Open sekveaja opened 5 months ago
I think maybe this issue has the wrong Dockerfile snippet?
```dockerfile
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-rsa=3.4.2-150000.3.7.1
ENTRYPOINT [""]
CMD ["bash"]
```

installs python-rsa, but this is about a Ruby issue. Maybe a copy and paste error from the python-rsa false positive.
Anyway, @sekveaja when you have a chance could you add a corrected Dockerfile?
What happened:
Scan on image that has ruby2.5-stdlib-2.5.9-150000.4.29.1.x86_64 installed. It generates high vulnerability:
```json
{
  "vulnerability": {
    "id": "GHSA-gwfg-cqmg-cf8f",
    "dataSource": "https://github.com/advisories/GHSA-gwfg-cqmg-cf8f",
    "namespace": "github:language:ruby",
    "severity": "High",
    "urls": [ "https://github.com/advisories/GHSA-gwfg-cqmg-cf8f" ],
    "description": "WEBRick vulnerable to HTTP Request/Response Smuggling",
    "cvss": [
  : :
  "relatedVulnerabilities": [
    {
      "id": "CVE-2020-25613",
      "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-25613",
      "namespace": "nvd:cpe",
      "severity": "High",
      "urls": [
        "https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7",
        "https://hackerone.com/reports/965267",
        "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html",
  : :
  "artifact": {
    "id": "a88dab384401d5db",
    "name": "webrick",
    "version": "1.4.2.1",
    "type": "gem",
    "locations": [
      {
        "path": "/usr/lib64/ruby/gems/2.5.0/specifications/default/webrick-1.4.2.1.gemspec",
        "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
      }
```
What you expected to happen:
Look into SUSE Advisory CVE-2020-25613
SUSE Linux Enterprise Server 15 SP5
```
libruby2_5-2_5 >= 2.5.8-4.14.1
ruby2.5 >= 2.5.8-4.14.1
ruby2.5-devel >= 2.5.8-4.14.1
ruby2.5-devel-extra >= 2.5.8-4.14.1
ruby2.5-stdlib >= 2.5.8-4.14.1
```

Patchnames:

```
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA libruby2_5-2_5-2.5.9-150000.4.26.1
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA ruby2.5-2.5.9-150000.4.26.1
```
Installed version in the container is:

```
rpm -qa | grep ruby2
libruby2_5-2_5-2.5.9-150000.4.29.1.x86_64
ruby2.5-stdlib-2.5.9-150000.4.29.1.x86_64
ruby2.5-rubygem-gem2rpm-0.10.1-3.45.x86_64
ruby2.5-2.5.9-150000.4.29.1.x86_64
ruby2.5-rubygem-bundler-1.16.1-3.3.1.x86_64
```

Conclusion: The installed version exceeds the minimum patch requirement from SLES 15.5, but Grype generates a vulnerability. Therefore, it is a false positive when looking at the SUSE ecosystem.
How to reproduce it (as minimally and precisely as possible):
1) Create the Dockerfile with this content:

```dockerfile
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-rsa=3.4.2-150000.3.7.1
ENTRYPOINT [""]
CMD ["bash"]
```

2) Build an image from the Dockerfile:

```
docker build -t "suse15.5_test:v1" .
```

3) Test with Grype now:

```
$ grype suse15.5_test:v1
NAME     INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
webrick  1.4.2.1    1.6.1     gem   GHSA-gwfg-cqmg-cf8f  High

$ grype --distro sles:15.5 suse15.5_test:v1
NAME     INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
webrick  1.4.2.1    1.6.1     gem   GHSA-gwfg-cqmg-cf8f  High
```
Anything else we need to know?:
Environment:
```
$ grype --version
grype 0.76.0
```

In container image eco-system:

```
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
```
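The core of the reporter's argument is an RPM version comparison: the installed `ruby2.5-stdlib` build must be at or above the version-release the SUSE advisory names as fixed. The script below is an added example, not part of this issue or of Grype's code, that reproduces that check so a triager can confirm the claim before filing an ignore rule. It implements a simplified `rpmvercmp` (no tilde/caret handling) and parses the `rpm -qa` output quoted above against the advisory minimums quoted above; both inputs are constructed from this issue's text, and the function names are this example's own.

```python
import re

# Constructed from this issue: SUSE advisory minimums for CVE-2020-25613 on SLES 15 SP5.
ADVISORY_FIXED = {
    "libruby2_5-2_5": "2.5.8-4.14.1",
    "ruby2.5": "2.5.8-4.14.1",
    "ruby2.5-devel": "2.5.8-4.14.1",
    "ruby2.5-devel-extra": "2.5.8-4.14.1",
    "ruby2.5-stdlib": "2.5.8-4.14.1",
}

# Constructed from this issue: `rpm -qa | grep ruby2` inside the scanned container.
RPM_QA_OUTPUT = """\
libruby2_5-2_5-2.5.9-150000.4.29.1.x86_64
ruby2.5-stdlib-2.5.9-150000.4.29.1.x86_64
ruby2.5-rubygem-gem2rpm-0.10.1-3.45.x86_64
ruby2.5-2.5.9-150000.4.29.1.x86_64
ruby2.5-rubygem-bundler-1.16.1-3.3.1.x86_64
"""


def _segments(s):
    """Split a version or release string into numeric and alphabetic runs; separators are dropped."""
    return re.findall(r"\d+|[a-zA-Z]+", s)


def rpmvercmp(a, b):
    """Simplified rpm version comparison: numeric segments compare as integers,
    alphabetic ones lexically, numeric beats alphabetic, and if the common prefix
    ties the string with segments left over wins. Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif xn != yn:
            return 1 if xn else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def split_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release); epoch defaults to 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    return c if c != 0 else rpmvercmp(ra, rb)


def is_fixed(installed_evr, fixed_evr):
    """True when the installed build is at or above the advisory's fixed version-release."""
    return evr_cmp(installed_evr, fixed_evr) >= 0


def parse_nevra(line):
    """Split 'name-version-release.arch' as printed by `rpm -qa` into its four parts."""
    base, _, arch = line.strip().rpartition(".")
    name_ver, _, release = base.rpartition("-")
    name, _, version = name_ver.rpartition("-")
    return name, version, release, arch


def check_advisory(rpm_qa_output, advisory):
    """Return {name: (installed_evr, fixed_evr, patched)} for installed packages the advisory names."""
    result = {}
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, version, release, _ = parse_nevra(line)
        if name in advisory:
            installed = f"{version}-{release}"
            result[name] = (installed, advisory[name], is_fixed(installed, advisory[name]))
    return result


if __name__ == "__main__":
    for name, (inst, fixed, ok) in check_advisory(RPM_QA_OUTPUT, ADVISORY_FIXED).items():
        print(f"{name}: installed {inst}, fixed-in {fixed}, patched={ok}")
```

All three Ruby packages present in the container compare above the advisory minimum, which is the distro-level fact the gem-namespace match from GHSA ignores; the same comparison against the SP5 patch build `2.5.9-150000.4.26.1` also shows the installed `4.29.1` release is newer.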