grype
False positive: GHSA-q2q7-5pp4-w6pg (CVE-2021-33503) in SLES 15.5
What happened: A scan of an image that has python3-urllib3-1.25.10-150300.4.9.1.noarch installed reports a High-severity vulnerability:
```
$ grype --distro sles15.5 suse15.5_python3-urllib3:v1
urllib3  1.25.10  1.26.5   python  GHSA-q2q7-5pp4-w6pg  High
urllib3  1.25.10  1.26.17  python  GHSA-v845-jxx5-vc9f  Medium
urllib3  1.25.10  1.26.18  python  GHSA-g4mx-q9vg-27p4  Medium
```
Relevant excerpt of the JSON output (elided sections marked with `:`):

```json
"vulnerability": {
  "id": "GHSA-q2q7-5pp4-w6pg",
  "dataSource": "https://github.com/advisories/GHSA-q2q7-5pp4-w6pg",
  "namespace": "github:language:python",
  "severity": "High",
  "urls": [
    "https://github.com/advisories/GHSA-q2q7-5pp4-w6pg"
  :
  :
"relatedVulnerabilities": [
  {
    "id": "CVE-2021-33503",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-33503",
    "namespace": "nvd:cpe",
    "severity": "High",
    "urls": [
      "https://github.com/advisories/GHSA-q2q7-5pp4-w6pg",
      "https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec",
  :
  :
"artifact": {
  "id": "34d78392a0ba7992",
  "name": "urllib3",
  "version": "1.25.10",
  "type": "python",
  "locations": [
    {
      "path": "/usr/lib/python3.6/site-packages/urllib3-1.25.10-py3.6.egg-info/PKG-INFO",
      "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
    },
```
What you expected to happen:
According to the SUSE advisory at https://www.suse.com/security/cve/CVE-2021-33503.html, the CVE is fixed in python3-urllib3 >= 1.25.10-4.3.1:
```
SUSE Linux Enterprise Server 15 SP5    python3-urllib3 >= 1.25.10-4.3.1
Patchnames:
  SUSE Linux Enterprise Module for Basesystem 15 SP5 GA    python-urllib3-1.25.10-4.3.1
  SUSE Linux Enterprise Module for Basesystem 15 SP5 GA    python3-urllib3-1.25.10-4.3.1
```
Installed version in the container:

```
python3-urllib3-1.25.10-150300.4.9.1.noarch
```

Conclusion: the installed version exceeds the minimum patched version for SLES 15.5, but Grype still reports the vulnerability.
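As a triage aid for the comparison made above, here is an added Python example (not part of this issue and not grype's own code) that reproduces the check by hand: it reimplements rpm's version ordering, compares the installed RPM release against the advisory's fixed release for each match whose file is owned by a distro package, and emits package-scoped ignore entries in the shape of grype's `.grype.yaml` ignore list. The grype JSON excerpt, the `rpm -qf` answer (`RPM_OWNER`) and the CVE-to-advisory table (`DISTRO_FIXED`) are constructed sample data modelled on this report; the function names are my own.

```python
import re

# --- Constructed sample data (modelled on the report, not a real scan) -------------
EGG_INFO = "/usr/lib/python3.6/site-packages/urllib3-1.25.10-py3.6.egg-info/PKG-INFO"

def _match(vuln_id, severity, cves, path):
    """One grype-style match record, in the shape of `grype -o json` output."""
    return {"vulnerability": {"id": vuln_id, "severity": severity},
            "relatedVulnerabilities": [{"id": c} for c in cves],
            "artifact": {"name": "urllib3", "version": "1.25.10", "type": "python",
                         "locations": [{"path": path}]}}

GRYPE_REPORT = {"matches": [
    _match("GHSA-q2q7-5pp4-w6pg", "High", ["CVE-2021-33503"], EGG_INFO),
    _match("GHSA-v845-jxx5-vc9f", "Medium", [], EGG_INFO),  # no CVE mapping supplied here
]}
# What `rpm -qf <path>` would answer inside the image (constructed from the report).
RPM_OWNER = {EGG_INFO: "python3-urllib3-1.25.10-150300.4.9.1.noarch"}
# Distro fixed version per CVE, taken from the SUSE advisory quoted in the report.
DISTRO_FIXED = {"CVE-2021-33503": ("python3-urllib3", "1.25.10-4.3.1")}

# --- RPM version comparison ---------------------------------------------------------
def rpmvercmp(a, b):
    """Simplified rpmvercmp(): split into digit runs, alpha runs and '~'; digits compare
    as integers and beat alpha runs; '~' sorts before anything, even end of string.
    Returns -1, 0 or 1. (The '^' rule of newer rpm releases is not implemented.)"""
    if a == b:
        return 0
    ta, tb = (re.findall(r"[0-9]+|[a-zA-Z]+|~", s) for s in (a, b))
    for x, y in zip(ta, tb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
        elif x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(ta) == len(tb):
        return 0
    longer_is_a = len(ta) > len(tb)
    rest = ta[len(tb):] if longer_is_a else tb[len(ta):]
    if rest[0] == "~":          # "1.0~rc1" is older than "1.0"
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1

def split_nevra(nevra):
    """'name-version-release.arch' -> (name, 'version-release')."""
    base = nevra.rsplit(".", 1)[0]          # drop .noarch / .x86_64
    name, version, release = base.rsplit("-", 2)
    return name, f"{version}-{release}"

def compare_evr(a, b):
    """Compare two '[epoch:]version-release' strings the way rpm orders them."""
    def parse(evr):
        epoch, _, rest = evr.rpartition(":")
        version, _, release = rest.partition("-")
        return int(epoch or 0), version, release
    (ea, va, ra), (eb, vb, rb) = parse(a), parse(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

# --- Triage --------------------------------------------------------------------------
def triage(report, rpm_owner, distro_fixed):
    """For each grype match, check whether the distro package owning the matched file
    already carries a backported fix for one of the related CVEs."""
    results = []
    for m in report["matches"]:
        art = m["artifact"]
        paths = [loc["path"] for loc in art.get("locations", [])]
        owner = next((rpm_owner[p] for p in paths if p in rpm_owner), None)
        verdict, detail = "review", "no distro package/advisory evidence"
        if owner:
            name, installed = split_nevra(owner)
            for cve in (r["id"] for r in m.get("relatedVulnerabilities", [])):
                fixed = distro_fixed.get(cve)
                if fixed and fixed[0] == name:
                    newer = compare_evr(installed, fixed[1]) >= 0
                    verdict = "backported-fix" if newer else "vulnerable"
                    detail = f"{owner} {'>=' if newer else '<'} {fixed[1]} ({cve})"
                    break
        results.append({"vulnerability": m["vulnerability"]["id"], "verdict": verdict,
                        "detail": detail, "package": art["name"],
                        "version": art["version"], "type": art["type"]})
    return results

def ignore_rules(results):
    """Ignore entries in the shape of grype's `.grype.yaml` ignore list, one per match
    judged to be a backported fix, scoped to the package so nothing else is silenced."""
    return [{"vulnerability": r["vulnerability"],
             "package": {"name": r["package"], "version": r["version"], "type": r["type"]}}
            for r in results if r["verdict"] == "backported-fix"]

if __name__ == "__main__":
    verdicts = triage(GRYPE_REPORT, RPM_OWNER, DISTRO_FIXED)
    for r in verdicts:
        print(f"{r['vulnerability']:22} {r['verdict']:15} {r['detail']}")
    print("ignore:", ignore_rules(verdicts))
```

The decisive step is the release comparison: `150300.4.9.1` sorts after `4.3.1` under rpm's segment-wise rule (150300 > 4 on the first numeric segment), so the installed package already satisfies the advisory. A match with no CVE-to-advisory evidence is left as `review` rather than auto-ignored, and the generated ignore entries are scoped to package name, version and type so the other urllib3 findings are not silenced by accident.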
How to reproduce it (as minimally and precisely as possible):

1. Create the Dockerfile with this content:

```dockerfile
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-urllib3=1.25.10-150300.4.9.1
ENTRYPOINT [""]
CMD ["bash"]
```

2. Build an image from the Dockerfile:

```
docker build -t "suse15.5_python3-urllib3:v1" .
```

3. Test with Grype now:

```
$ grype --distro sles15.5 suse15.5_python3-urllib3:v1
urllib3  1.25.10  1.26.5   python  GHSA-q2q7-5pp4-w6pg  High
urllib3  1.25.10  1.26.17  python  GHSA-v845-jxx5-vc9f  Medium
urllib3  1.25.10  1.26.18  python  GHSA-g4mx-q9vg-27p4  Medium
```
Environment:

```
$ grype --version
grype 0.76.0
```

Inside the container image:

```
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
```