What happened:
Scanning an image that has python3-neutron-17.1.3.dev3-1000.R12A04.noarch installed.
It generates these vulnerabilities:

```
$ grype --distro sles:15.5 | grep neutron
neutron  17.1.3.dev3  17.1.3    python  GHSA-hvm4-mc7m-22w4  High
neutron  17.1.3.dev3  17.2.1    python  GHSA-fh73-gjvg-349c  High
neutron  17.1.3.dev3  17.2.1    python  GHSA-cpx3-696p-3cw9  High
neutron  17.1.3.dev3  2014.2.4  python  GHSA-wf44-4mgj-rwvx  Medium   <==
neutron  17.1.3.dev3  18.6.0    python  GHSA-w446-h7vg-wv3p  Medium
neutron  17.1.3.dev3            python  GHSA-r3jh-qhgj-gvr8  Medium
```
What you expected to happen:
OpenStack changed its versioning system between Kilo and Liberty in 2015. Up to Kilo they used the year as a base, resulting in 20xx.x.x versions. From Liberty on they started to use semantic versioning in every project.
This resulted in lower version numbers for the newer projects, which the tools cannot handle now.
e.g. Neutron became 7.0.0 in Liberty, after the 2015.1.4 Kilo version.
https://releases.openstack.org/liberty/index.html
https://releases.openstack.org/kilo/index.html
How to reproduce it (as minimally and precisely as possible):
Download the tar file from the public repo https://tarballs.opendev.org/openstack/ so there is an artifact we can try scanning:

```
$ wget https://tarballs.opendev.org/openstack/neutron/neutron-17.3.0.tar.gz
```

Scan the tar file:

```
$ grype neutron-17.3.0.tar.gz
 ✔ Indexed file system                /tmp/syft-archive-contents-3540691396
 ✔ Cataloged contents                 4511349c568d80f9839f9422ec75a7e660e974cbc52f892ea7b095dba294e3f8
   ├── ✔ Packages                        [5 packages]
   ├── ✔ File digests                    [3 files]
   ├── ✔ File metadata                   [3 locations]
   └── ✔ Executables                     [0 executables]
 ✔ Scanned for vulnerabilities     [3 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 3 medium, 0 low, 0 negligible
   └── by status:   2 fixed, 1 not-fixed, 0 ignored
NAME     INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
neutron  17.3.0     2014.2.4  python  GHSA-wf44-4mgj-rwvx  Medium   (FP reproduced)
neutron  17.3.0     18.6.0    python  GHSA-w446-h7vg-wv3p  Medium
neutron  17.3.0               python  GHSA-r3jh-qhgj-gvr8  Medium
```
Environment:

Output of grype version:

```
Application:         grype
Version:             0.83.0
BuildDate:           2024-10-31T00:04:47Z
GitCommit:           https://github.com/anchore/grype/commit/0602464ebc9f3c417b1175b3e104b19a006604b7
GitDescription:      v0.83.0
Platform:            linux/amd64
```
OS (e.g: cat /etc/os-release or similar):

```
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
```
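The false positive above comes down to ordering: under plain numeric (or PEP 440) comparison, 17.3.0 sorts below 2014.2.4, so the scanner concludes the Kilo-era fix has not been applied to a Liberty-or-later release. The following triage script is an added example, not grype's or OpenStack's own code. It reproduces that ordering mistake, then applies a scheme-aware comparison (a semver install is treated as newer than any date-based fix version) to grype JSON output (`grype <target> -o json`). It assumes grype's JSON field names (`matches[].artifact.{name,version}`, `matches[].vulnerability.{id,fix.versions}`); the embedded sample report is constructed from the three neutron-17.3.0 matches in the issue.

```python
"""Triage grype matches across the OpenStack date-based -> semver switch.

Added example, not grype's or OpenStack's code. OpenStack used date-based
versions (2010.x .. 2015.x, Austin through Kilo) and moved to semantic
versioning with Liberty, so a post-Liberty neutron 17.3.0 compares *lower*
than the Kilo-era 2014.2.4 under plain numeric ordering. This script shows
that mistake and applies a scheme-aware rule instead.

Assumptions (not from the issue): JSON field names follow grype's schema;
SAMPLE_REPORT is constructed from the table in the issue.
"""
import json
import re
import sys

# Date-based OpenStack releases ran from 2010.x (Austin) to 2015.1.x (Kilo);
# a leading component in this window marks the old scheme. (Assumed window.)
DATE_SCHEME_YEARS = range(2010, 2016)

_RELEASE_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_release(version: str) -> tuple:
    """Numeric release tuple, ignoring dev/post/local suffixes.

    "17.1.3.dev3" -> (17, 1, 3); "2014.2.4" -> (2014, 2, 4).
    """
    m = _RELEASE_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_date_based(version: str) -> bool:
    """True for the pre-Liberty 20xx.y.z scheme, False for semver."""
    return parse_release(version)[0] in DATE_SCHEME_YEARS


def naive_is_vulnerable(installed: str, fixed: str) -> bool:
    """Plain numeric ordering: this is what yields the false positive."""
    return parse_release(installed) < parse_release(fixed)


def scheme_aware_is_vulnerable(installed: str, fixed: str) -> bool:
    """Compare within a scheme; across schemes, date-based always predates semver."""
    inst_dated, fix_dated = is_date_based(installed), is_date_based(fixed)
    if inst_dated != fix_dated:
        # A semver (post-Liberty) install already carries any fix that shipped
        # in a date-based (pre-Liberty) release; a date-based install does not
        # carry a fix that shipped in a semver release.
        return inst_dated
    return parse_release(installed) < parse_release(fixed)


def triage(report: dict) -> list:
    """Classify each match as 'vulnerable', 'false-positive', 'fixed' or 'no-fix'."""
    out = []
    for m in report.get("matches", []):
        pkg = m["artifact"]["name"]
        installed = m["artifact"]["version"]
        vuln = m["vulnerability"]["id"]
        fixes = m["vulnerability"].get("fix", {}).get("versions", [])
        if not fixes:
            out.append((vuln, pkg, installed, None, "no-fix"))
            continue
        # Still vulnerable only if some listed fix is ahead of the install
        # under the scheme-aware rule; a naive-only hit is the false positive.
        still_vuln = any(scheme_aware_is_vulnerable(installed, f) for f in fixes)
        naive = any(naive_is_vulnerable(installed, f) for f in fixes)
        verdict = "vulnerable" if still_vuln else ("false-positive" if naive else "fixed")
        out.append((vuln, pkg, installed, fixes, verdict))
    return out


# Constructed sample report mirroring the three neutron-17.3.0 matches in the issue.
SAMPLE_REPORT = {
    "matches": [
        {"artifact": {"name": "neutron", "version": "17.3.0", "type": "python"},
         "vulnerability": {"id": "GHSA-wf44-4mgj-rwvx", "severity": "Medium",
                           "fix": {"versions": ["2014.2.4"], "state": "fixed"}}},
        {"artifact": {"name": "neutron", "version": "17.3.0", "type": "python"},
         "vulnerability": {"id": "GHSA-w446-h7vg-wv3p", "severity": "Medium",
                           "fix": {"versions": ["18.6.0"], "state": "fixed"}}},
        {"artifact": {"name": "neutron", "version": "17.3.0", "type": "python"},
         "vulnerability": {"id": "GHSA-r3jh-qhgj-gvr8", "severity": "Medium",
                           "fix": {"versions": [], "state": "not-fixed"}}},
    ]
}

if __name__ == "__main__":
    # Usage: python3 triage.py grype-output.json  (no argument: run on the sample)
    with open(sys.argv[1]) if len(sys.argv) > 1 else None or sys.stdin as _:
        pass  # placeholder so the with-form above is not used; see below
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    for vuln, pkg, inst, fixes, verdict in triage(data):
        print(f"{verdict:15} {pkg} {inst} fixed-in={fixes} {vuln}")
```

The verdicts are a triage aid, not a fix for the scanner: a match flagged false-positive still needs a grype ignore rule (or an upstream correction to the advisory's fixed-in version) before it disappears from reports, and the year window used to detect the date-based scheme is an assumption that should be checked against the OpenStack release pages linked above.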