What happened:
Scan on image that has ruby2.5-stdlib-2.5.9-150000.4.29.1.x86_64.noarch installed. It generates vulnerability:
```
NAME      INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
stringio  0.0.1      3.0.1.1   gem   GHSA-v5h6-c2hv-hv3r  High
webrick   1.4.2.1    1.6.1     gem   GHSA-gwfg-cqmg-cf8f  High
```
JSON format:
```
"vulnerability": {
  "id": "GHSA-v5h6-c2hv-hv3r",
  "dataSource": "https://github.com/advisories/GHSA-v5h6-c2hv-hv3r",
  "namespace": "github:language:ruby",
  "severity": "High",
  "urls": [
    "https://github.com/advisories/GHSA-v5h6-c2hv-hv3r"
  ],
  "description": "StringIO buffer overread vulnerability",
  ...
"relatedVulnerabilities": [
  {
    "id": "CVE-2024-27280",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27280",
    "namespace": "nvd:cpe",
    "severity": "Unknown",
    ...
"artifact": {
  "id": "cd8bdb8fd0bf6563",
  "name": "stringio",
  "version": "0.0.1",
  "type": "gem",
  "locations": [
    {
      "path": "/usr/lib64/ruby/gems/2.5.0/specifications/default/stringio-0.0.1.gemspec",
      ...
```
What you expected to happen:
According to the SUSE Advisory on CVE-2024-27280, Ruby and Ruby2.5 are Not affected; therefore, Grype should not generate a vulnerability.
See with this link: https://www.suse.com/security/cve/CVE-2024-27280.html
```
SUSE Linux Enterprise Server 15 SP5  ruby     Not affected
SUSE Linux Enterprise Server 15 SP5  ruby2.5  Not affected
```
How to reproduce it (as minimally and precisely as possible):
1) Create the Dockerfile with this content:
```Dockerfile
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends ruby2.5-stdlib=2.5.9-150000.4.29.1
ENTRYPOINT [""]
CMD ["bash"]
```
2) Build an image from Dockerfile
```
$ docker build -t "suse15.5_ruby2.5-stdlib:v1" .
```
3) Test with Grype now
```
$ grype --distro sles:15.5 suse15.5_ruby2.5-stdlib:v1
NAME      INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
stringio  0.0.1      3.0.1.1   gem   GHSA-v5h6-c2hv-hv3r  High
webrick   1.4.2.1    1.6.1     gem   GHSA-gwfg-cqmg-cf8f  High
```
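The JSON excerpt above shows why the `--distro` hint does not help here: both findings are matched in the `github:language:ruby` namespace against gems that Grype found via default gemspecs under `/usr/lib64/ruby/gems/2.5.0/specifications/default/`, i.e. files owned by the `ruby2.5-stdlib` RPM rather than application-bundled gems. Until the scanner reconciles such matches with the vendor's advisory status, a practical triage step is to pull those "distro-owned default gem" matches out of the JSON report and turn them into candidate ignore rules that a reviewer confirms one by one against the vendor page. The script below is an added example, not part of this issue or of the Grype project: the sample report is constructed from the fields quoted in the report (the webrick gemspec path and the third, application-bundled gem are made up), the path heuristic and helper names are assumptions, and the emitted `.grype.yaml` `ignore:` stanza follows the rule shape documented in Grype's README (verify against your version).

```python
"""Triage Grype JSON matches whose artifact is a Ruby default gem shipped by the OS package.

Added example; not code from the linked issue or from the Grype project.
Assumptions: the 'distro-owned default gem' heuristic below, the helper names,
and the .grype.yaml ignore-rule shape (name/version/type/location).
"""
import json
import re
from typing import Dict, List

# Default gems installed by a distro ruby*-stdlib package live under
# .../ruby/gems/<ruby-version>/specifications/default/<gem>.gemspec
# (the stringio path quoted in the report has exactly this shape).
DEFAULT_GEM_SPEC = re.compile(
    r"/ruby/gems/[0-9.]+/specifications/default/[^/]+\.gemspec$"
)

# Constructed sample shaped like the Grype JSON output quoted in the report.
# Only the stringio entry's path comes from the report; the rest is made up.
SAMPLE_GRYPE_JSON = json.dumps({
    "matches": [
        {
            "vulnerability": {"id": "GHSA-v5h6-c2hv-hv3r",
                              "namespace": "github:language:ruby", "severity": "High"},
            "relatedVulnerabilities": [{"id": "CVE-2024-27280", "namespace": "nvd:cpe"}],
            "artifact": {"name": "stringio", "version": "0.0.1", "type": "gem",
                         "locations": [{"path": "/usr/lib64/ruby/gems/2.5.0/specifications/default/stringio-0.0.1.gemspec"}]},
        },
        {
            "vulnerability": {"id": "GHSA-gwfg-cqmg-cf8f",
                              "namespace": "github:language:ruby", "severity": "High"},
            "relatedVulnerabilities": [],
            "artifact": {"name": "webrick", "version": "1.4.2.1", "type": "gem",
                         # constructed path, by analogy with the stringio one
                         "locations": [{"path": "/usr/lib64/ruby/gems/2.5.0/specifications/default/webrick-1.4.2.1.gemspec"}]},
        },
        {
            # constructed: an application-bundled gem; must NOT be treated as distro-owned
            "vulnerability": {"id": "GHSA-xxxx-xxxx-xxxx",
                              "namespace": "github:language:ruby", "severity": "Medium"},
            "relatedVulnerabilities": [],
            "artifact": {"name": "examplegem", "version": "1.0.0", "type": "gem",
                         "locations": [{"path": "/app/vendor/bundle/ruby/2.5.0/specifications/examplegem-1.0.0.gemspec"}]},
        },
    ]
})


def distro_owned_gem_matches(report_json: str) -> List[Dict]:
    """Return gem matches whose every location is a distro default-gem gemspec.

    Each entry carries the GHSA id, any CVE aliases from relatedVulnerabilities
    (what you look up on the vendor advisory page), and the package coordinates
    needed for an ignore rule.
    """
    report = json.loads(report_json)
    out = []
    for match in report.get("matches", []):
        artifact = match["artifact"]
        if artifact.get("type") != "gem":
            continue
        paths = [loc["path"] for loc in artifact.get("locations", [])]
        if paths and all(DEFAULT_GEM_SPEC.search(p) for p in paths):
            out.append({
                "vulnerability": match["vulnerability"]["id"],
                "cves": [r["id"] for r in match.get("relatedVulnerabilities", [])
                         if r["id"].startswith("CVE-")],
                "name": artifact["name"],
                "version": artifact["version"],
                "type": artifact["type"],
                "location": paths[0],
            })
    return out


def ignore_rules_yaml(entries: List[Dict]) -> str:
    """Render candidate .grype.yaml ignore rules, one per distro-owned match.

    Every rule is emitted with a comment naming the CVE alias to check, so the
    reviewer keeps only rules the vendor advisory actually marks 'Not affected'.
    """
    lines = ["ignore:"]
    for e in entries:
        cves = ", ".join(e["cves"]) or "no CVE alias"
        lines += [
            f"  # {e['name']} {e['version']}: confirm vendor status for {cves} before keeping this rule",
            f"  - vulnerability: {e['vulnerability']}",
            "    package:",
            f"      name: {e['name']}",
            f"      version: \"{e['version']}\"",
            f"      type: {e['type']}",
            f"      location: \"{e['location']}\"",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python triage.py < grype-report.json  (here: the constructed sample)
    print(ignore_rules_yaml(distro_owned_gem_matches(SAMPLE_GRYPE_JSON)))
```

Run it against `grype -o json <image>` output instead of the sample to get the same stanza for a real scan; the rule keys `name`, `version`, `type` and `location` are matched by Grype against the package, so the ignore stays scoped to the distro-installed gemspec and does not hide the same GHSA for an application-vendored copy of the gem.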
Anything else we need to know?:
Environment:
```
$ grype --version
grype 0.78.0
```
In container image eco-system:
```
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
```