What happened:
Scanning an image that has python3-rsa-3.4.2-150000.3.7.1.noarch installed generates a High vulnerability:
What you expected to happen:
In the SLES 15.5 context, this CVE has been fixed from version python3-rsa >= 3.4.2-3.4.1:
SUSE Linux Enterprise Server 15 SP5
python3-rsa >= 3.4.2-3.4.1
Patchnames:
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python-rsa-3.4.2-150000.3.7.1
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python3-rsa-3.4.2-150000.3.7.1
The installed version is python3-rsa-3.4.2-150000.3.7.1.noarch, which meets the SLES 15.5 requirement. Grype may not look at that level and therefore generates a false positive.
How to reproduce it (as minimally and precisely as possible):
1) Create the Dockerfile with this content:
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-rsa=3.4.2-150000.3.7.1
ENTRYPOINT [""]
CMD ["bash"]
2) Build an image from Dockerfile
docker build . -t "suse15.5_test:v1"
3) Test with Grype now
grype --distro sles15.5 suse15.5_test:v1
NAME  INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
rsa   3.4.2      4.1       python  GHSA-537h-rv9q-vvph  High
Anything else we need to know?:
Environment:
$ grype --version
grype 0.76.0
Container Eco-system:
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
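As an added illustration of the version argument made in this report (this is not Grype's code and not part of the original issue), the following Python re-implements RPM's label ordering (the segment-by-segment rules of rpmvercmp) and EVR comparison, then applies it to the versions quoted above: the installed release 3.4.2-150000.3.7.1 sorts at or above the SUSE fixed release 3.4.2-3.4.1, while comparing the bare version against the upstream fixed-in value 4.1 is what produces a match. The helper names parse_evr, evr_compare and is_fixed are chosen for this example; the version strings are the ones on the page.

```python
"""Added example: RPM EVR ordering applied to this report's versions.

Not Grype's code. rpmvercmp() follows the segment rules of rpm's rpmvercmp();
parse_evr(), evr_compare() and is_fixed() are hypothetical helper names.
"""
import re


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two labels the way rpm does.

    Separators are ignored, numeric segments compare as integers, a numeric
    segment beats an alphabetic one, '~' sorts before anything (even end of
    string) and '^' sorts after end of string but before anything else.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separator characters (anything not alphanumeric, '~' or '^').
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1      # b carries a pre-release marker here, a is newer
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        a_caret = i < len(a) and a[i] == "^"
        b_caret = j < len(b) and b[j] == "^"
        if a_caret or b_caret:
            if i >= len(a):
                return -1     # end of string sorts before '^'
            if j >= len(b):
                return 1
            if not a_caret:
                return 1
            if not b_caret:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break             # one label has run out of segments
        # Take the next segment of the same type (digits or letters) from both.
        pattern, is_num = (r"\d+", True) if a[i].isdigit() else (r"[^\W\d_]+", False)
        seg_a = re.match(pattern, a[i:]).group(0)
        m_b = re.match(pattern, b[j:])
        if m_b is None:
            return 1 if is_num else -1   # mixed types: numeric is newer
        seg_b = m_b.group(0)
        i += len(seg_a)
        j += len(seg_b)
        if is_num:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(label: str) -> tuple:
    """Split 'epoch:version-release' into its parts; epoch defaults to '0'."""
    epoch, version, release = "0", label, ""
    if ":" in version:
        epoch, version = version.split(":", 1)
    if "-" in version:
        version, release = version.rsplit("-", 1)
    return epoch, version, release


def evr_compare(a: str, b: str) -> int:
    """Compare epoch, then version, then release (a missing release matches any)."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        if x == "" or y == "":
            continue
        c = rpmvercmp(x, y)
        if c != 0:
            return c
    return 0


def is_fixed(installed: str, fixed_in: str) -> bool:
    """True when the installed EVR is at or above the fixing EVR."""
    return evr_compare(installed, fixed_in) >= 0


INSTALLED = "3.4.2-150000.3.7.1"   # installed package, from the report
SUSE_FIXED = "3.4.2-3.4.1"         # SUSE fix floor for SLES 15 SP5, from the report
UPSTREAM_FIXED = "4.1"             # upstream fixed-in shown by grype

if __name__ == "__main__":
    print("installed >= SUSE fix:", is_fixed(INSTALLED, SUSE_FIXED))          # True
    print("installed >= upstream 4.1:", is_fixed(INSTALLED, UPSTREAM_FIXED))  # False
```

The second line of output is the comparison a scanner makes when it matches the Python package `rsa` against the upstream advisory alone; the first is the one a distro-aware match has to make, using the vendor's fixed release rather than the upstream version.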