False positive: GHSA-x4qr-2fvf-3mr5 (CVE-2023-0286), GHSA-jfhm-5ghh-2f97 (CVE-2023-49083) in SLES 15.5 Ecosystem but trigger by cryptography

What happened:

Scan on image that has python3-cryptography-3.3.2-150400.23.1.x86_64 installed. It generates high vulnerability:

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY cryptography 3.3.2 39.0.1 python GHSA-x4qr-2fvf-3mr5 High cryptography 3.3.2 42.0.0 python GHSA-3ww4-gg4f-jr7f High cryptography 3.3.2 39.0.1 python GHSA-w7pp-m8wf-vj6r Medium cryptography 3.3.2 41.0.6 python GHSA-jfhm-5ghh-2f97 Medium cryptography 3.3.2 42.0.2 python GHSA-9v9h-cgj8-h64p Medium cryptography 3.3.2 41.0.4 python GHSA-v8gr-m533-ghj9 Low cryptography 3.3.2 41.0.3 python GHSA-jm77-qphf-c4w8 Low cryptography 3.3.2 41.0.0 python GHSA-5cpq-8wj7-hf2v Low

JSON format:

"vulnerability": { "id": "GHSA-x4qr-2fvf-3mr5", "dataSource": "https://github.com/advisories/GHSA-x4qr-2fvf-3mr5", "namespace": "github:language:python", "severity": "High", "urls": [ "https://github.com/advisories/GHSA-x4qr-2fvf-3mr5" ], "description": "Vulnerable OpenSSL included in cryptography wheels", : : "relatedVulnerabilities": [ { "id": "CVE-2023-0286", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0286", "namespace": "nvd:cpe", "severity": "High", "urls": [ "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt", "https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig", : : "artifact": { "id": "38aca2c4012b270d", "name": "cryptography", "version": "3.3.2", "type": "python", "locations": [ { "path": "/usr/lib64/python3.6/site-packages/cryptography-3.3.2-py3.6.egg-info/PKG-INFO", "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86" },

What you expected to happen:

According to SUSE Advisory CVE-2023-0286 Patch for this CVE is already fixed.

See with this link: https://www.suse.com/security/cve/CVE-2023-0286.html

SUSE Linux Enterprise Server 15 SP5 openssl Not affected SUSE Linux Enterprise Server 15 SP5 openssl-1_0_0 Released SUSE Linux Enterprise Server 15 SP5 openssl-1_1 Already fixed SUSE Linux Enterprise Server 15 SP5 openssl-3 Already fixed

Conclusion: Issue with CVE-2023-0286 is related to Openssl according to NVD. As for SUSE advisory, this CVE is already fixed. Grype is pointing to an artifact that is related to cryptography where cryptography may include an older version of Openssl. There is something that Grype doesn't take account in this case, the dependency. Cryptography requires Openssl but most OS provider is already patched, upgraded, fixed in their newest release or minor release. It is good to flag, however, it is definitely a false positive for an ecosystem that already has the fixes of Openssl.

How to reproduce it (as minimally and precisely as possible):

1) Create the Dockerfile with this content:

FROM registry.suse.com/suse/sle15:15.5 RUN zypper in -y --no-recommends python3-cryptography=3.3.2-150400.23.1.x86_64 ENTRYPOINT [""] CMD ["bash"]

2) Build an image from Dockerfile

$ docker build -t "suse15.5_python3-cryptography:v1" .

3) Test with Grype now

$ grype --distro sles:15.5 suse15.5_python3-cryptography:v1

Environment: $ grype --version grype 0.78.0

In container image eco-system:

bash-4.4$ cat /etc/release NAME="SLES" VERSION="15-SP5" VERSION_ID="15.5" PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5" ID="sles" ID_LIKE="suse" ANSI_COLOR="0;32" CPE_NAME="cpe:/o:suse:sles:15:sp5" DOCUMENTATION_URL="https://documentation.suse.com/"

anchore / grype

False positive: GHSA-x4qr-2fvf-3mr5 (CVE-2023-0286), GHSA-jfhm-5ghh-2f97 (CVE-2023-49083) in SLES 15.5 Ecosystem but trigger by cryptography #1935

JSON format:

In container image eco-system: