
False positive: GHSA-m2qf-hxjv-5gpq (CVE-2023-30861) python3-Flask in SLES 15.5 Ecosystem #1937

Open
sekveaja opened this issue Jun 12, 2024 · 1 comment
Labels: blocked (Progress is being stopped by something), bug (Something isn't working)

Comments


sekveaja commented Jun 12, 2024

What happened:

Scanning an image that has python3-Flask-1.0.4-150400.7.64.noarch installed
generates a High vulnerability:

NAME                INSTALLED              FIXED-IN                 TYPE       VULNERABILITY        SEVERITY
Flask               1.0.4                  2.2.5                    python     GHSA-m2qf-hxjv-5gpq  High
Jinja2              2.10.1                 3.1.4                    python     GHSA-h75v-3vvj-5mfj  Medium
Jinja2              2.10.1                 3.1.3                    python     GHSA-h5c8-rqwp-cp95  Medium

JSON format:

   "vulnerability": {
    "id": "GHSA-m2qf-hxjv-5gpq",
    "dataSource": "https://github.com/advisories/GHSA-m2qf-hxjv-5gpq",
    "namespace": "github:language:python",
    "severity": "High",
    "urls": [
     "https://github.com/advisories/GHSA-m2qf-hxjv-5gpq"
    ],
    "description": "Flask vulnerable to possible disclosure of permanent session cookie",
:
:
   "relatedVulnerabilities": [
    {
     "id": "CVE-2023-30861",
     "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-30861",
     "namespace": "nvd:cpe",
     "severity": "High",
     "urls": [
      "https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b",
      "https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965",
      "https://github.com/pallets/flask/releases/tag/2.2.5",
:
:
   "artifact": {
    "id": "43f7396ee5913efd",
    "name": "Flask",
    "version": "1.0.4",
    "type": "python",
    "locations": [
     {
      "path": "/usr/lib/python3.6/site-packages/Flask-1.0.4-py3.6.egg-info/PKG-INFO",
      "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
     },

What you expected to happen:

According to the SUSE advisory for CVE-2023-30861, the patch for this CVE is applied from version python3-Flask-1.0.4-150400.7.64.noarch.

See this link: https://www.suse.com/security/cve/CVE-2023-30861.html

SUSE Linux Enterprise Server 15 SP5
python3-Flask >= 1.0.4-150400.3.3.1
Patchnames:
SUSE-SLE-Module-Basesystem-15-SP5-2023-2263

Installed version in the container: python3-flask-3.3.2-150400.23.1.x86_64

# rpm -qf /usr/lib/python3.6/site-packages/Flask-1.0.4-py3.6.egg-info/PKG-INFO
python3-Flask-1.0.4-150400.7.64.noarch

Conclusion: the installed version is newer than the minimum patched version from SLES 15.5, but Grype generates a vulnerability.

How to reproduce it (as minimally and precisely as possible):

  1. Create the Dockerfile with this content:
     FROM registry.suse.com/suse/sle15:15.5
     RUN zypper in -y --no-recommends  python3-Flask=1.0.4-150400.7.64
     ENTRYPOINT [""]
     CMD ["bash"]
  2. Build an image from the Dockerfile:
     $ docker build -t "suse15.5_python3-flask:v1" .
  3. Test with Grype now:
     $ grype --distro sles:15.5 suse15.5_python3-flask:v1

NAME                INSTALLED              FIXED-IN                 TYPE       VULNERABILITY        SEVERITY
Flask               1.0.4                  2.2.5                    python     GHSA-m2qf-hxjv-5gpq  High
Jinja2              2.10.1                 3.1.4                    python     GHSA-h75v-3vvj-5mfj  Medium
Jinja2              2.10.1                 3.1.3                    python     GHSA-h5c8-rqwp-cp95  Medium

Environment:

$ grype --version
grype 0.78.0

In container image eco-system:

bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
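
One way to triage this class of finding automatically, as an added example that is not part of this issue or of Grype itself: map the match's artifact path to the owning RPM (what `rpm -qf` answered above), compare that RPM's version-release against the fixed version-release from the SUSE advisory with an rpmvercmp-style comparison, and mark the match as patched by the distro when the installed RPM is at or above it. The match, RPM-ownership and advisory data are constructed from the report above, and the function names are assumptions.

```python
import re
def rpm_vercmp(a: str, b: str) -> int:
    """rpmvercmp-style compare (-1/0/1): digit runs numerically, letter runs
    lexically, digits rank above letters. Simplified: no '~' / '^' handling."""
    sa, sb = re.findall(r"[0-9]+|[a-zA-Z]+", a), re.findall(r"[0-9]+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer one is newer

def split_nevra(nevra: str) -> tuple:
    """'python3-Flask-1.0.4-150400.7.64.noarch' -> (name, version, release)."""
    m = re.fullmatch(r"(.+)-([^-]+)-([^-]+)\.([a-z0-9_]+)", nevra)
    if not m:
        raise ValueError(f"not a NEVRA: {nevra}")
    return m.group(1), m.group(2), m.group(3)

def is_patched_by_distro(installed_nevra: str, fixed_vr: str) -> bool:
    """True if the installed RPM is at or above the advisory's fixed version-release."""
    _, ver, rel = split_nevra(installed_nevra)
    fver, frel = fixed_vr.rsplit("-", 1)
    return (rpm_vercmp(ver, fver) or rpm_vercmp(rel, frel)) >= 0

def triage(match: dict, rpm_owner: dict, distro_fixed: dict) -> str:
    """Classify one Grype match: 'distro-patched', 'unpatched' or 'unknown'.
    rpm_owner: path -> owning NEVRA (what `rpm -qf` answers);
    distro_fixed: CVE id -> fixed version-release from the distro advisory."""
    ids = [match["vulnerability"]["id"]] + [r["id"] for r in match.get("relatedVulnerabilities", [])]
    fixed = next((distro_fixed[i] for i in ids if i in distro_fixed), None)
    if fixed is None:
        return "unknown"                    # no distro statement: keep the finding
    for loc in match["artifact"]["locations"]:
        owner = rpm_owner.get(loc["path"])  # unowned file: not from the distro RPM
        if owner and is_patched_by_distro(owner, fixed):
            return "distro-patched"
    return "unpatched"
# Constructed from the report in this issue, trimmed to the fields used here.
PKG_INFO = "/usr/lib/python3.6/site-packages/Flask-1.0.4-py3.6.egg-info/PKG-INFO"
SAMPLE_MATCH = {"vulnerability": {"id": "GHSA-m2qf-hxjv-5gpq"},
                "relatedVulnerabilities": [{"id": "CVE-2023-30861"}],
                "artifact": {"name": "Flask", "version": "1.0.4",
                             "locations": [{"path": PKG_INFO}]}}
RPM_OWNER = {PKG_INFO: "python3-Flask-1.0.4-150400.7.64.noarch"}  # rpm -qf output above
DISTRO_FIXED = {"CVE-2023-30861": "1.0.4-150400.3.3.1"}           # SUSE advisory, SLES 15 SP5
```

A file under site-packages that no RPM owns (a pip-installed copy) stays "unpatched", which is the case the distro advisory says nothing about.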

@sekveaja sekveaja added the bug Something isn't working label Jun 12, 2024
@kzantow kzantow added the blocked Progress is being stopped by something label Sep 16, 2024

kzantow commented Sep 16, 2024

Blocked by anchore/vunnel#626

@kzantow kzantow moved this to Backlog in OSS Sep 16, 2024