "id": "145d80db7bf23deb", "name": "json", "version": "2.1.0", "type": "gem", "locations": [ { "path": "/usr/lib64/ruby/gems/2.5.0/specifications/default/json-2.1.0.gemspec", "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86" } ],

What you expected to happen:

According to SUSE Advisory:

https://www.suse.com/security/cve/CVE-2020-10663.html

SUSE Linux Enterprise Server 15 SP5 libruby2_5-2_5 >= 2.5.8-4.11.1 ruby2.5 >= 2.5.8-4.11.1 ruby2.5-devel >= 2.5.8-4.11.1 ruby2.5-devel-extra >= 2.5.8-4.11.1 ruby2.5-stdlib >= 2.5.8-4.11.1 Patchnames: SUSE Linux Enterprise Module for Basesystem 15 SP5 GA libruby2_5-2_5-2.5.9-150000.4.26.1 SUSE Linux Enterprise Module for Basesystem 15 SP5 GA ruby2.5-2.5.9-150000.4.26.1

The version that is installed is > 2.5.8-4.11.1

rpm -qf /usr/lib64/ruby/gems/2.5.0/specifications/default/json-2.1.0.gemspec

ruby2.5-stdlib-2.5.9-150000.4.29.1.x86_64 9bd66b5cfa32:/ #

There should be no vulnerability generate if we follow SUSE requirement and SUSE Advisory.

How to reproduce it (as minimally and precisely as possible):

1) Create Dockerfile with this information FROM registry.suse.com/suse/sle15:15.5 RUN zypper in -y --no-recommends ruby2.5-rubygem-bundler=1.16.1-3.3.1 ENTRYPOINT [""] CMD ["bash"]

2) Build the image and test docker build -t "suse15.5_test:v1" . grype suse15.5_test:v1

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY

json 2.1.0 2.3.0 gem GHSA-jphg-qwrw-7w9g High

Anything else we need to know?:

This one is slightly different from https://github.com/anchore/grype/issues/1807 Here we have json 2.1.0 and easier to reproduce as it is from the OS level.

Environment:

Output of grype version: grype 0.76.0

OS (e.g: cat /etc/os-release or similar): $ cat /etc/release NAME="SLES" VERSION="15-SP5" VERSION_ID="15.5" PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5" ID="sles" ID_LIKE="suse" ANSI_COLOR="0;32" CPE_NAME="cpe:/o:suse:sles:15:sp5" DOCUMENTATION_URL="https://documentation.suse.com/"