anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

False positive: GHSA-j8r2-6x86-q33q (CVE-2023-32681) python3-requests GHSA-5xp3-jfq3-5q8x (CVE-2021-3572) python3-pip #1984

Open sekveaja opened 3 months ago

sekveaja commented 3 months ago

What happened: A scan on an image that has python3-requests-2.25.1-150300.3.6.1.noarch and python3-pip-20.0.2-150400.20.1.noarch installed generates high vulnerabilities:

```
NAME      INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
pip       20.0.2     23.3      python  GHSA-mq26-g339-26xf  Medium
pip       20.0.2     21.1      python  GHSA-5xp3-jfq3-5q8x  Medium
requests  2.25.1     2.31.0    python  GHSA-j8r2-6x86-q33q  Medium
requests  2.25.1     2.32.0    python  GHSA-9wx4-h78v-vm56  Medium
```

What you expected to happen:

1) According to the SUSE advisory for CVE-2023-32681, the patch for this CVE is applied from version python3-requests >= 2.24.0-150300.3.3.1.

See this link: https://www.suse.com/security/cve/CVE-2023-32681.html

```
SUSE Linux Enterprise Server 15 SP4
python3-requests >= 2.24.0-150300.3.3.1
```

But the package that is installed in the container is: **python3-requests-2.25.1-150300.3.6.1**

2) According to the SUSE advisory for CVE-2021-3572, the patch for this CVE is applied from version python3-pip >= 20.0.2-150400.15.6.

See this link: https://www.suse.com/security/cve/CVE-2021-3572.html

```
SUSE Linux Enterprise Server 15 SP4
python3-pip >= 20.0.2-150400.15.6
```

But the package that is installed in the container is: **python3-pip-20.0.2-150400.20.1**

To summarize:

Installed versions in the container:

- python3-requests-2.25.1-150300.3.6.1.noarch
- python3-pip-20.0.2-150400.20.1.noarch

SUSE Linux Enterprise Server 15 SP4 minimum requirements for those CVEs:

- python3-requests >= 2.24.0-150300.3.3.1
- python3-pip >= 20.0.2-150400.15.6

Conclusion: The installed versions meet the minimum patch requirement from SLES 15.4, but Grype generates vulnerabilities.

How to reproduce it (as minimally and precisely as possible):

1) Create the Dockerfile with this content:

```dockerfile
FROM registry.suse.com/suse/sle15:15.4
RUN zypper in -y --no-recommends python3-pip=20.0.2-150400.20.1
RUN zypper in -y --no-recommends python3-requests=2.25.1-150300.3.6.1
ENTRYPOINT [""]
CMD ["bash"]
```

2) Build an image from the Dockerfile:

```
$ docker build -t "suse15.4_pip_request:v1" .
```

3) Test with Grype now:

```
$ grype --distro sles:15.4 suse15.4_pip_request:v1

NAME          INSTALLED              FIXED-IN                 TYPE    VULNERABILITY        SEVERITY
pip           20.0.2                 23.3                     python  GHSA-mq26-g339-26xf  Medium
pip           20.0.2                 21.1                     python  GHSA-5xp3-jfq3-5q8x  Medium
py            1.10.0                                          python  GHSA-w596-4wvx-j9j6  High
python3       3.6.15-150300.10.51.1  0:3.6.15-150300.10.57.1  rpm     CVE-2022-48566       Medium
python3-base  3.6.15-150300.10.51.1  0:3.6.15-150300.10.57.1  rpm     CVE-2022-48566       Medium
requests      2.25.1                 2.31.0                   python  GHSA-j8r2-6x86-q33q  Medium
requests      2.25.1                 2.32.0                   python  GHSA-9wx4-h78v-vm56  Medium
```

Environment:

```
$ grype --version
grype 0.78.0
```

In the container image ecosystem:

```
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP4"
VERSION_ID="15.4"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP4"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
```
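The two comparisons behind this report, as an added example (not grype's or SUSE's code): an rpm-style version-release comparison of the installed SUSE RPM against the advisory's minimum patched build, next to the plain upstream version comparison that yields the GHSA match above. Package versions are taken from the report; the comparison is a simplified rpmvercmp (no tilde or caret handling).

```python
import re

# Data from the report: installed SUSE RPMs and the minimum patched
# build listed in the SUSE advisory for SLES 15 SP4.
INSTALLED = {
    "python3-requests": "2.25.1-150300.3.6.1",  # CVE-2023-32681
    "python3-pip": "20.0.2-150400.20.1",        # CVE-2021-3572
}
SUSE_FIXED = {
    "python3-requests": "2.24.0-150300.3.3.1",
    "python3-pip": "20.0.2-150400.15.6",
}
# Upstream fixed-in versions grype printed for the python ecosystem match.
UPSTREAM_FIXED = {"requests": "2.31.0", "pip": "21.1"}


def _segments(s):
    # rpm compares runs of digits and runs of letters, separators are ignored
    return re.findall(r"\d+|[a-zA-Z]+", s)


def rpmvercmp(a, b):
    """Simplified rpm version comparison: -1 if a < b, 0 if equal, 1 if a > b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit():       # numeric segment sorts after an alpha segment
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer string wins


def compare_vr(a, b):
    """Compare two 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def distro_patched(rpm_name):
    """True when the installed RPM is at or above the SUSE advisory's fixed build."""
    return compare_vr(INSTALLED[rpm_name], SUSE_FIXED[rpm_name]) >= 0


def upstream_vulnerable(dist_name, installed_upstream_version):
    """The naive check that ignores backports: installed upstream version < fixed-in."""
    return rpmvercmp(installed_upstream_version, UPSTREAM_FIXED[dist_name]) < 0
```

For both packages the distro check says patched while the upstream check says vulnerable, which is exactly the disagreement the report describes.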

kzantow commented 1 month ago

Blocked on: https://github.com/anchore/vunnel/issues/626