search

anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0
8.15k stars 528 forks source link

False positive: GHSA-v3c5-jqr6-7qm8 (CVE-2022-40899) in SLES 15.5 Ecosystem #1927

Open sekveaja opened 3 weeks ago

sekveaja commented 3 weeks ago

What happened:

Scan on image that has python3-future-0.18.2-150300.3.3.1.noarch installed. It generates high vulnerability:

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY future 0.18.2 0.18.3 python GHSA-v3c5-jqr6-7qm8 High

JSON format:

"vulnerability": { "id": "GHSA-v3c5-jqr6-7qm8", "dataSource": "https://github.com/advisories/GHSA-v3c5-jqr6-7qm8", "namespace": "github:language:python", "severity": "High", "urls": [ "https://github.com/advisories/GHSA-v3c5-jqr6-7qm8" ], "description": "Python Charmers Future denial of service vulnerability", : : "relatedVulnerabilities": [ { "id": "CVE-2022-40899", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-40899", "namespace": "nvd:cpe", "severity": "High", "urls": [ "https://github.com/PythonCharmers/python-future/blob/master/src/future/backports/http/cookiejar.py#L215", "https://github.com/PythonCharmers/python-future/pull/610", : : "artifact": { "id": "25b50c4162f46bbe", "name": "future", "version": "0.18.2", "type": "python", "locations": [ { "path": "/usr/lib/python3.6/site-packages/future-0.18.2-py3.6.egg-info/PKG-INFO", "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86" },

What you expected to happen:

According to SUSE Advisory CVE-2022-40899 Patch for this CVE is applied from version python3-future-0.18.2-150300.3.3.1

See with this link: https://www.suse.com/security/cve/CVE-2022-40899.html

SUSE Linux Enterprise Server 15 SP5 python3-future >= 0.18.2-150300.3.3.1 Patchnames: SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python-future-0.18.2-150300.3.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python3-future-0.18.2-150300.3.3.1

rpm -qf /usr/lib/python3.6/site-packages/future-0.18.2-py3.6.egg-info/PKG-INFO

python3-future-0.18.2-150300.3.3.1.noarch

Installed version in the container: python3-future-0.18.2-150300.3.3.1.noarch

Conclusion: Installed version meet the minimal requirement patch from SLES 15.5 but Grype generate a vulnerability.

How to reproduce it (as minimally and precisely as possible):

1) Create the Dockerfile with this content:

FROM registry.suse.com/suse/sle15:15.5 RUN zypper in -y --no-recommends python3-future=0.18.2-150300.3.3.1 ENTRYPOINT [""] CMD ["bash"]

2) Build an image from Dockerfile

$ docker build -t "suse15.5_python3-future:v1" .

3) Test with Grype now

$ grype --distro sles:15.5 suse15.5_python3-future:v1

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY future 0.18.2 0.18.3 python GHSA-v3c5-jqr6-7qm8 Hig

Environment: $ grype --version grype 0.78.0

In container image eco-system:

bash-4.4$ cat /etc/release NAME="SLES" VERSION="15-SP5" VERSION_ID="15.5" PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5" ID="sles" ID_LIKE="suse" ANSI_COLOR="0;32" CPE_NAME="cpe:/o:suse:sles:15:sp5" DOCUMENTATION_URL="https://documentation.suse.com/"