anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

False positive: GHSA-g3rq-g295-4j3m (CVE-2020-28493) python3-Jinja2 in SLES 15.5 Ecosystem #1988

Open sekveaja opened 2 months ago

sekveaja commented 2 months ago

What happened: Scanning an image that has python3-Jinja2-2.10.1-3.10.2.noarch installed generates these vulnerabilities:

NAME    INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
Jinja2  2.10.1     3.1.4     python  GHSA-h75v-3vvj-5mfj  Medium
Jinja2  2.10.1     3.1.3     python  GHSA-h5c8-rqwp-cp95  Medium
Jinja2  2.10.1     2.11.3    python  GHSA-g3rq-g295-4j3m  Medium

What you expected to happen:

According to the SUSE advisory for CVE-2020-28493, the patch for this CVE is applied from version python3-Jinja2-2.10.1-3.10.2 onward.

See with this link: https://www.suse.com/security/cve/CVE-2020-28493.html

 SUSE Linux Enterprise Server 15 SP5
 python3-Jinja2 >= 2.10.1-3.10.2
 Patchnames:
 SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python-Jinja2-2.10.1-3.10.2

Installed version in the container: python3-Jinja2-2.10.1-3.10.2.noarch

  # rpm -qf /usr/lib/python3.6/site-packages/Jinja2-2.10.1-py3.6.egg-info/PKG-INFO
  python3-Jinja2-2.10.1-3.10.2.noarch

Conclusion: The installed version meets the minimum patched version for SLES 15.5, but Grype still generates vulnerabilities.

How to reproduce it (as minimally and precisely as possible):

1) Create the Dockerfile with this content:

FROM registry.suse.com/suse/sle15:15.5
ADD https://rpmfind.net/linux/opensuse/distribution/leap/15.5/repo/oss/noarch/python3-Jinja2-2.10.1-3.10.2.noarch.rpm /tmp
RUN zypper in -y --no-recommends /tmp/python3-Jinja2-2.10.1-3.10.2.noarch.rpm

ENTRYPOINT [""]
CMD ["bash"]

2) Build an image from Dockerfile

$ docker build -t "suse15.5_python3-jinja:v1" .

3) Test with Grype now

$ grype --distro sles:15.5 suse15.5_python3-jinja:v1

NAME    INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
Jinja2  2.10.1     3.1.4     python  GHSA-h75v-3vvj-5mfj  Medium
Jinja2  2.10.1     3.1.3     python  GHSA-h5c8-rqwp-cp95  Medium
Jinja2  2.10.1     2.11.3    python  GHSA-g3rq-g295-4j3m  Medium

Environment:

$ grype --version
grype 0.78.0

In container image ecosystem:

bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
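The TYPE column in the report above shows where the mismatch comes from: grype catalogued the Jinja2 egg-info as a python-ecosystem package and compared the upstream version 2.10.1 against the GHSA fixed-in version 2.11.3, while the SUSE advisory expresses the fix as an RPM release (2.10.1-3.10.2) of the package that owns those files. The following is an added example, not grype or vunnel code, that shows the comparison a practitioner would want applied during triage: re-implement rpm's version ordering (tilde handled, caret omitted) and ask whether the owning RPM's epoch:version-release is at or after the distro's fixed EVR. The findings list is constructed from the table in this issue; the only distro fixed EVR supplied is the one SUSE quotes for GHSA-g3rq-g295-4j3m (CVE-2020-28493), the other two are left as None because the issue says nothing about them. Using rpmvercmp for the upstream Python version comparison is an approximation that holds for simple release-only versions like these.

```python
"""Added example (not grype/vunnel code): triage a python-ecosystem grype hit
on an RPM-based image by comparing the owning RPM's EVR against the distro's
fixed EVR, instead of the upstream version against the GHSA fixed-in version."""
import re
from typing import Optional


def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version (or release) strings; returns -1, 0 or 1."""
    if a == b:
        return 0
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # separators (anything not alphanumeric or '~') are skipped
        while ia < len(a) and not (a[ia].isalnum() or a[ia] == "~"):
            ia += 1
        while ib < len(b) and not (b[ib].isalnum() or b[ib] == "~"):
            ib += 1
        # '~' sorts before anything, even the end of the string (1.0~rc1 < 1.0)
        ta = ia < len(a) and a[ia] == "~"
        tb = ib < len(b) and b[ib] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            ia += 1
            ib += 1
            continue
        if ia >= len(a) or ib >= len(b):
            break
        # take a run of digits or a run of letters, the type chosen by side a
        pat = r"\d+" if a[ia].isdigit() else r"[A-Za-z]+"
        ma = re.match(pat, a[ia:])
        mb = re.match(pat, b[ib:])
        if mb is None:
            # segment types differ: a numeric segment beats an alphabetic one
            return 1 if a[ia].isdigit() else -1
        sa, sb = ma.group(0), mb.group(0)
        ia += len(sa)
        ib += len(sb)
        if sa.isdigit():
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    # the side with characters left over is the newer one
    rem_a, rem_b = ia < len(a), ib < len(b)
    if rem_a == rem_b:
        return 0
    return 1 if rem_a else -1


def split_evr(evr: str) -> tuple:
    """'[epoch:]version-release' -> (epoch, version, release); epoch defaults to 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """rpm EVR ordering: epoch first, then version, then release."""
    for x, y in zip(split_evr(a), split_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def triage(installed: str, fixed_in: str, rpm_evr: Optional[str],
           distro_fixed_evr: Optional[str]) -> str:
    """Decide what a python-ecosystem grype hit means on an RPM-based image."""
    if rpmvercmp(installed, fixed_in) >= 0:
        return "not-affected"        # upstream version already carries the fix
    if rpm_evr is None or distro_fixed_evr is None:
        return "affected"            # no distro backport known: keep the finding
    if compare_evr(rpm_evr, distro_fixed_evr) >= 0:
        return "fixed-by-backport"   # owning RPM is at or after the distro's fixed EVR
    return "affected"


# Constructed from the grype table in the issue. OWNING_RPM is the EVR that
# `rpm -qf` reported; only GHSA-g3rq-g295-4j3m has a SUSE fixed EVR quoted there.
OWNING_RPM = "2.10.1-3.10.2"
FINDINGS = [
    {"id": "GHSA-h75v-3vvj-5mfj", "installed": "2.10.1", "fixed_in": "3.1.4", "distro_fixed_evr": None},
    {"id": "GHSA-h5c8-rqwp-cp95", "installed": "2.10.1", "fixed_in": "3.1.3", "distro_fixed_evr": None},
    {"id": "GHSA-g3rq-g295-4j3m", "installed": "2.10.1", "fixed_in": "2.11.3", "distro_fixed_evr": "2.10.1-3.10.2"},
]


def triage_all(findings=FINDINGS, rpm_evr=OWNING_RPM) -> dict:
    """Map each vulnerability id in the constructed findings to a triage verdict."""
    return {f["id"]: triage(f["installed"], f["fixed_in"], rpm_evr, f["distro_fixed_evr"])
            for f in findings}


if __name__ == "__main__":
    for vid, verdict in triage_all().items():
        print(f"{vid:24} {verdict}")
```

Run stand-alone, the block reports GHSA-g3rq-g295-4j3m as fixed-by-backport and leaves the other two as affected, which is the outcome the reporter expected for CVE-2020-28493 without saying anything about advisories the issue does not cover. The ownership step is the part to automate in a real pipeline: for every python-ecosystem hit whose files sit under a system site-packages path, run `rpm -qf` on the package metadata file, as the reporter did, and only then compare EVRs against the distro's own advisory data.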

willmurphyscode commented 1 month ago

Hi @sekveaja this will be fixed by https://github.com/anchore/vunnel/issues/626

sekveaja commented 1 month ago

Thanks @willmurphyscode for the update. Would you know the estimated timeframe for when this will be implemented?