What happened:
A scan of an image that has python3-requests-2.25.1-150300.3.6.1.noarch and python3-pip-20.0.2-150400.20.1.noarch installed generates high vulnerability findings:

```text
NAME      INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
pip       20.0.2     23.3      python  GHSA-mq26-g339-26xf  Medium
pip       20.0.2     21.1      python  GHSA-5xp3-jfq3-5q8x  Medium
requests  2.25.1     2.31.0    python  GHSA-j8r2-6x86-q33q  Medium
requests  2.25.1     2.32.0    python  GHSA-9wx4-h78v-vm56  Medium
```
What you expected to happen:
1) According to the SUSE advisory for CVE-2023-32681, the patch for this CVE is applied from version python3-requests >= 2.24.0-150300.3.3.1.
See this link: https://www.suse.com/security/cve/CVE-2023-32681.html
SUSE Linux Enterprise Server 15 SP4
python3-requests >= 2.24.0-150300.3.3.1
But the package installed in the container is: **python3-requests-2.25.1-150300.3.6.1**
2) According to the SUSE advisory for CVE-2021-3572, the patch for this CVE is applied from version python3-pip >= 20.0.2-150400.15.6.
See this link: https://www.suse.com/security/cve/CVE-2021-3572.html
SUSE Linux Enterprise Server 15 SP4
python3-pip >= 20.0.2-150400.15.6
But the package installed in the container is: **python3-pip-20.0.2-150400.20.1**
To summarize:
Installed versions in the container:
python3-requests-2.25.1-150300.3.6.1.noarch
python3-pip-20.0.2-150400.20.1.noarch
SUSE Linux Enterprise Server 15 SP4 minimum patched versions for those CVEs:
python3-requests >= 2.24.0-150300.3.3.1
python3-pip >= 20.0.2-150400.15.6
Conclusion: the installed versions meet the minimum patched versions from SLES 15.4, but Grype still reports vulnerabilities.
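The version check made by hand above, as an added example that is not code from this issue or from Grype: a Python re-implementation of librpm's segment-wise rpmvercmp, run over the installed RPM EVRs and the SUSE advisory minimums quoted above, plus the python3 rpm row from the Grype output, where the installed release really is below the fixed-in one (note that the requests and pip rows in the scan output are of type python with upstream fixed-in versions, not SLES RPM releases). Function names and the embedded cases are constructed for this example.

```python
import re

# Segments are runs of digits or letters; '~' is kept as a pre-release marker.
_SEG = re.compile(r"\d+|[A-Za-z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """Segment-wise compare of two RPM version/release strings like librpm's
    rpmvercmp: separators are ignored, numbers compare as integers, a numeric
    segment beats a letter segment, '~' sorts before anything. Returns -1/0/1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    while sa or sb:
        x = sa.pop(0) if sa else ""
        y = sb.pop(0) if sb else ""
        if x == "~" or y == "~":  # pre-release marker: older than even end of string
            if x != y:
                return 1 if y == "~" else -1
            continue
        if not x or not y:  # one side ran out: the side with segments left is newer
            return 1 if x else -1
        if x.isdigit() != y.isdigit():  # numeric segment beats letter segment
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):  # more digits means a larger number
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return 0

def parse_evr(s: str):
    """Split 'epoch:version-release' into (epoch, version, release); epoch defaults to 0."""
    epoch, _, rest = s.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def meets_fix(installed: str, fixed: str) -> bool:
    """True when the installed RPM EVR is at or above the advisory's fixed EVR."""
    ea, va, ra = parse_evr(installed)
    eb, vb, rb = parse_evr(fixed)
    if ea != eb:
        return ea > eb
    return (rpmvercmp(va, vb) or rpmvercmp(ra, rb)) >= 0

def check_report() -> dict:
    """Installed EVR vs the SUSE advisory minimum (requests, pip) and vs Grype's own
    rpm fixed-in for python3; all values are the ones quoted in the report."""
    cases = {"python3-requests": ("2.25.1-150300.3.6.1", "2.24.0-150300.3.3.1"),
             "python3-pip": ("20.0.2-150400.20.1", "20.0.2-150400.15.6"),
             "python3": ("3.6.15-150300.10.51.1", "0:3.6.15-150300.10.57.1")}
    return {name: meets_fix(inst, fix) for name, (inst, fix) in cases.items()}
```

`check_report()` returns True for requests and pip (installed at or above the SLES fixed release) and False for python3, matching the advisory reading in this report rather than the python-typed findings.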
How to reproduce it (as minimally and precisely as possible):
1) Create a Dockerfile with this content:

```dockerfile
FROM registry.suse.com/suse/sle15:15.4
RUN zypper in -y --no-recommends python3-pip=20.0.2-150400.20.1
RUN zypper in -y --no-recommends python3-requests=2.25.1-150300.3.6.1
ENTRYPOINT [""]
CMD ["bash"]
```
2) Build an image from the Dockerfile:

```shell
$ docker build -t "suse15.4_pip_request:v1" .
```

3) Test with Grype:

```text
$ grype --distro sles:15.4 suse15.4_pip_request:v1
NAME          INSTALLED              FIXED-IN                 TYPE    VULNERABILITY        SEVERITY
pip           20.0.2                 23.3                     python  GHSA-mq26-g339-26xf  Medium
pip           20.0.2                 21.1                     python  GHSA-5xp3-jfq3-5q8x  Medium
py            1.10.0                                          python  GHSA-w596-4wvx-j9j6  High
python3       3.6.15-150300.10.51.1  0:3.6.15-150300.10.57.1  rpm     CVE-2022-48566       Medium
python3-base  3.6.15-150300.10.51.1  0:3.6.15-150300.10.57.1  rpm     CVE-2022-48566       Medium
requests      2.25.1                 2.31.0                   python  GHSA-j8r2-6x86-q33q  Medium
requests      2.25.1                 2.32.0                   python  GHSA-9wx4-h78v-vm56  Medium
```

Environment:

```text
$ grype --version
grype 0.78.0
```

In the container image:

```text
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP4"
VERSION_ID="15.4"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP4"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
```