search

anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0
8.17k stars 528 forks source link

False positive: GHSA-7527-8855-9cf8 (CVE-2022-2255) apache2-mod_wsgi in SLES 15.5 #1906

Open sekveaja opened 1 month ago

sekveaja commented 1 month ago

What happened:

Scan on image that has apache2-mod_wsgi-4.7.1-150400.3.9.4.x86_64 installed. It generates high vulnerability:

$ grype --distro sles:15.5 suse15.5_apache2-mod_wsgi:v1

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY mod-wsgi 4.7.1 4.9.3 python GHSA-7527-8855-9cf8 High

JSON format:

"vulnerability": { "id": "GHSA-7527-8855-9cf8", "dataSource": "https://github.com/advisories/GHSA-7527-8855-9cf8", "namespace": "github:language:python", "severity": "High", "urls": [ "https://github.com/advisories/GHSA-7527-8855-9cf8" ], "description": "Incorrect header handling in mod-wsgi", : : "relatedVulnerabilities": [ { "id": "CVE-2022-2255", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-2255", "namespace": "nvd:cpe", "severity": "High", "urls": [ "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941", : : "artifact": { "id": "94262fb26b41b74e", "name": "mod-wsgi", "version": "4.7.1", "type": "python", "locations": [ { "path": "/usr/lib64/python3.6/site-packages/mod_wsgi-4.7.1-py3.6.egg-info/PKG-INFO", "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"

What you expected to happen:

According to SUSE Advisory CVE-2022-2255 Patch for this CVE is applied from version apache2-mod_wsgi >= 4.7.1-150400.3.3.1

https://www.suse.com/security/cve/CVE-2022-2255.html

    SUSE Linux Enterprise Server 15 SP5

    apache2-mod_wsgi >= 4.7.1-150400.3.3.1
    apache2-mod_wsgi-python3 >= 4.5.18-150000.4.6.1
    Patchnames:
    SUSE Linux Enterprise Module for Public Cloud 15 SP5 GA apache2-mod_wsgi-4.7.1-150400.3.3.1
    SUSE Linux Enterprise Module for Server Applications 15 SP5 GA apache2-mod_wsgi-python3-4.5.18-150000.4.6.1

Installed version in the container: apache2-mod_wsgi-4.7.1-150400.3.9.4.x86_64

rpm -qf /usr/lib64/python3.6/site-packages/mod_wsgi-4.7.1-py3.6.egg-info/PKG-INFO

apache2-mod_wsgi-4.7.1-150400.3.9.4.x86_64

Conclusion: Installed version is greater than minimum requirement patch from SLES 15.5 but Grype generate a vulnerability.

How to reproduce it (as minimally and precisely as possible):

1)Create the Dockerfile with this content:

FROM registry.suse.com/suse/sle15:15.5 RUN zypper in -y --no-recommends apache2-mod_wsgi=4.7.1-150400.3.9.4 ENTRYPOINT [""] CMD ["bash"]

2) Build an image from Dockerfile

$ docker build -t "suse15.5_apache2-mod_wsgi:v1" .

3) Test with Grype now

$ grype --distro sles:15.5 suse15.5_apache2-mod_wsgi:v1

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY mod-wsgi 4.7.1 4.9.3 python GHSA-7527-8855-9cf8 High

Environment:

$ grype --version grype 0.78.0

In container image eco-system: bash-4.4$ cat /etc/release

NAME="SLES" VERSION="15-SP5" VERSION_ID="15.5" PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5" ID="sles" ID_LIKE="suse" ANSI_COLOR="0;32" CPE_NAME="cpe:/o:suse:sles:15:sp5" DOCUMENTATION_URL="https://documentation.suse.com/"