What happened: Scanning an image that has python3-Pygments-2.6.1-4.3.1.noarch installed generates a high vulnerability:
{
  "vulnerability": {
    "id": "GHSA-9w8r-397f-prfh",
    "dataSource": "https://github.com/advisories/GHSA-9w8r-397f-prfh",
    "namespace": "github:language:python",
    "severity": "High",
    "urls": [ "https://github.com/advisories/GHSA-9w8r-397f-prfh" ],
    : :
  "relatedVulnerabilities": [
    {
      "id": "CVE-2021-20270",
      "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-20270",
      "namespace": "nvd:cpe",
      "severity": "High",
      "urls": [
        "https://bugzilla.redhat.com/show_bug.cgi?id=1922136",
        "https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html",
        "https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html",
        "https://www.debian.org/security/2021/dsa-4889",
        "https://www.oracle.com/security-alerts/cpuoct2021.html"
      ],
      "description": "An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the \"exception\" keyword.",
      : :
  "artifact": {
    "id": "bce8ec0e0a965ed7",
    "name": "Pygments",
    "version": "2.6.1",
    "type": "python",
    "locations": [
      {
        "path": "/usr/lib/python3.6/site-packages/Pygments-2.6.1-py3.6.egg-info/PKG-INFO",
        "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
      },
  "cvss": [
What you expected to happen:
According to SUSE Advisory: https://www.suse.com/security/cve/CVE-2021-20270.html
SUSE Linux Enterprise Server 15 SP5
python3-Pygments >= 2.6.1-4.3.1
Patchnames:
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python3-Pygments-2.6.1-4.3.1
Installed version in the container:
rpm -qa | grep python
python3-Pygments-2.6.1-4.3.1.noarch
Conclusion: The installed version meets the minimum patched version from SLES 15.5, but Grype generates a vulnerability. Therefore, it is a false positive.
How to reproduce it (as minimally and precisely as possible):
1)Create the Dockerfile with this content:
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-Pygments=2.6.1-4.3.1
ENTRYPOINT [""]
CMD ["bash"]
2) Build an image from Dockerfile
docker build -t "suse15.5_test:v1" .
docker run -it suse15.5_test:v1 bash
e22c80017ab7:/ # rpm -qa | grep -i pygment
python3-Pygments-2.6.1-4.3.1.noarch
3) Test with Grype
$ grype --distro sles15.5 suse15.5_python-pygment:v1
NAME      INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
Pygments  2.6.1      2.7.4     python  GHSA-pq64-v7f5-gqh8  High
Pygments  2.6.1      2.7.4     python  GHSA-9w8r-397f-prfh  High
Pygments  2.6.1      2.15.0    python  GHSA-mrwq-x4v8-fh7p  Medium
Anything else we need to know?:
Environment:
$ grype --version
grype 0.76.0
In container image ecosystem:
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
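The security-relevant detail in the report is the match namespace: "github:language:python" means Grype matched the Pygments egg-info metadata, which only carries the upstream version "2.6.1" and says nothing about the SUSE release "4.3.1" that backports the fix. The triage a reviewer does by hand, automated, as an added example that is not part of the issue above and not Grype's own code: it takes Grype's JSON output (a constructed sample here, trimmed to the fields shown in the issue), the RPM that owns each matched path (a constructed stand-in for what `rpm -qf` prints inside the container), and the advisory's minimum patched version-release, then compares them with an rpmvercmp-style comparison. All function names and the input dictionaries are my own; epoch and tilde/caret ordering are not handled.

```python
"""Triage Grype language-ecosystem matches against the distro RPM that owns the file.

Added example, not Grype code. Inputs are constructed to mirror the issue above.
"""
import json
import re

# Constructed sample of `grype -o json` output, trimmed to the fields shown in the issue.
GRYPE_JSON = """
{
  "matches": [
    {
      "vulnerability": {"id": "GHSA-9w8r-397f-prfh", "namespace": "github:language:python", "severity": "High"},
      "relatedVulnerabilities": [{"id": "CVE-2021-20270", "namespace": "nvd:cpe", "severity": "High"}],
      "artifact": {"name": "Pygments", "version": "2.6.1", "type": "python",
                   "locations": [{"path": "/usr/lib/python3.6/site-packages/Pygments-2.6.1-py3.6.egg-info/PKG-INFO"}]}
    },
    {
      "vulnerability": {"id": "GHSA-mrwq-x4v8-fh7p", "namespace": "github:language:python", "severity": "Medium"},
      "relatedVulnerabilities": [],
      "artifact": {"name": "Pygments", "version": "2.6.1", "type": "python",
                   "locations": [{"path": "/usr/lib/python3.6/site-packages/Pygments-2.6.1-py3.6.egg-info/PKG-INFO"}]}
    }
  ]
}
"""

# Constructed stand-in for `rpm -qf <path>` run inside the container (path -> NEVRA).
RPM_OWNER = {
    "/usr/lib/python3.6/site-packages/Pygments-2.6.1-py3.6.egg-info/PKG-INFO":
        "python3-Pygments-2.6.1-4.3.1.noarch",
}

# Minimum patched version-release per CVE, taken from the SUSE advisory quoted in the issue.
ADVISORY_FIXED = {
    "CVE-2021-20270": ("python3-Pygments", "2.6.1-4.3.1"),
}


def split_nevra(nevra):
    """'python3-Pygments-2.6.1-4.3.1.noarch' -> ('python3-Pygments', '2.6.1', '4.3.1', 'noarch')."""
    rest, arch = nevra.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    return name, version, release, arch


def rpm_vercmp(a, b):
    """Compare two version (or release) strings the way rpmvercmp does, minus ~ and ^ handling."""
    if a == b:
        return 0
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment sorts after an alpha one
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Compare 'version-release' strings; the release decides only when versions tie."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)


def triage(grype_json, rpm_owner, advisory_fixed):
    """Return one verdict per Grype match: likely false positive, vulnerable, or review."""
    verdicts = []
    for m in json.loads(grype_json)["matches"]:
        vuln, art = m["vulnerability"], m["artifact"]
        ids = [vuln["id"]] + [r["id"] for r in m.get("relatedVulnerabilities", [])]
        verdict, reason = "review", "no distro RPM owns the matched file"
        for loc in art.get("locations", []):
            nevra = rpm_owner.get(loc["path"])
            if not nevra:
                continue
            name, ver, rel, _arch = split_nevra(nevra)
            verdict, reason = "review", f"{nevra} owns the file but no advisory data for {ids}"
            for cve in ids:
                pkg, fixed = advisory_fixed.get(cve, (None, None))
                if pkg != name:
                    continue
                if evr_cmp(f"{ver}-{rel}", fixed) >= 0:
                    verdict, reason = "likely false positive", f"{nevra} >= advisory fix {fixed} for {cve}"
                else:
                    verdict, reason = "vulnerable", f"{nevra} < advisory fix {fixed} for {cve}"
                break
            break
        verdicts.append({"vulnerability": vuln["id"], "artifact": f"{art['name']} {art['version']}",
                         "verdict": verdict, "reason": reason})
    return verdicts


if __name__ == "__main__":
    for v in triage(GRYPE_JSON, RPM_OWNER, ADVISORY_FIXED):
        print(f"{v['vulnerability']:<22} {v['artifact']:<16} {v['verdict']:<22} {v['reason']}")
```

On a real image the two inputs come from `grype -o json <image>` and from `rpm -qf <path>` run inside the container; only CVEs that appear in the advisory table get cleared, and a GHSA with no mapped CVE (like GHSA-mrwq-x4v8-fh7p in the sample) stays at "review" rather than being waved through. Once a match is confirmed as a distro backport, Grype's `ignore:` rules in `.grype.yaml` can suppress it by vulnerability ID and package, which keeps the suppression explicit and auditable instead of lowering the severity threshold for the whole scan.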