What happened:
A scan of an image that has python3-requests-2.25.1-150300.3.6.1.noarch and python3-pip-20.0.2-150400.20.1.noarch installed generates high vulnerabilities:
NAME      INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
pip       20.0.2     23.3      python  GHSA-mq26-g339-26xf  Medium
pip       20.0.2     21.1      python  GHSA-5xp3-jfq3-5q8x  Medium
requests  2.25.1     2.31.0    python  GHSA-j8r2-6x86-q33q  Medium
requests  2.25.1     2.32.0    python  GHSA-9wx4-h78v-vm56  Medium
What you expected to happen:
According to the SUSE advisory for CVE-2023-32681, the patch for this CVE is applied from version python3-requests >= 2.24.0-150300.3.3.1.
See this link: https://www.suse.com/security/cve/CVE-2023-32681.html
SUSE Linux Enterprise Server 15 SP4
python3-requests >= 2.24.0-150300.3.3.1
But the package installed in the container is python3-requests-2.25.1-150300.3.6.1.
According to the SUSE advisory for CVE-2021-3572, the patch for this CVE is applied from version python3-pip >= 20.0.2-150400.15.6.
See this link: https://www.suse.com/security/cve/CVE-2021-3572.html
SUSE Linux Enterprise Server 15 SP4
python3-pip >= 20.0.2-150400.15.6
But the package installed in the container is python3-pip-20.0.2-150400.20.1.
To summarize:
Installed versions in the container:
python3-requests-2.25.1-150300.3.6.1.noarch
python3-pip-20.0.2-150400.20.1.noarch
SUSE Linux Enterprise Server 15 SP4 minimum requirements for those CVEs:
python3-requests >= 2.24.0-150300.3.3.1
python3-pip >= 20.0.2-150400.15.6
Conclusion: the installed versions meet the minimum patched requirement from SLES 15.4, but Grype still generates vulnerabilities.
How to reproduce it (as minimally and precisely as possible):
Create the Dockerfile with this content:
FROM registry.suse.com/suse/sle15:15.4
RUN zypper in -y --no-recommends python3-pip=20.0.2-150400.20.1
RUN zypper in -y --no-recommends python3-requests=2.25.1-150300.3.6.1
ENTRYPOINT [""]
CMD ["bash"]
$ docker build -t "suse15.4_pip_request:v1" .
$ grype --distro sles:15.4 suse15.4_pip_request:v1
NAME          INSTALLED              FIXED-IN                 TYPE    VULNERABILITY        SEVERITY
pip           20.0.2                 23.3                     python  GHSA-mq26-g339-26xf  Medium
pip           20.0.2                 21.1                     python  GHSA-5xp3-jfq3-5q8x  Medium
py            1.10.0                                          python  GHSA-w596-4wvx-j9j6  High
python3       3.6.15-150300.10.51.1  0:3.6.15-150300.10.57.1  rpm     CVE-2022-48566       Medium
python3-base  3.6.15-150300.10.51.1  0:3.6.15-150300.10.57.1  rpm     CVE-2022-48566       Medium
requests      2.25.1                 2.31.0                   python  GHSA-j8r2-6x86-q33q  Medium
requests      2.25.1                 2.32.0                   python  GHSA-9wx4-h78v-vm56  Medium
Environment:
$ grype --version
grype 0.78.0
In the container image ecosystem:
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP4"
VERSION_ID="15.4"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP4"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
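As an added illustration (not Grype's code and not the reporter's), the following Python checks the installed RPM version-release strings from this report against the SUSE advisory thresholds with an rpmvercmp-style comparison, and contrasts that with a comparison that only sees the bare upstream version, which is what makes a backported fix look unpatched. The package data is copied from the report above; the rpmvercmp function is a simplified re-implementation, not librpm.

```python
import re
# Constructed from the figures in this issue: installed RPM version-release
# strings and the SUSE advisory "fixed from" thresholds for SLES 15 SP4.
INSTALLED = {"python3-requests": "2.25.1-150300.3.6.1",
             "python3-pip": "20.0.2-150400.20.1"}
SUSE_FIXED_FROM = {"python3-requests": "2.24.0-150300.3.3.1",  # CVE-2023-32681
                   "python3-pip": "20.0.2-150400.15.6"}        # CVE-2021-3572
# Upstream fix versions shown in Grype's FIXED-IN column (python/GHSA rows).
UPSTREAM_FIXED_IN = {"python3-requests": "2.31.0", "python3-pip": "21.1"}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """Simplified re-implementation of librpm's rpmvercmp (not librpm itself):
    numeric segments compare numerically, alpha lexically, numeric beats alpha,
    '~' sorts before anything. Returns -1, 0 or 1; no '^' handling."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if "~" in (x, y):
            return -1 if x == "~" else 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:
            return 1 if xd else -1
        return (x > y) - (x < y)
    # Leftover segments: a leading '~' makes that side older, anything else newer.
    rest_a, rest_b = sa[len(sb):], sb[len(sa):]
    if rest_a and rest_a[0] == "~":
        return -1
    if rest_b and rest_b[0] == "~":
        return 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(installed: str, fixed: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)

def is_fixed_by_distro(pkg: str) -> bool:
    """True when the installed RPM is at or past the SUSE advisory threshold."""
    return evr_cmp(INSTALLED[pkg], SUSE_FIXED_FROM[pkg]) >= 0

def upstream_only_flags(pkg: str) -> bool:
    """True when comparing only the bare upstream version (distro release
    dropped) against the upstream fix version would call the package vulnerable."""
    return rpmvercmp(INSTALLED[pkg].rsplit("-", 1)[0], UPSTREAM_FIXED_IN[pkg]) < 0
```

For both packages `is_fixed_by_distro` returns True while `upstream_only_flags` also returns True, which is exactly the disagreement between the SUSE advisory and the python-ecosystem rows in the scan output.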