grype
False positive: GHSA-xg9f-g7g7-2323 (CVE-2023-25577) python3-Werkzeug in SLES 15.5 Ecosystem
What happened:
Scanning an image that has python3-werkzeug-3.3.2-150400.23.1.x86_64 installed reports high-severity vulnerabilities:
NAME      INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
Werkzeug  1.0.1      2.2.3     python  GHSA-xg9f-g7g7-2323  High
Werkzeug  1.0.1      3.0.3     python  GHSA-2g68-c3qc-8985  High
Werkzeug  1.0.1      2.3.8     python  GHSA-hrfv-mqp8-q5rw  Medium
Werkzeug  1.0.1      2.2.3     python  GHSA-px8h-6qxv-m22q  Low
JSON format:
"vulnerability": {
  "id": "GHSA-xg9f-g7g7-2323",
  "dataSource": "https://github.com/advisories/GHSA-xg9f-g7g7-2323",
  "namespace": "github:language:python",
  "severity": "High",
  "urls": [
    "https://github.com/advisories/GHSA-xg9f-g7g7-2323"
  ],
  "description": "High resource usage when parsing multipart form data with many fields",
  :
  :
"relatedVulnerabilities": [
  {
    "id": "CVE-2023-25577",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-25577",
    "namespace": "nvd:cpe",
    "severity": "High",
    "urls": [
      "https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1",
      "https://github.com/pallets/werkzeug/releases/tag/2.2.3",
      "https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323",
      :
      :
"artifact": {
  "id": "a9289888e4eeeaa3",
  "name": "Werkzeug",
  "version": "1.0.1",
  "type": "python",
  "locations": [
    {
      "path": "/usr/lib/python3.6/site-packages/Werkzeug-1.0.1-py3.6.egg-info/PKG-INFO",
      "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
    },
What you expected to happen:
According to the SUSE advisory for CVE-2023-25577, the patch for this CVE is applied from version python3-werkzeug-3.3.2-150400.23.1.x86_64.
See with this link: https://www.suse.com/security/cve/CVE-2023-25577.html
SUSE Linux Enterprise Server 15 SP5    python3-Werkzeug >= 1.0.1-150300.3.3.1
Patchnames:
  SUSE Linux Enterprise Module for Basesystem 15 SP5 GA    python-Werkzeug-1.0.1-150300.3.3.1
  SUSE Linux Enterprise Module for Basesystem 15 SP5 GA    python3-Werkzeug-1.0.1-150300.3.3.1
Installed version in the container: python3-werkzeug-3.3.2-150400.23.1.x86_64
rpm -qf /usr/lib/python3.6/site-packages/Werkzeug-1.0.1-py3.6.egg-info/PKG-INFO
python3-Werkzeug-1.0.1-150300.3.3.1.noarch
Conclusion: The installed version meets the minimum patch requirement from SLES 15.5, but Grype still generates a vulnerability.
How to reproduce it (as minimally and precisely as possible):
- Create the Dockerfile with this content:
FROM registry.suse.com/suse/sle15:15.5
ADD https://rpmfind.net/linux/opensuse/distribution/leap/15.5/repo/oss/noarch/python3-Werkzeug-1.0.1-150300.3.3.1.noarch.rpm /tmp
RUN zypper in -y --no-recommends /tmp/python3-Werkzeug-1.0.1-150300.3.3.1.noarch.rpm
ENTRYPOINT [""]
CMD ["bash"]
- Build an image from Dockerfile
$ docker build -t "suse15.5_python3-werkzeug:v1" .
- Test with Grype now
$ grype --distro sles:15.5 suse15.5_python3-werkzeug:v1
NAME                INSTALLED              FIXED-IN                  TYPE    VULNERABILITY        SEVERITY
Werkzeug            1.0.1                  2.2.3                     python  GHSA-xg9f-g7g7-2323  High
Werkzeug            1.0.1                  3.0.3                     python  GHSA-2g68-c3qc-8985  High
Werkzeug            1.0.1                  2.3.8                     python  GHSA-hrfv-mqp8-q5rw  Medium
Werkzeug            1.0.1                  2.2.3                     python  GHSA-px8h-6qxv-m22q  Low
libglib-2_0-0       2.70.5-150400.3.8.1    0:2.70.5-150400.3.11.1    rpm     CVE-2024-34397       Low
libopenssl1_1       1.1.1l-150500.17.25.1  0:1.1.1l-150500.17.28.2   rpm     CVE-2024-2511        Medium
libopenssl1_1-hmac  1.1.1l-150500.17.25.1  0:1.1.1l-150500.17.28.2   rpm     CVE-2024-2511        Me
Anything else we need to know?: There was a similar issue that was opened and closed, but the real issue has not been addressed. https://github.com/anchore/grype/issues/1536.
Please investigate this ticket, as it is reproducible easily.
Environment:
$ grype --version
grype 0.78.0
In container image eco-system:
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
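The triage a practitioner wants for a report like this one, as an added example that is not part of the issue and not grype's own code: post-process the `grype -o json` report, ask rpm which package owns the metadata file each language-ecosystem match was made on, check that package's changelog for the advisory ids grype attached to the match, and turn confirmed distro backports into ignore rules for .grype.yaml that are pinned to the file location, so a second, unmanaged copy of the same package would still be reported. The report excerpt, the `rpm -qf` ownership map and the changelog text are constructed samples modelled on the output above (the excerpt adds a hypothetical pip-installed Werkzeug under /usr/local and an rpm-type match to show the other verdicts); the JSON field names are those of grype's JSON output, and the ignore-rule fields (vulnerability, reason, package.name/version/type/location) are grype's .grype.yaml schema as I understand it, not something the issue states.

```python
"""Triage grype language-ecosystem matches against distro RPM ownership.

Added example for the report above; it is not grype's own code. It runs
offline: the grype JSON excerpt, the `rpm -qf` ownership map and the
`rpm -q --changelog` text below are constructed samples modelled on the
report, not captured from a real container.
"""
import json

# Constructed excerpt in the shape of `grype -o json` (matches[].vulnerability,
# .relatedVulnerabilities, .artifact); only the fields read below are kept.
# Match 3 is a hypothetical pip-installed second copy, match 4 an rpm match.
GRYPE_REPORT = json.loads("""
{"matches": [
 {"vulnerability": {"id": "GHSA-xg9f-g7g7-2323", "namespace": "github:language:python", "severity": "High"},
  "relatedVulnerabilities": [{"id": "CVE-2023-25577", "namespace": "nvd:cpe"}],
  "artifact": {"name": "Werkzeug", "version": "1.0.1", "type": "python",
   "locations": [{"path": "/usr/lib/python3.6/site-packages/Werkzeug-1.0.1-py3.6.egg-info/PKG-INFO"}]}},
 {"vulnerability": {"id": "GHSA-2g68-c3qc-8985", "namespace": "github:language:python", "severity": "High"},
  "relatedVulnerabilities": [],
  "artifact": {"name": "Werkzeug", "version": "1.0.1", "type": "python",
   "locations": [{"path": "/usr/lib/python3.6/site-packages/Werkzeug-1.0.1-py3.6.egg-info/PKG-INFO"}]}},
 {"vulnerability": {"id": "GHSA-xg9f-g7g7-2323", "namespace": "github:language:python", "severity": "High"},
  "relatedVulnerabilities": [{"id": "CVE-2023-25577", "namespace": "nvd:cpe"}],
  "artifact": {"name": "Werkzeug", "version": "1.0.1", "type": "python",
   "locations": [{"path": "/usr/local/lib/python3.6/site-packages/Werkzeug-1.0.1-py3.6.egg-info/PKG-INFO"}]}},
 {"vulnerability": {"id": "CVE-2024-2511", "namespace": "sles:distro:sles:15.5", "severity": "Medium"},
  "relatedVulnerabilities": [],
  "artifact": {"name": "libopenssl1_1", "version": "1.1.1l-150500.17.25.1", "type": "rpm",
   "locations": [{"path": "/var/lib/rpm/Packages"}]}}
]}
""")

# What `rpm -qf <path>` prints for each flagged path (constructed; on a real
# image, run the command inside the container and fill this map from it).
RPM_OWNER = {
    "/usr/lib/python3.6/site-packages/Werkzeug-1.0.1-py3.6.egg-info/PKG-INFO":
        "python3-Werkzeug-1.0.1-150300.3.3.1.noarch",
}

# What `rpm -q --changelog <pkg>` prints (constructed sample; distro
# maintainers normally name the CVE in the entry that adds the backport).
RPM_CHANGELOG = {
    "python3-Werkzeug-1.0.1-150300.3.3.1.noarch":
        "- Add CVE-2023-25577.patch: cap the number of multipart form parts\n",
}


def advisory_ids(match):
    """All identifiers attached to a match: the primary id plus its aliases."""
    return [match["vulnerability"]["id"]] + [
        r["id"] for r in match.get("relatedVulnerabilities", [])]


def triage(report, rpm_owner, rpm_changelog):
    """Classify every match.

    rpm matches are left to the distro feed ("distro-match"). Language
    matches are checked against package ownership: if a distro RPM owns the
    metadata file the scanner matched on and that RPM's changelog names one
    of the advisory ids, the finding is a "backported" ignore candidate; if
    the RPM owns the file but the changelog is silent, "distro-owned-verify"
    asks a human to read the patch list; a file no RPM owns is "unmanaged"
    (pip-installed) and the finding stands.
    """
    rows = []
    for m in report["matches"]:
        art = m["artifact"]
        paths = [loc["path"] for loc in art["locations"]]
        row = {"vulnerability": m["vulnerability"]["id"],
               "package": {"name": art["name"], "version": art["version"],
                           "type": art["type"], "location": paths[0]},
               "owner": None, "evidence": None}
        if art["type"] == "rpm":
            row["verdict"] = "distro-match"
        else:
            owners = [rpm_owner[p] for p in paths if p in rpm_owner]
            if not owners:
                row["verdict"] = "unmanaged"
            else:
                row["owner"] = owners[0]
                log = "".join(rpm_changelog.get(o, "") for o in owners)
                hits = [i for i in advisory_ids(m) if i in log]
                row["evidence"] = hits[0] if hits else None
                row["verdict"] = "backported" if hits else "distro-owned-verify"
        rows.append(row)
    return rows


def ignore_rules(rows):
    """Ignore entries for backported findings only, pinned to name, version,
    type and file location so an unmanaged copy elsewhere is still reported."""
    return [{"vulnerability": r["vulnerability"],
             "reason": f"fixed by distro backport in {r['owner']} "
                       f"(changelog names {r['evidence']})",
             "package": dict(r["package"])}
            for r in rows if r["verdict"] == "backported"]


def to_grype_yaml(rules):
    """Emit the ignore list as YAML without a YAML library (JSON strings are
    valid YAML scalars). Field names follow the .grype.yaml ignore schema."""
    out = ["ignore:"]
    for r in rules:
        out.append(f"  - vulnerability: {r['vulnerability']}")
        out.append(f"    reason: {json.dumps(r['reason'])}")
        out.append("    package:")
        for k in ("name", "version", "type", "location"):
            out.append(f"      {k}: {json.dumps(r['package'][k])}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rows = triage(GRYPE_REPORT, RPM_OWNER, RPM_CHANGELOG)
    for r in rows:
        print(f"{r['verdict']:20} {r['vulnerability']:22} "
              f"{r['package']['name']} {r['package']['version']} {r['package']['location']}")
    print(to_grype_yaml(ignore_rules(rows)), end="")
```

On a real image the two maps come from `rpm -qf` and `rpm -q --changelog` run inside the container, which is exactly the `rpm -qf` check the report already performed by hand; the "distro-owned-verify" verdict exists because a backport whose changelog does not name the id (GHSA-2g68-c3qc-8985 in the sample has no NVD alias) cannot be cleared automatically and must be checked against the RPM's patch list before it is ignored.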