aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

False positive: SUSE-SU-2022:2260-1 and SUSE-SU-2022:3795-1 have wrong Fixed Version #3193

Closed vasiliy-ul closed 2 years ago

vasiliy-ul commented 2 years ago

Description

Trivy reports wrong Fixed Version for qemu-ipxe, qemu-seabios and qemu-vgabios:

┌───────────────────────┬─────────────────────┬──────────┬─────────────────────────────────┬─────────────────────┬───────────────────────────────────────────┐
│        Library        │    Vulnerability    │ Severity │        Installed Version        │    Fixed Version    │                   Title                   │
├───────────────────────┼─────────────────────┼──────────┼─────────────────────────────────┼─────────────────────┼───────────────────────────────────────────┤
...
├───────────────────────┼─────────────────────┼──────────┼─────────────────────────────────┼─────────────────────┼───────────────────────────────────────────┤
│ qemu-ipxe             │ SUSE-SU-2022:2260-1 │ HIGH     │ 1.0.0+-150400.37.8.2            │ 6.2.0-150400.37.5.3 │ Security update for qemu                  │
│                       ├─────────────────────┼──────────┤                                 ├─────────────────────┤                                           │
│                       │ SUSE-SU-2022:3795-1 │ MEDIUM   │                                 │ 6.2.0-150400.37.8.2 │                                           │
├───────────────────────┼─────────────────────┼──────────┼─────────────────────────────────┼─────────────────────┤                                           │
│ qemu-seabios          │ SUSE-SU-2022:2260-1 │ HIGH     │ 1.15.0_0_g2dd4b9b-150400.37.8.2 │ 6.2.0-150400.37.5.3 │                                           │
│                       ├─────────────────────┼──────────┤                                 ├─────────────────────┤                                           │
│                       │ SUSE-SU-2022:3795-1 │ MEDIUM   │                                 │ 6.2.0-150400.37.8.2 │                                           │
├───────────────────────┼─────────────────────┼──────────┤                                 ├─────────────────────┤                                           │
│ qemu-vgabios          │ SUSE-SU-2022:2260-1 │ HIGH     │                                 │ 6.2.0-150400.37.5.3 │                                           │
│                       ├─────────────────────┼──────────┤                                 ├─────────────────────┤                                           │
│                       │ SUSE-SU-2022:3795-1 │ MEDIUM   │                                 │ 6.2.0-150400.37.8.2 │                                           │
└───────────────────────┴─────────────────────┴──────────┴─────────────────────────────────┴─────────────────────┴───────────────────────────────────────────┘

The Fixed Version suggested by Trivy, 6.2.0-150400.37.5.3, seems to be taken from the main package qemu, though the subpackages qemu-ipxe, qemu-seabios and qemu-vgabios have a different versioning scheme.

The CVRF data (cvrf-suse-su-2022_2260-1.xml and cvrf-suse-su-2022_3795-1.xml) suggests the correct versioning:

qemu-ipxe-1.0.0+-150400.37.5.3
qemu-seabios-1.15.0_0_g2dd4b9b-150400.37.5.3
qemu-vgabios-1.15.0_0_g2dd4b9b-150400.37.5.3

JSON output of a run with --debug:

$ trivy image -f json --debug --security-checks vuln registry.suse.com/suse/sles/15.4/virt-launcher:0.54.0-150400.3.5.1 
2022-11-17T07:25:51.175+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-11-17T07:25:51.188+0100    DEBUG   cache dir:  /home/vulyanov/.cache/trivy
2022-11-17T07:25:51.188+0100    DEBUG   DB update was skipped because the local DB is the latest
2022-11-17T07:25:51.188+0100    DEBUG   DB Schema: 2, UpdatedAt: 2022-11-17 06:10:17.802062282 +0000 UTC, NextUpdate: 2022-11-17 12:10:17.802061982 +0000 UTC, DownloadedAt: 2022-11-17 06:24:00.211015865 +0000 UTC
2022-11-17T07:25:51.188+0100    INFO    Vulnerability scanning is enabled
2022-11-17T07:25:51.188+0100    DEBUG   Vulnerability type:  [os library]
2022-11-17T07:25:51.194+0100    DEBUG   Image ID: sha256:1a415f255f5928ca90b82d584a44fbb40aca40427548b4f49c4aa59996eb5a77
2022-11-17T07:25:51.194+0100    DEBUG   Diff IDs: [sha256:f21bc8c37320a5c0e0a89c8261f3c3cc718cbc1da20b132ee45dcc0f9eef587d sha256:2e13cf9accd4b14c4fd85bfeb9a5d3303477c72eb12d77efacbcc18ca2f92541]
2022-11-17T07:25:51.194+0100    DEBUG   Base Layers: []
2022-11-17T07:25:51.218+0100    INFO    Detected OS: suse linux enterprise server
2022-11-17T07:25:51.218+0100    INFO    Detecting SUSE vulnerabilities...
2022-11-17T07:25:51.218+0100    DEBUG   SUSE: os version: 15.4
2022-11-17T07:25:51.218+0100    DEBUG   SUSE: the number of packages: 340
2022-11-17T07:25:51.224+0100    INFO    Number of language-specific files: 0
{
  "SchemaVersion": 2,
  "ArtifactName": "registry.suse.com/suse/sles/15.4/virt-launcher:0.54.0-150400.3.5.1",
  "ArtifactType": "container_image",
  "Metadata": {
    "OS": {
      "Family": "suse linux enterprise server",
      "Name": "15.4"
    },
    "ImageID": "sha256:1a415f255f5928ca90b82d584a44fbb40aca40427548b4f49c4aa59996eb5a77",
    "DiffIDs": [
      "sha256:f21bc8c37320a5c0e0a89c8261f3c3cc718cbc1da20b132ee45dcc0f9eef587d",
      "sha256:2e13cf9accd4b14c4fd85bfeb9a5d3303477c72eb12d77efacbcc18ca2f92541"
    ],
    "RepoTags": [
      "registry.suse.com/suse/sles/15.4/virt-launcher:0.54.0-150400.3.5.1"
    ],
    "RepoDigests": [
      "registry.suse.com/suse/sles/15.4/virt-launcher@sha256:d900835bcf89e315c9345a860791ceecb13eeb9009d8bc8af538dbca41fd0cb4"
    ],
    "ImageConfig": {
      "architecture": "amd64",
      "container": "c018d11644fc2f9db22d76798f21f5e48b41cc0603c3c59b4ed052b712015975",
      "created": "2022-10-31T09:20:25.111348786Z",
      "docker_version": "20.10.17-ce",
      "history": [
        {
          "created": "2022-10-17T19:26:09Z",
          "created_by": "KIWI 9.24.36"
        },
        {
          "created": "2022-10-31T09:19:03Z",
          "created_by": "/bin/sh -c #(nop) COPY file:999c5558f3a017f19c35315006d56ea6bd8ca86b3e65e12b25a248f10a8e9324 in /usr/local/sbin/obs-docker-support "
        },
        {
          "created": "2022-10-31T09:19:05Z",
          "created_by": "/bin/sh -c obs-docker-support --install"
        },
        {
          "created": "2022-10-31T09:19:05Z",
          "created_by": "/bin/sh -c #(nop)  LABEL com.suse.kubevirt.title=kubevirt virt-launcher container",
          "empty_layer": true
        },
        {
          "created": "2022-10-31T09:19:05Z",
          "created_by": "/bin/sh -c #(nop)  LABEL org.opencontainers.image.title=kubevirt virt-launcher container",
          "empty_layer": true
        },
        {
          "created": "2022-10-31T09:19:05Z",
          "created_by": "/bin/sh -c #(nop)  LABEL com.suse.kubevirt.description=Container to host VM processes for kubevirt",
          "empty_layer": true
        },
        {
          "created": "2022-10-31T09:19:05Z",
          "created_by": "/bin/sh -c #(nop)  LABEL org.opencontainers.image.description=Container to host VM processes for kubevirt",
          "empty_layer": true
        },
        {
          "created": "2022-10-31T09:19:05Z",
          "created_by": "/bin/sh -c #(nop)  LABEL com.suse.kubevirt.created=2022-10-31T09:18:56.224795382Z",
          "empty_layer": true
        },
        {
          "created": "2022-10-31T09:19:06Z",
          "created_by": "/bin/sh -c #(nop)  LABEL org.opencontainers.image.created=2022-10-31T09:18:56.224795382Z",
          "empty_layer": true
        },
        {
          "created": "2022-10-31T09:19:06Z",
          "created_by": "/bin/sh -c #(nop)  LABEL com.suse.kubevirt.version=0.54.0.16.5.2",
          "empty_layer": true
        },
        {
          "created": "2022-10-31T09:19:06Z",
          "created_by": "/bin/sh -c #(nop)  LABEL org.opencontainers.image.version=0.54.0.16.5.2",
          "empty_layer": true
        },
        {
          "created": "2022-10-31T09:19:06Z",
          "created_by": "/bin/sh -c #(nop)  LABEL com.suse.kubevirt.disturl=obs://build.suse.de/SUSE:Maintenance:26632/containerfile/641d484a746b4d4905fcb6697eb16c5d-virt-launcher-container.SUSE_SLE-15-SP4_Update",
          "empty_layer": true
        },
        {
          "created": "2022-10-31T09:19:06Z",
          "created_by": "/bin/sh -c #(nop)  LABEL org.openbuildservice.disturl=obs://build.suse.de/SUSE:Maintenance:26632/containerfile/641d484a746b4d4905fcb6697eb16c5d-virt-launcher-container.SUSE_SLE-15-SP4_Update",
          "empty_layer": true
        },
        {
          "created": "2022-10-31T09:19:06Z",
          "created_by": "/bin/sh -c #(nop)  LABEL com.suse.kubevirt.reference=registry.suse.com/suse/sles/15.4/virt-launcher:0.54.0.16.5.2",
          "empty_layer": true
        },
        {
          "created": "2022-10-31T09:19:06Z",
          "created_by": "/bin/sh -c #(nop)  LABEL org.opensuse.reference=registry.suse.com/suse/sles/15.4/virt-launcher:0.54.0.16.5.2",
          "empty_layer": true
        },
        {
          "created": "2022-10-31T09:20:09Z",
          "created_by": "/bin/sh -c zypper -n install               augeas               augeas-lenses               ethtool               gawk               iptables               kubevirt-container-disk               kubevirt-virt-launcher               libcap-progs               libvirt-client               libvirt-daemon-qemu               nftables               qemu-hw-usb-redirect               qemu-tools               qemu-x86               socat               tar               timezone               vim-small               xorriso \u0026\u0026     zypper clean -a \u0026\u0026     mkdir -p /usr/share/kubevirt/virt-launcher"
        },
        {
          "created": "2022-10-31T09:20:10Z",
          "created_by": "/bin/sh -c mkdir -p /usr/share/OVMF \u0026\u0026     ln -s ../qemu/ovmf-x86_64-code.bin /usr/share/OVMF/OVMF_CODE.fd \u0026\u0026     ln -s ../qemu/ovmf-x86_64-vars.bin /usr/share/OVMF/OVMF_VARS.fd \u0026\u0026     ln -s ../qemu/ovmf-x86_64-code.bin /usr/share/OVMF/OVMF_CODE.cc.fd \u0026\u0026     ln -s ../qemu/ovmf-x86_64-smm-ms-code.bin /usr/share/OVMF/OVMF_CODE.secboot.fd \u0026\u0026     ln -s ../qemu/ovmf-x86_64-smm-ms-vars.bin /usr/share/OVMF/OVMF_VARS.secboot.fd"
        },
        {
          "created": "2022-10-31T09:20:10Z",
          "created_by": "/bin/sh -c #(nop) COPY file:d92844a853d96ba386e0a567731d6883199d107203c1ed4ce2851767f8ef0061 in /augconf "
        },
        {
          "created": "2022-10-31T09:20:14Z",
          "created_by": "/bin/sh -c augtool -f /augconf"
        },
        {
          "created": "2022-10-31T09:20:15Z",
          "created_by": "/bin/sh -c cd /var \u0026\u0026 rm -rf run \u0026\u0026 ln -s ../run ."
        },
        {
          "created": "2022-10-31T09:20:15Z",
          "created_by": "/bin/sh -c #(nop)  ENTRYPOINT [\"/usr/bin/virt-launcher\"]",
          "empty_layer": true
        },
        {
          "created": "2022-10-31T09:20:15Z",
          "created_by": "/bin/sh -c obs-docker-support --uninstall"
        },
        {
          "created": "2022-10-31T09:20:16Z",
          "created_by": "/bin/sh -c #(nop)  LABEL org.openbuildservice.disturl=obs://build.suse.de/SUSE:Maintenance:26632/containerfile/641d484a746b4d4905fcb6697eb16c5d-virt-launcher-container.SUSE_SLE-15-SP4_Update",
          "empty_layer": true
        },
        {
          "created": "2022-10-31T09:20:25Z",
          "comment": "merge sha256:314c5859eb760caf676e1c1a460e06c515b636dd779be4306c6bbc3fc52835ce to sha256:7ba7f39b10a9b84125385dbddfc934ef95f64d7f3c9e443b5f22b30b4b07d6e2"
        }
      ],
      "os": "linux",
      "rootfs": {
        "type": "layers",
        "diff_ids": [
          "sha256:f21bc8c37320a5c0e0a89c8261f3c3cc718cbc1da20b132ee45dcc0f9eef587d",
          "sha256:2e13cf9accd4b14c4fd85bfeb9a5d3303477c72eb12d77efacbcc18ca2f92541"
        ]
      },
      "config": {
        "Entrypoint": [
          "/usr/bin/virt-launcher"
        ],
        "Env": [
          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        ],
        "Image": "sha256:d3091d438ac4a0c55948f522ea9f9df9b1df7deec4d9a7fca770139c5fe7b45f",
        "Labels": {
          "com.suse.bci.base.created": "2022-10-17T19:25:54.369829359Z",
          "com.suse.bci.base.description": "Image for containers based on SUSE Linux Enterprise Server 15 SP4.",
          "com.suse.bci.base.disturl": "obs://build.suse.de/SUSE:Maintenance:26432/SUSE_SLE-15-SP4_Update_images/f22f99b997b5efff7bd2cf3a712f8c11-sles15-image.SUSE_SLE-15-SP4_Update",
          "com.suse.bci.base.eula": "sle-bci",
          "com.suse.bci.base.image-type": "sle-bci",
          "com.suse.bci.base.lifecycle-url": "https://www.suse.com/lifecycle",
          "com.suse.bci.base.reference": "registry.suse.com/suse/sle15:15.4.27.12.1",
          "com.suse.bci.base.release-stage": "released",
          "com.suse.bci.base.source": "https://sources.suse.com/SUSE:Maintenance:26432/sles15-image.SUSE_SLE-15-SP4_Update/f22f99b997b5efff7bd2cf3a712f8c11/",
          "com.suse.bci.base.supportlevel": "l3",
          "com.suse.bci.base.title": "SLE BCI 15 SP4 Base Container Image",
          "com.suse.bci.base.url": "https://www.suse.com/products/server/",
          "com.suse.bci.base.vendor": "SUSE LLC",
          "com.suse.bci.base.version": "15.4.27.12.1",
          "com.suse.eula": "sle-bci",
          "com.suse.image-type": "sle-bci",
          "com.suse.kubevirt.created": "2022-10-31T09:18:56.224795382Z",
          "com.suse.kubevirt.description": "Container to host VM processes for kubevirt",
          "com.suse.kubevirt.disturl": "obs://build.suse.de/SUSE:Maintenance:26632/containerfile/641d484a746b4d4905fcb6697eb16c5d-virt-launcher-container.SUSE_SLE-15-SP4_Update",
          "com.suse.kubevirt.reference": "registry.suse.com/suse/sles/15.4/virt-launcher:0.54.0.16.5.2",
          "com.suse.kubevirt.title": "kubevirt virt-launcher container",
          "com.suse.kubevirt.version": "0.54.0.16.5.2",
          "com.suse.lifecycle-url": "https://www.suse.com/lifecycle",
          "com.suse.release-stage": "released",
          "com.suse.sle.base.created": "2022-10-17T19:25:54.369829359Z",
          "com.suse.sle.base.description": "Image for containers based on SUSE Linux Enterprise Server 15 SP4.",
          "com.suse.sle.base.disturl": "obs://build.suse.de/SUSE:Maintenance:26432/SUSE_SLE-15-SP4_Update_images/f22f99b997b5efff7bd2cf3a712f8c11-sles15-image.SUSE_SLE-15-SP4_Update",
          "com.suse.sle.base.eula": "sle-bci",
          "com.suse.sle.base.image-type": "sle-bci",
          "com.suse.sle.base.lifecycle-url": "https://www.suse.com/lifecycle",
          "com.suse.sle.base.reference": "registry.suse.com/suse/sle15:15.4.27.12.1",
          "com.suse.sle.base.release-stage": "released",
          "com.suse.sle.base.source": "https://sources.suse.com/SUSE:Maintenance:26432/sles15-image.SUSE_SLE-15-SP4_Update/f22f99b997b5efff7bd2cf3a712f8c11/",
          "com.suse.sle.base.supportlevel": "l3",
          "com.suse.sle.base.title": "SLE BCI 15 SP4 Base Container Image",
          "com.suse.sle.base.url": "https://www.suse.com/products/server/",
          "com.suse.sle.base.vendor": "SUSE LLC",
          "com.suse.sle.base.version": "15.4.27.12.1",
          "com.suse.supportlevel": "l3",
          "org.openbuildservice.disturl": "obs://build.suse.de/SUSE:Maintenance:26632/containerfile/641d484a746b4d4905fcb6697eb16c5d-virt-launcher-container.SUSE_SLE-15-SP4_Update",
          "org.opencontainers.image.created": "2022-10-31T09:18:56.224795382Z",
          "org.opencontainers.image.description": "Container to host VM processes for kubevirt",
          "org.opencontainers.image.source": "https://sources.suse.com/SUSE:Maintenance:26432/sles15-image.SUSE_SLE-15-SP4_Update/f22f99b997b5efff7bd2cf3a712f8c11/",
          "org.opencontainers.image.title": "kubevirt virt-launcher container",
          "org.opencontainers.image.url": "https://www.suse.com/products/server/",
          "org.opencontainers.image.vendor": "SUSE LLC",
          "org.opencontainers.image.version": "0.54.0.16.5.2",
          "org.opensuse.reference": "registry.suse.com/suse/sles/15.4/virt-launcher:0.54.0.16.5.2"
        }
      }
    }
  },
  "Results": [
    {
      "Target": "registry.suse.com/suse/sles/15.4/virt-launcher:0.54.0-150400.3.5.1 (suse linux enterprise server 15.4)",
      "Class": "os-pkgs",
      "Type": "suse linux enterprise server",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "SUSE-SU-2022:3781-1",
          "PkgID": "container-suseconnect@2.3.0-4.17.1.x86_64",
          "PkgName": "container-suseconnect",
          "InstalledVersion": "2.3.0-4.17.1",
          "FixedVersion": "2.3.0-150000.4.19.2",
          "Layer": {
            "Digest": "sha256:6cd4c278af4f9d705ed1fac96a9582090b81528b27321463e01c4bca8db39467",
            "DiffID": "sha256:f21bc8c37320a5c0e0a89c8261f3c3cc718cbc1da20b132ee45dcc0f9eef587d"
          },
          "DataSource": {
            "ID": "suse-cvrf",
            "Name": "SUSE CVRF",
            "URL": "https://ftp.suse.com/pub/projects/security/cvrf/"
          },
          "Title": "Security update for container-suseconnect",
          "Description": "\nThis update of container-suseconnect is a rebuilt of the previous sources against the current security updated go compiler.\n",
          "Severity": "UNKNOWN",
          "References": [
            "https://bugzilla.suse.com/1204397",
            "https://lists.suse.com/pipermail/sle-security-updates/2022-October/012716.html",
            "https://www.suse.com/support/security/rating/",
            "https://www.suse.com/support/update/announcement/2022/suse-su-20223781-1/"
          ]
        },
        {
          "VulnerabilityID": "SUSE-SU-2022:3785-1",
          "PkgID": "curl@7.79.1-150400.5.6.1.x86_64",
          "PkgName": "curl",
          "InstalledVersion": "7.79.1-150400.5.6.1",
          "FixedVersion": "7.79.1-150400.5.9.1",
          "Layer": {
            "Digest": "sha256:6cd4c278af4f9d705ed1fac96a9582090b81528b27321463e01c4bca8db39467",
            "DiffID": "sha256:f21bc8c37320a5c0e0a89c8261f3c3cc718cbc1da20b132ee45dcc0f9eef587d"
          },
          "SeveritySource": "suse-cvrf",
          "DataSource": {
            "ID": "suse-cvrf",
            "Name": "SUSE CVRF",
            "URL": "https://ftp.suse.com/pub/projects/security/cvrf/"
          },
          "Title": "Security update for curl",
          "Description": "This update for curl fixes the following issues:\n\n  - CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).\n  - CVE-2022-42916: Fixed HSTS bypass via IDN (bsc#1204386).\n",
          "Severity": "HIGH",
          "References": [
            "https://bugzilla.suse.com/1204383",
            "https://bugzilla.suse.com/1204386",
            "https://lists.suse.com/pipermail/sle-security-updates/2022-October/012718.html",
            "https://www.suse.com/security/cve/CVE-2022-32221/",
            "https://www.suse.com/security/cve/CVE-2022-42916/",
            "https://www.suse.com/support/security/rating/",
            "https://www.suse.com/support/update/announcement/2022/suse-su-20223785-1/"
          ]
        },
        {
          "VulnerabilityID": "SUSE-SU-2022:3785-1",
          "PkgID": "libcurl4@7.79.1-150400.5.6.1.x86_64",
          "PkgName": "libcurl4",
          "InstalledVersion": "7.79.1-150400.5.6.1",
          "FixedVersion": "7.79.1-150400.5.9.1",
          "Layer": {
            "Digest": "sha256:6cd4c278af4f9d705ed1fac96a9582090b81528b27321463e01c4bca8db39467",
            "DiffID": "sha256:f21bc8c37320a5c0e0a89c8261f3c3cc718cbc1da20b132ee45dcc0f9eef587d"
          },
          "SeveritySource": "suse-cvrf",
          "DataSource": {
            "ID": "suse-cvrf",
            "Name": "SUSE CVRF",
            "URL": "https://ftp.suse.com/pub/projects/security/cvrf/"
          },
          "Title": "Security update for curl",
          "Description": "This update for curl fixes the following issues:\n\n  - CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).\n  - CVE-2022-42916: Fixed HSTS bypass via IDN (bsc#1204386).\n",
          "Severity": "HIGH",
          "References": [
            "https://bugzilla.suse.com/1204383",
            "https://bugzilla.suse.com/1204386",
            "https://lists.suse.com/pipermail/sle-security-updates/2022-October/012718.html",
            "https://www.suse.com/security/cve/CVE-2022-32221/",
            "https://www.suse.com/security/cve/CVE-2022-42916/",
            "https://www.suse.com/support/security/rating/",
            "https://www.suse.com/support/update/announcement/2022/suse-su-20223785-1/"
          ]
        },
        {
          "VulnerabilityID": "SUSE-SU-2022:3884-1",
          "PkgID": "libexpat1@2.4.4-150400.3.9.1.x86_64",
          "PkgName": "libexpat1",
          "InstalledVersion": "2.4.4-150400.3.9.1",
          "FixedVersion": "2.4.4-150400.3.12.1",
          "Layer": {
            "Digest": "sha256:532c888986d287fb7ba4ef84b841c934ef0ce41d6c9dae2856182e7e0d1259ea",
            "DiffID": "sha256:2e13cf9accd4b14c4fd85bfeb9a5d3303477c72eb12d77efacbcc18ca2f92541"
          },
          "SeveritySource": "suse-cvrf",
          "DataSource": {
            "ID": "suse-cvrf",
            "Name": "SUSE CVRF",
            "URL": "https://ftp.suse.com/pub/projects/security/cvrf/"
          },
          "Title": "Security update for expat",
          "Description": "This update for expat fixes the following issues:\n\n  - CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).\n",
          "Severity": "HIGH",
          "References": [
            "https://bugzilla.suse.com/1204708",
            "https://lists.suse.com/pipermail/sle-security-updates/2022-November/012821.html",
            "https://www.suse.com/security/cve/CVE-2022-43680/",
            "https://www.suse.com/support/security/rating/",
            "https://www.suse.com/support/update/announcement/2022/suse-su-20223884-1/"
          ]
        },
        {
          "VulnerabilityID": "SUSE-SU-2022:3784-1",
          "PkgID": "libtasn1@4.13-4.5.1.x86_64",
          "PkgName": "libtasn1",
          "InstalledVersion": "4.13-4.5.1",
          "FixedVersion": "4.13-150000.4.8.1",
          "Layer": {
            "Digest": "sha256:6cd4c278af4f9d705ed1fac96a9582090b81528b27321463e01c4bca8db39467",
            "DiffID": "sha256:f21bc8c37320a5c0e0a89c8261f3c3cc718cbc1da20b132ee45dcc0f9eef587d"
          },
          "SeveritySource": "suse-cvrf",
          "DataSource": {
            "ID": "suse-cvrf",
            "Name": "SUSE CVRF",
            "URL": "https://ftp.suse.com/pub/projects/security/cvrf/"
          },
          "Title": "Security update for libtasn1",
          "Description": "This update for libtasn1 fixes the following issues:\n\n- CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690)\n",
          "Severity": "CRITICAL",
          "References": [
            "https://bugzilla.suse.com/1204690",
            "https://lists.suse.com/pipermail/sle-security-updates/2022-October/012715.html",
            "https://www.suse.com/security/cve/CVE-2021-46848/",
            "https://www.suse.com/support/security/rating/",
            "https://www.suse.com/support/update/announcement/2022/suse-su-20223784-1/"
          ]
        },
        {
          "VulnerabilityID": "SUSE-SU-2022:3784-1",
          "PkgID": "libtasn1-6@4.13-4.5.1.x86_64",
          "PkgName": "libtasn1-6",
          "InstalledVersion": "4.13-4.5.1",
          "FixedVersion": "4.13-150000.4.8.1",
          "Layer": {
            "Digest": "sha256:6cd4c278af4f9d705ed1fac96a9582090b81528b27321463e01c4bca8db39467",
            "DiffID": "sha256:f21bc8c37320a5c0e0a89c8261f3c3cc718cbc1da20b132ee45dcc0f9eef587d"
          },
          "SeveritySource": "suse-cvrf",
          "DataSource": {
            "ID": "suse-cvrf",
            "Name": "SUSE CVRF",
            "URL": "https://ftp.suse.com/pub/projects/security/cvrf/"
          },
          "Title": "Security update for libtasn1",
          "Description": "This update for libtasn1 fixes the following issues:\n\n- CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690)\n",
          "Severity": "CRITICAL",
          "References": [
            "https://bugzilla.suse.com/1204690",
            "https://lists.suse.com/pipermail/sle-security-updates/2022-October/012715.html",
            "https://www.suse.com/security/cve/CVE-2021-46848/",
            "https://www.suse.com/support/security/rating/",
            "https://www.suse.com/support/update/announcement/2022/suse-su-20223784-1/"
          ]
        },
        {
          "VulnerabilityID": "SUSE-SU-2022:2260-1",
          "PkgID": "qemu-ipxe@1.0.0+-150400.37.8.2.noarch",
          "PkgName": "qemu-ipxe",
          "InstalledVersion": "1.0.0+-150400.37.8.2",
          "FixedVersion": "6.2.0-150400.37.5.3",
          "Layer": {
            "Digest": "sha256:532c888986d287fb7ba4ef84b841c934ef0ce41d6c9dae2856182e7e0d1259ea",
            "DiffID": "sha256:2e13cf9accd4b14c4fd85bfeb9a5d3303477c72eb12d77efacbcc18ca2f92541"
          },
          "SeveritySource": "suse-cvrf",
          "DataSource": {
            "ID": "suse-cvrf",
            "Name": "SUSE CVRF",
            "URL": "https://ftp.suse.com/pub/projects/security/cvrf/"
          },
          "Title": "Security update for qemu",
          "Description": "This update for qemu fixes the following issues:\n\n- CVE-2022-26354: Fixed missing virtqueue detach on error can lead to memory leak (bsc#1198712)\n- CVE-2022-26353: Fixed map leaking on error during receive (bsc#1198711)\n- CVE-2021-4207: Fixed double fetch in qxl_cursor() can lead to heap buffer overflow (bsc#1198037)\n- CVE-2021-4206: Fixed integer overflow in cursor_alloc() can lead to heap buffer overflow (bsc#1198035)\n",
          "Severity": "HIGH",
          "References": [
            "https://bugzilla.suse.com/1197084",
            "https://bugzilla.suse.com/1198035",
            "https://bugzilla.suse.com/1198037",
            "https://bugzilla.suse.com/1198711",
            "https://bugzilla.suse.com/1198712",
            "https://bugzilla.suse.com/1199015",
            "https://bugzilla.suse.com/1199018",
            "https://bugzilla.suse.com/1199625",
            "https://bugzilla.suse.com/1199924",
            "https://lists.suse.com/pipermail/sle-security-updates/2022-July/011391.html",
            "https://www.suse.com/security/cve/CVE-2021-4206/",
            "https://www.suse.com/security/cve/CVE-2021-4207/",
            "https://www.suse.com/security/cve/CVE-2022-26353/",
            "https://www.suse.com/security/cve/CVE-2022-26354/",
            "https://www.suse.com/support/security/rating/",
            "https://www.suse.com/support/update/announcement/2022/suse-su-20222260-1/"
          ]
        },
        {
          "VulnerabilityID": "SUSE-SU-2022:3795-1",
          "PkgID": "qemu-ipxe@1.0.0+-150400.37.8.2.noarch",
          "PkgName": "qemu-ipxe",
          "InstalledVersion": "1.0.0+-150400.37.8.2",
          "FixedVersion": "6.2.0-150400.37.8.2",
          "Layer": {
            "Digest": "sha256:532c888986d287fb7ba4ef84b841c934ef0ce41d6c9dae2856182e7e0d1259ea",
            "DiffID": "sha256:2e13cf9accd4b14c4fd85bfeb9a5d3303477c72eb12d77efacbcc18ca2f92541"
          },
          "SeveritySource": "suse-cvrf",
          "DataSource": {
            "ID": "suse-cvrf",
            "Name": "SUSE CVRF",
            "URL": "https://ftp.suse.com/pub/projects/security/cvrf/"
          },
          "Title": "Security update for qemu",
          "Description": "This update for qemu fixes the following issues:\n\n- CVE-2022-0216: Fixed a use after free issue found in hw/scsi/lsi53c895a.c. (bsc#1198038)\n- CVE-2022-35414: Fixed an uninitialized read during address translation that leads to a crash. (bsc#1201367)\n",
          "Severity": "MEDIUM",
          "References": [
            "https://bugzilla.suse.com/1192115",
            "https://bugzilla.suse.com/1198038",
            "https://bugzilla.suse.com/1201367",
            "https://lists.suse.com/pipermail/sle-security-updates/2022-October/012725.html",
            "https://www.suse.com/security/cve/CVE-2022-0216/",
            "https://www.suse.com/security/cve/CVE-2022-35414/",
            "https://www.suse.com/support/security/rating/",
            "https://www.suse.com/support/update/announcement/2022/suse-su-20223795-1/"
          ]
        },
        {
          "VulnerabilityID": "SUSE-SU-2022:2260-1",
          "PkgID": "qemu-seabios@1.15.0_0_g2dd4b9b-150400.37.8.2.noarch",
          "PkgName": "qemu-seabios",
          "InstalledVersion": "1.15.0_0_g2dd4b9b-150400.37.8.2",
          "FixedVersion": "6.2.0-150400.37.5.3",
          "Layer": {
            "Digest": "sha256:532c888986d287fb7ba4ef84b841c934ef0ce41d6c9dae2856182e7e0d1259ea",
            "DiffID": "sha256:2e13cf9accd4b14c4fd85bfeb9a5d3303477c72eb12d77efacbcc18ca2f92541"
          },
          "SeveritySource": "suse-cvrf",
          "DataSource": {
            "ID": "suse-cvrf",
            "Name": "SUSE CVRF",
            "URL": "https://ftp.suse.com/pub/projects/security/cvrf/"
          },
          "Title": "Security update for qemu",
          "Description": "This update for qemu fixes the following issues:\n\n- CVE-2022-26354: Fixed missing virtqueue detach on error can lead to memory leak (bsc#1198712)\n- CVE-2022-26353: Fixed map leaking on error during receive (bsc#1198711)\n- CVE-2021-4207: Fixed double fetch in qxl_cursor() can lead to heap buffer overflow (bsc#1198037)\n- CVE-2021-4206: Fixed integer overflow in cursor_alloc() can lead to heap buffer overflow (bsc#1198035)\n",
          "Severity": "HIGH",
          "References": [
            "https://bugzilla.suse.com/1197084",
            "https://bugzilla.suse.com/1198035",
            "https://bugzilla.suse.com/1198037",
            "https://bugzilla.suse.com/1198711",
            "https://bugzilla.suse.com/1198712",
            "https://bugzilla.suse.com/1199015",
            "https://bugzilla.suse.com/1199018",
            "https://bugzilla.suse.com/1199625",
            "https://bugzilla.suse.com/1199924",
            "https://lists.suse.com/pipermail/sle-security-updates/2022-July/011391.html",
            "https://www.suse.com/security/cve/CVE-2021-4206/",
            "https://www.suse.com/security/cve/CVE-2021-4207/",
            "https://www.suse.com/security/cve/CVE-2022-26353/",
            "https://www.suse.com/security/cve/CVE-2022-26354/",
            "https://www.suse.com/support/security/rating/",
            "https://www.suse.com/support/update/announcement/2022/suse-su-20222260-1/"
          ]
        },
        {
          "VulnerabilityID": "SUSE-SU-2022:3795-1",
          "PkgID": "qemu-seabios@1.15.0_0_g2dd4b9b-150400.37.8.2.noarch",
          "PkgName": "qemu-seabios",
          "InstalledVersion": "1.15.0_0_g2dd4b9b-150400.37.8.2",
          "FixedVersion": "6.2.0-150400.37.8.2",
          "Layer": {
            "Digest": "sha256:532c888986d287fb7ba4ef84b841c934ef0ce41d6c9dae2856182e7e0d1259ea",
            "DiffID": "sha256:2e13cf9accd4b14c4fd85bfeb9a5d3303477c72eb12d77efacbcc18ca2f92541"
          },
          "SeveritySource": "suse-cvrf",
          "DataSource": {
            "ID": "suse-cvrf",
            "Name": "SUSE CVRF",
            "URL": "https://ftp.suse.com/pub/projects/security/cvrf/"
          },
          "Title": "Security update for qemu",
          "Description": "This update for qemu fixes the following issues:\n\n- CVE-2022-0216: Fixed a use after free issue found in hw/scsi/lsi53c895a.c. (bsc#1198038)\n- CVE-2022-35414: Fixed an uninitialized read during address translation that leads to a crash. (bsc#1201367)\n",
          "Severity": "MEDIUM",
          "References": [
            "https://bugzilla.suse.com/1192115",
            "https://bugzilla.suse.com/1198038",
            "https://bugzilla.suse.com/1201367",
            "https://lists.suse.com/pipermail/sle-security-updates/2022-October/012725.html",
            "https://www.suse.com/security/cve/CVE-2022-0216/",
            "https://www.suse.com/security/cve/CVE-2022-35414/",
            "https://www.suse.com/support/security/rating/",
            "https://www.suse.com/support/update/announcement/2022/suse-su-20223795-1/"
          ]
        },
        {
          "VulnerabilityID": "SUSE-SU-2022:2260-1",
          "PkgID": "qemu-vgabios@1.15.0_0_g2dd4b9b-150400.37.8.2.noarch",
          "PkgName": "qemu-vgabios",
          "InstalledVersion": "1.15.0_0_g2dd4b9b-150400.37.8.2",
          "FixedVersion": "6.2.0-150400.37.5.3",
          "Layer": {
            "Digest": "sha256:532c888986d287fb7ba4ef84b841c934ef0ce41d6c9dae2856182e7e0d1259ea",
            "DiffID": "sha256:2e13cf9accd4b14c4fd85bfeb9a5d3303477c72eb12d77efacbcc18ca2f92541"
          },
          "SeveritySource": "suse-cvrf",
          "DataSource": {
            "ID": "suse-cvrf",
            "Name": "SUSE CVRF",
            "URL": "https://ftp.suse.com/pub/projects/security/cvrf/"
          },
          "Title": "Security update for qemu",
          "Description": "This update for qemu fixes the following issues:\n\n- CVE-2022-26354: Fixed missing virtqueue detach on error can lead to memory leak (bsc#1198712)\n- CVE-2022-26353: Fixed map leaking on error during receive (bsc#1198711)\n- CVE-2021-4207: Fixed double fetch in qxl_cursor() can lead to heap buffer overflow (bsc#1198037)\n- CVE-2021-4206: Fixed integer overflow in cursor_alloc() can lead to heap buffer overflow (bsc#1198035)\n",
          "Severity": "HIGH",
          "References": [
            "https://bugzilla.suse.com/1197084",
            "https://bugzilla.suse.com/1198035",
            "https://bugzilla.suse.com/1198037",
            "https://bugzilla.suse.com/1198711",
            "https://bugzilla.suse.com/1198712",
            "https://bugzilla.suse.com/1199015",
            "https://bugzilla.suse.com/1199018",
            "https://bugzilla.suse.com/1199625",
            "https://bugzilla.suse.com/1199924",
            "https://lists.suse.com/pipermail/sle-security-updates/2022-July/011391.html",
            "https://www.suse.com/security/cve/CVE-2021-4206/",
            "https://www.suse.com/security/cve/CVE-2021-4207/",
            "https://www.suse.com/security/cve/CVE-2022-26353/",
            "https://www.suse.com/security/cve/CVE-2022-26354/",
            "https://www.suse.com/support/security/rating/",
            "https://www.suse.com/support/update/announcement/2022/suse-su-20222260-1/"
          ]
        },
        {
          "VulnerabilityID": "SUSE-SU-2022:3795-1",
          "PkgID": "qemu-vgabios@1.15.0_0_g2dd4b9b-150400.37.8.2.noarch",
          "PkgName": "qemu-vgabios",
          "InstalledVersion": "1.15.0_0_g2dd4b9b-150400.37.8.2",
          "FixedVersion": "6.2.0-150400.37.8.2",
          "Layer": {
            "Digest": "sha256:532c888986d287fb7ba4ef84b841c934ef0ce41d6c9dae2856182e7e0d1259ea",
            "DiffID": "sha256:2e13cf9accd4b14c4fd85bfeb9a5d3303477c72eb12d77efacbcc18ca2f92541"
          },
          "SeveritySource": "suse-cvrf",
          "DataSource": {
            "ID": "suse-cvrf",
            "Name": "SUSE CVRF",
            "URL": "https://ftp.suse.com/pub/projects/security/cvrf/"
          },
          "Title": "Security update for qemu",
          "Description": "This update for qemu fixes the following issues:\n\n- CVE-2022-0216: Fixed a use after free issue found in hw/scsi/lsi53c895a.c. (bsc#1198038)\n- CVE-2022-35414: Fixed an uninitialized read during address translation that leads to a crash. (bsc#1201367)\n",
          "Severity": "MEDIUM",
          "References": [
            "https://bugzilla.suse.com/1192115",
            "https://bugzilla.suse.com/1198038",
            "https://bugzilla.suse.com/1201367",
            "https://lists.suse.com/pipermail/sle-security-updates/2022-October/012725.html",
            "https://www.suse.com/security/cve/CVE-2022-0216/",
            "https://www.suse.com/security/cve/CVE-2022-35414/",
            "https://www.suse.com/support/security/rating/",
            "https://www.suse.com/support/update/announcement/2022/suse-su-20223795-1/"
          ]
        }
      ]
    }
  ]
}

Output of trivy -v:

Version: 0.34.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-11-17 06:10:17.802062282 +0000 UTC
  NextUpdate: 2022-11-17 12:10:17.802061982 +0000 UTC
  DownloadedAt: 2022-11-17 06:24:00.211015865 +0000 UTC

Additional details (base image name, container registry info...):

Container image: registry.suse.com/suse/sles/15.4/virt-launcher:0.54.0-150400.3.5.1
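
As an added triage aid (this is not code from Trivy or from the issue reporter), the following script reads a Trivy JSON report and flags findings that show the pattern above: the "FixedVersion" carries a different upstream version than the installed package (here qemu's 6.2.0 against the 1.x strings of qemu-ipxe, qemu-seabios and qemu-vgabios), while the release tag of the installed package is already at or above the fixed release. The heuristic rests on the assumption that subpackages built from one SUSE source RPM share the release tag (150400.37.x.y); the rpm label comparison is a reimplementation of rpm's algorithm for digit, letter and tilde segments, and the sample report is a constructed excerpt of the report in this issue plus one hypothetical "qemu" row that is genuinely affected.

```python
import json
import re

# Constructed excerpt of the Trivy JSON report from this issue, reduced to the
# fields the check needs. The final "qemu" row is hypothetical: same upstream
# version as the fix, older release, i.e. a genuine finding.
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "registry.suse.com/suse/sles/15.4/virt-launcher:0.54.0-150400.3.5.1",
    "Vulnerabilities": [
        {"VulnerabilityID": "SUSE-SU-2022:2260-1", "PkgName": "qemu-ipxe",
         "InstalledVersion": "1.0.0+-150400.37.8.2", "FixedVersion": "6.2.0-150400.37.5.3"},
        {"VulnerabilityID": "SUSE-SU-2022:3795-1", "PkgName": "qemu-seabios",
         "InstalledVersion": "1.15.0_0_g2dd4b9b-150400.37.8.2", "FixedVersion": "6.2.0-150400.37.8.2"},
        {"VulnerabilityID": "SUSE-SU-2022:3795-1", "PkgName": "qemu-vgabios",
         "InstalledVersion": "1.15.0_0_g2dd4b9b-150400.37.8.2", "FixedVersion": "6.2.0-150400.37.8.2"},
        {"VulnerabilityID": "SUSE-SU-2022:3795-1", "PkgName": "qemu",
         "InstalledVersion": "6.2.0-150400.37.5.3", "FixedVersion": "6.2.0-150400.37.8.2"},
    ]}]})

_SEG = re.compile(r"(\d+|[a-zA-Z]+|~)")


def rpmvercmp(a: str, b: str) -> int:
    """rpm label comparison: numeric segments compare as integers, alpha
    segments as strings, a numeric segment beats an alpha one, '~' sorts
    before anything (caret is not handled). Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() or y.isdigit():
            c = 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    if len(sa) == len(sb):
        return 0
    longer_is_a = len(sa) > len(sb)
    rest = (sa if longer_is_a else sb)[min(len(sa), len(sb))]
    if rest == "~":            # trailing '~' makes the longer label older
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def split_evr(label: str):
    """Split 'epoch:version-release' into its three parts (epoch defaults to 0)."""
    epoch, sep, rest = label.partition(":")
    if not sep:
        epoch, rest = "0", label
    version, _, release = rest.rpartition("-")
    if not version:
        version, release = rest, ""
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    return rpmvercmp(ea, eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def classify(installed: str, fixed: str) -> str:
    """'fixed' if installed >= fixed by rpm rules; 'suspect' if the upstream
    version strings differ but the installed release tag is already at or
    above the fixed release (the mis-attributed-fixed-version pattern);
    otherwise 'affected'."""
    if compare_evr(installed, fixed) >= 0:
        return "fixed"
    _, iv, ir = split_evr(installed)
    _, fv, fr = split_evr(fixed)
    if rpmvercmp(iv, fv) != 0 and rpmvercmp(ir, fr) >= 0:
        return "suspect"
    return "affected"


def triage_report(report_json: str):
    """Return (PkgName, VulnerabilityID, verdict) for every finding with a FixedVersion."""
    rows = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            fixed = v.get("FixedVersion")
            if fixed:
                rows.append((v["PkgName"], v["VulnerabilityID"],
                             classify(v["InstalledVersion"], fixed)))
    return rows


if __name__ == "__main__":
    for pkg, vuln_id, verdict in triage_report(SAMPLE_REPORT):
        print(f"{verdict:9} {pkg:14} {vuln_id}")
```

Run it against a real report with `trivy image -f json -o report.json <image>` and replace SAMPLE_REPORT with the file contents; "suspect" rows are candidates for manual verification against the SUSE advisory rather than automatic suppression, since the heuristic only detects the mismatch, it does not prove the package is patched.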

DmitriyLewen commented 2 years ago

Hello @vasiliy-ul Thanks for your report!

I created #3199 with a fix for this problem. When it is merged, we will include this fix in the next release.

Regards, Dmitriy

vasiliy-ul commented 2 years ago

Hi @DmitriyLewen, thank you for the quick fix :+1: