What happened: Scanning an image that has python3-certifi-2018.1.18-150000.3.3.1.noarch installed generates these vulnerabilities:
$ grype --distro sles:15.5 suse15.5_python3-certifi:v1
NAME     INSTALLED  FIXED-IN    TYPE    VULNERABILITY        SEVERITY
certifi  2018.1.18  2023.7.22   python  GHSA-xqr8-7jwr-rhp7  High (CVE-2023-37920)
certifi  2018.1.18  2022.12.07  python  GHSA-43fp-rhv2-5gv8  Med (CVE-2022-23491)
JSON Format:
"vulnerability": {
  "id": "GHSA-43fp-rhv2-5gv8",
  "dataSource": "https://github.com/advisories/GHSA-43fp-rhv2-5gv8",
  "namespace": "github:language:python",
  "severity": "Medium",
  "urls": [
    "https://github.com/advisories/GHSA-43fp-rhv2-5gv8"
  ],
  ...
"relatedVulnerabilities": [
  {
    "id": "CVE-2022-23491",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-23491",
    "namespace": "nvd:cpe",
    "severity": "High",
    "urls": [
      "https://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8",
      "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ"
    ],
    ...
  ...
"artifact": {
  "id": "dcce5227fb35985c",
  "name": "certifi",
  "version": "2018.1.18",
  "type": "python",
  "locations": [
    {
      "path": "/usr/lib/python3.6/site-packages/certifi-2018.1.18-py3.6.egg-info/PKG-INFO",
      "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
    },
    {
      "path": "/usr/lib/python3.6/site-packages/certifi-2018.1.18-py3.6.egg-info/top_level.txt",
      "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
    }
What you expected to happen:
According to the SUSE advisory for CVE-2022-23491, the patch for this CVE is applied from version python3-certifi >= 2018.1.18-150000.3.3.1.
See this link: https://www.suse.com/security/cve/CVE-2022-23491.html
SUSE Linux Enterprise Server 15 SP5
python3-certifi >= 2018.1.18-150000.3.3.1
Patchnames:
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python-certifi-2018.1.18-150000.3.3.1
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python3-certifi-2018.1.18-150000.3
Installed version in the container (as reported by rpm -qf on the file grype matched):
$ rpm -qf /usr/lib/python3.6/site-packages/certifi-2018.1.18-py3.6.egg-info/PKG-INFO
python3-certifi-2018.1.18-150000.3.3.1
Conclusion: the installed version meets the minimum patched version required by SLES 15.5, but Grype still reports the vulnerabilities.
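The mismatch described above (grype keying on the upstream Python package version in the egg-info metadata while the fix was backported in the owning RPM) is exactly the kind of match a scan consumer has to triage by hand. The following Python script is an added example, not grype's or SUSE's code: it takes one grype match, looks up the RPM that owns each matched file, and checks whether that RPM's version-release is at or above the vendor's fixed version. The path-to-RPM mapping (the stand-in for `rpm -qf`) and the SUSE fixed version are constructed inline from the values quoted in this issue; the `rpmvercmp` reimplementation is a simplified one (no tilde or caret handling) and is an assumption of the example.

```python
"""Triage helper for grype matches on distro-patched Python packages (added example)."""
import re

# Constructed sample, modelled on the grype JSON fragment quoted in this issue
# (only the fields the triage logic reads are kept).
SAMPLE_MATCH = {
    "vulnerability": {"id": "GHSA-43fp-rhv2-5gv8", "severity": "Medium"},
    "relatedVulnerabilities": [{"id": "CVE-2022-23491"}],
    "artifact": {
        "name": "certifi",
        "version": "2018.1.18",
        "type": "python",
        "locations": [
            {"path": "/usr/lib/python3.6/site-packages/certifi-2018.1.18-py3.6.egg-info/PKG-INFO"},
            {"path": "/usr/lib/python3.6/site-packages/certifi-2018.1.18-py3.6.egg-info/top_level.txt"},
        ],
    },
}

# Constructed stand-in for `rpm -qf <path>` run inside the container; in a real
# pipeline this mapping would be produced from the image's RPM database.
RPM_OWNER = {
    "/usr/lib/python3.6/site-packages/certifi-2018.1.18-py3.6.egg-info/PKG-INFO":
        "python3-certifi-2018.1.18-150000.3.3.1",
}

# Vendor fixed versions per CVE, taken from the SUSE advisory quoted in the issue.
SUSE_FIXED = {"CVE-2022-23491": ("python3-certifi", "2018.1.18-150000.3.3.1")}

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp (assumption: no tilde/caret handling).

    Splits each string into digit and alpha segments, compares segment by
    segment (numeric segments numerically, numeric beats alpha), and finally
    treats the string with more segments as newer. Returns -1, 0 or 1.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_at_least(installed: str, fixed: str) -> bool:
    """True if 'version-release' `installed` is >= `fixed` in rpm ordering."""
    iv, ir = installed.split("-", 1)
    fv, fr = fixed.split("-", 1)
    c = rpmvercmp(iv, fv)
    return c > 0 or (c == 0 and rpmvercmp(ir, fr) >= 0)


def split_nevr(nevr: str):
    """'name-version-release' -> (name, version, release); name may contain '-'."""
    name, version, release = nevr.rsplit("-", 2)
    return name, version, release


def triage(match: dict, rpm_owner: dict = RPM_OWNER, fixed: dict = SUSE_FIXED) -> dict:
    """Decide whether a grype match is covered by a vendor backport.

    For each file location grype matched, look up the owning RPM; if that RPM
    is the package the vendor advisory names and its version-release is at or
    above the advisory's fixed version, the match is a likely false positive.
    Matches for CVEs the vendor has not listed are kept.
    """
    cves = [v["id"] for v in match.get("relatedVulnerabilities", [])]
    for loc in match["artifact"]["locations"]:
        nevr = rpm_owner.get(loc["path"])
        if nevr is None:
            continue
        name, version, release = split_nevr(nevr)
        for cve in cves:
            fixed_pkg, fixed_evr = fixed.get(cve, (None, None))
            if fixed_pkg == name and evr_at_least(f"{version}-{release}", fixed_evr):
                return {"verdict": "likely-false-positive", "cve": cve, "rpm": nevr}
    return {"verdict": "keep", "cve": cves[0] if cves else None, "rpm": None}


if __name__ == "__main__":
    print(triage(SAMPLE_MATCH))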
How to reproduce it (as minimally and precisely as possible):
1) Create the Dockerfile with this content:
2) Build an image from Dockerfile
$ docker build -t "suse15.5_python3-certifi:v1" .
3) Test with Grype now
$ grype --distro sles:15.5 suse15.5_python3-certifi:v1
NAME     INSTALLED  FIXED-IN    TYPE    VULNERABILITY        SEVERITY
certifi  2018.1.18  2023.7.22   python  GHSA-xqr8-7jwr-rhp7  High
certifi  2018.1.18  2022.12.07  python  GHSA-43fp-rhv2-5gv8  Med
Anything else we need to know?:
Related issues that have been closed:
https://github.com/anchore/grype/pull/1510
https://github.com/anchore/grype/issues/1172
However, this problem is still present with the SUSE ecosystem and can be reproduced easily; we are running Grype 0.78.0, quite a recent version.
Environment:
$ grype --version
grype 0.78.0
In the container image ecosystem:
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"