What happened:
Scan on an image that has python3-Flask-1.0.4-150400.7.64.noarch installed. It generates a high-severity vulnerability:
NAME    INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
Flask   1.0.4      2.2.5     python  GHSA-m2qf-hxjv-5gpq  High
Jinja2  2.10.1     3.1.4     python  GHSA-h75v-3vvj-5mfj  Medium
Jinja2  2.10.1     3.1.3     python  GHSA-h5c8-rqwp-cp95  Medium
JSON format (excerpt):
"vulnerability": {
  "id": "GHSA-m2qf-hxjv-5gpq",
  "dataSource": "https://github.com/advisories/GHSA-m2qf-hxjv-5gpq",
  "namespace": "github:language:python",
  "severity": "High",
  "urls": [ "https://github.com/advisories/GHSA-m2qf-hxjv-5gpq" ],
  "description": "Flask vulnerable to possible disclosure of permanent session cookie
  : :
"relatedVulnerabilities": [
  {
    "id": "CVE-2023-30861",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-30861",
    "namespace": "nvd:cpe",
    "severity": "High",
    "urls": [
      "https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b",
      "https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965",
      "https://github.com/pallets/flask/releases/tag/2.2.5",
  : :
"artifact": {
  "id": "43f7396ee5913efd",
  "name": "Flask",
  "version": "1.0.4",
  "type": "python",
  "locations": [
    {
      "path": "/usr/lib/python3.6/site-packages/Flask-1.0.4-py3.6.egg-info/PKG-INFO",
      "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
    },
What you expected to happen:
According to the SUSE advisory for CVE-2023-30861, the patch for this CVE is applied from version python3-Flask-1.0.4-150400.7.64.noarch.
See this link: https://www.suse.com/security/cve/CVE-2023-30861.html
SUSE Linux Enterprise Server 15 SP5   python3-Flask >= 1.0.4-150400.3.3.1   Patchnames: SUSE-SLE-Module-Basesystem-15-SP5-2023-2263
Installed version in the container: python3-flask-3.3.2-150400.23.1.x86_64
rpm -qf /usr/lib/python3.6/site-packages/Flask-1.0.4-py3.6.egg-info/PKG-INFO
python3-Flask-1.0.4-150400.7.64.noarch
Conclusion: The installed version is higher than the minimum patched version for SLES 15.5, but Grype still generates a vulnerability.
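One way to triage such a match after the scan, as an added example that is not part of this issue or of grype itself: it re-checks each Python match against the RPM that owns the matched file (what `rpm -qf` printed) and the vendor's minimum patched version-release, using an rpmvercmp-style comparison, so a distro backport is told apart from a pip-installed package that really needs the upstream fixed-in version. The `rpm -qf` output and the SUSE fixed version are the ones quoted in this issue, the match structure is reduced from the JSON above, and the rpmvercmp reimplementation is a simplified assumption (no tilde or caret handling).

```python
import re
from itertools import zip_longest

# rpmvercmp-style: digit and alpha runs, digits compared numerically; simplified (no '~'/'^')
_SEG = re.compile(r"\d+|[a-zA-Z]+")

def rpm_vercmp(a: str, b: str) -> int:
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x is None or y is None:              # longer string sorts newer
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():          # numeric segment beats alpha
            return 1 if x.isdigit() else -1
        key = (int(x), int(y)) if x.isdigit() else (x, y)
        if key[0] != key[1]:
            return -1 if key[0] < key[1] else 1
    return 0

def rpm_evr_cmp(a: str, b: str) -> int:
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)   # version, then release

def split_nvra(nvra: str):
    """'python3-Flask-1.0.4-150400.7.64.noarch' -> ('python3-Flask', '1.0.4-150400.7.64')"""
    name, ver, rel = nvra.rsplit(".", 1)[0].rsplit("-", 2)
    return name, f"{ver}-{rel}"

def triage(report: dict, rpm_owner: dict, vendor_fixed: dict) -> dict:
    """rpm_owner: path -> RPM from `rpm -qf`; vendor_fixed: (rpm, CVE) -> fixed EVR."""
    out = {}
    for m in report["matches"]:
        vid = m["vulnerability"]["id"]
        owner = next((rpm_owner[loc["path"]] for loc in m["artifact"]["locations"]
                      if loc["path"] in rpm_owner), None)
        if owner is None:                       # pip-installed: upstream fixed-in applies
            out[vid] = "not-rpm-owned"
            continue
        name, evr = split_nvra(owner)
        fixed = [vendor_fixed[(name, r["id"])] for r in m.get("relatedVulnerabilities", [])
                 if (name, r["id"]) in vendor_fixed]
        ok = fixed and all(rpm_evr_cmp(evr, f) >= 0 for f in fixed)
        out[vid] = "vendor-patched" if ok else "rpm-owned-unverified"  # else: check advisory
    return out

# Constructed sample: the Flask match, rpm -qf result and SUSE fixed version from this issue.
FLASK_PKG_INFO = "/usr/lib/python3.6/site-packages/Flask-1.0.4-py3.6.egg-info/PKG-INFO"
SAMPLE_REPORT = {"matches": [{"vulnerability": {"id": "GHSA-m2qf-hxjv-5gpq"},
                              "relatedVulnerabilities": [{"id": "CVE-2023-30861"}],
                              "artifact": {"locations": [{"path": FLASK_PKG_INFO}]}}]}
RPM_OWNER = {FLASK_PKG_INFO: "python3-Flask-1.0.4-150400.7.64.noarch"}
VENDOR_FIXED = {("python3-Flask", "CVE-2023-30861"): "1.0.4-150400.3.3.1"}
```

On a real image, `rpm_owner` would be filled from `rpm -qf` on each matched path and `vendor_fixed` from the vendor advisory, and `report` from `grype -o json`.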
How to reproduce it (as minimally and precisely as possible):
1) Create a Dockerfile with this content:
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-Flask=1.0.4-150400.7.64
ENTRYPOINT [""]
CMD ["bash"]
2) Build an image from the Dockerfile:
$ docker build -t "suse15.5_python3-flask:v1" .
3) Test with Grype now:
$ grype --distro sles:15.5 suse15.5_python3-flask:v1
NAME    INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
Flask   1.0.4      2.2.5     python  GHSA-m2qf-hxjv-5gpq  High
Jinja2  2.10.1     3.1.4     python  GHSA-h75v-3vvj-5mfj  Medium
Jinja2  2.10.1     3.1.3     python  GHSA-h5c8-rqwp-cp95  Medium
Environment:
$ grype --version
grype 0.78.0
Inside the container image:
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"