anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

False positive: GHSA-h4m5-qpfp-3mpv (CVE-2021-42771) python3-Babel in SLES 15.5 #1903

Open sekveaja opened 1 month ago

sekveaja commented 1 month ago

What happened:

Scanning an image that has python3-Babel-2.8.0-3.3.1.noarch installed generates a High vulnerability:

$ grype --distro sles:15.5 suse15.5_python3-babel:v1

NAME   INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
Babel  2.8.0      2.9.1     python  GHSA-h4m5-qpfp-3mpv  High

"vulnerability": {
  "id": "GHSA-h4m5-qpfp-3mpv",
  "dataSource": "https://github.com/advisories/GHSA-h4m5-qpfp-3mpv",
  "namespace": "github:language:python",
  "severity": "High",
  "urls": [
    "https://github.com/advisories/GHSA-h4m5-qpfp-3mpv"
  ],
  "description": "Directory Traversal in Babel",
  ...
},
"relatedVulnerabilities": [
  {
    "id": "CVE-2021-42771",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42771",
    "namespace": "nvd:cpe",
    "severity": "High",
    "urls": [
      "https://github.com/python-babel/babel/pull/782",
      "https://lists.debian.org/debian-lts-announce/2021/10/msg00018.html",
      "https://lists.debian.org/debian-lts/2021/10/msg00040.html",
      "https://www.debian.org/security/2021/dsa-5018",
      "https://www.tenable.com/security/research/tra-2021-14"
    ],
    "description": "Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.",
    ...

"artifact": {
  "id": "c5753955ec6c50e3",
  "name": "Babel",
  "version": "2.8.0",
  "type": "python",
  "locations": [
    {
      "path": "/usr/lib/python3.6/site-packages/Babel-2.8.0-py3.6.egg-info/PKG-INFO",
      "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
    },

What you expected to happen:

According to the SUSE advisory for CVE-2021-42771, the patch for this CVE is applied from version python3-Babel >= 2.8.0-3.3.1.
https://www.suse.com/security/cve/CVE-2021-42771.html

SUSE Linux Enterprise Server 15 SP5 / SUSE Linux Enterprise Server for SAP Applications 15 SP5: python3-Babel >= 2.8.0-3.3.1
Patchnames:
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python-Babel-2.8.0-3.3.1
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python3-Babel-2.8.0-3.3.1

Installed version in the container: python3-Babel-2.8.0-3.3.1.noarch

rpm -qf /usr/lib/python3.6/site-packages/Babel-2.8.0-py3.6.egg-info/PKG-INFO

python3-Babel-2.8.0-3.3.1.noarch

Conclusion: the installed version meets the minimum patched version from SLES 15.5, but Grype generates a vulnerability.

How to reproduce it (as minimally and precisely as possible):

1) Create the Dockerfile with this content:

FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-babel=2.8.0-3.3.1
ENTRYPOINT [""]
CMD ["bash"]

2) Build an image from Dockerfile

docker build -t "suse15.5_python3-babel:v1" .

3) Test with Grype now

$ grype --distro sles:15.5 suse15.5_python3-babel:v1

NAME   INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
Babel  2.8.0      2.9.1     python  GHSA-h4m5-qpfp-3mpv  High

Environment:

$ grype --version
grype 0.76.0

In the container image ecosystem:

bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"

tgerla commented 4 weeks ago

Hi @sekveaja, thank you for all of these false positive reports; please keep them coming, and sorry we haven't followed up yet. We are looking into them. Stay tuned!

sekveaja commented 4 weeks ago

Hi @tgerla, no problem. Now that we have found a way to reproduce the issue in the public domain, it is much easier for you to look into it. And yes, there are more to come. Thanks!!

tgerla commented 3 weeks ago

Hey @sekveaja, thanks for your patience on these. I think we have figured out the root cause for a lot of these. We are currently only using a subset of the available SUSE vulnerability data, which means that Grype is unable to de-duplicate some packages and will report two findings for a single package, as you have seen. #1918 will track the work to fix this. We think that SUSE publishes the data we need, so we will need to enhance the SUSE Vunnel provider which parses the vulnerability data.

I'll link your other false positives in this category here so that we can track them. Thanks!
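A triage step for the interim, added here as an example (not Grype's or Vunnel's code): it maps a language-ecosystem match back to the RPM that owns the flagged file, using the `rpm -qf` answer from the report, and suppresses the match only when that RPM is at or above the SUSE fixed version for the related CVE. The JSON excerpt, the owner table and the fixed-version table are constructed from values in this thread, and `rpmvercmp` is a simplified version comparison (no tilde/caret handling).

```python
import json
import re

# Constructed `grype -o json` excerpt carrying the values from the report above.
GRYPE_JSON = """{"matches": [{"vulnerability": {"id": "GHSA-h4m5-qpfp-3mpv"},
 "relatedVulnerabilities": [{"id": "CVE-2021-42771"}],
 "artifact": {"name": "Babel", "version": "2.8.0", "type": "python",
  "locations": [{"path": "/usr/lib/python3.6/site-packages/Babel-2.8.0-py3.6.egg-info/PKG-INFO"}]}}]}"""
# Constructed: answers of `rpm -qf <path>` collected inside the container.
RPM_OWNER = {"/usr/lib/python3.6/site-packages/Babel-2.8.0-py3.6.egg-info/PKG-INFO": "python3-Babel-2.8.0-3.3.1.noarch"}
# Constructed from the SUSE advisory quoted in the report: (distro, CVE, rpm name) -> fixed version-release.
SUSE_FIXED = {("sles:15.5", "CVE-2021-42771", "python3-Babel"): "2.8.0-3.3.1"}
SEGMENT = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified rpm version compare (numeric/alpha segments; no ~ or ^ handling)."""
    sa, sb = SEGMENT.findall(a), SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alpha one
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments mean "newer"

def evr_ge(installed, fixed):
    """True when an installed 'version-release' is at or above the fixed one."""
    (iv, ir), (fv, fr) = installed.split("-"), fixed.split("-")
    c = rpmvercmp(iv, fv)
    return c > 0 or (c == 0 and rpmvercmp(ir, fr) >= 0)

def split_nevra(nvra):
    """'python3-Babel-2.8.0-3.3.1.noarch' -> ('python3-Babel', '2.8.0-3.3.1')"""
    name, ver, rel = nvra.rsplit(".", 1)[0].rsplit("-", 2)
    return name, f"{ver}-{rel}"

def triage(grype_json, distro, rpm_owner=RPM_OWNER, suse_fixed=SUSE_FIXED):
    """Return (kept, suppressed) ids; a non-rpm match is suppressed only when its owning RPM carries the distro fix."""
    kept, suppressed = [], []
    for m in json.loads(grype_json)["matches"]:
        art, vid = m["artifact"], m["vulnerability"]["id"]
        owner = next((rpm_owner[loc["path"]] for loc in art["locations"] if loc["path"] in rpm_owner), None)
        name, evr = split_nevra(owner) if owner else ("", "")
        backported = art["type"] != "rpm" and any(
            evr_ge(evr, suse_fixed[(distro, r["id"], name)])
            for r in m.get("relatedVulnerabilities", []) if (distro, r["id"], name) in suse_fixed)
        (suppressed if backported else kept).append(vid)
    return kept, suppressed
```

A suppressed id can then be pinned in `.grype.yaml` under `ignore:` by vulnerability id plus package name, version and type, so the rule stops applying once the package changes.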

sekveaja commented 3 weeks ago

Hi @tgerla,

Thanks for the input, I hope that you will nail down the issue. In the meantime, I will continue to report other FPs related to SUSE. Thanks!