False Positive: CVE-2023-37920 reported for certifi library in python #1417
chidambaranathan-r changed the title from "False Positive: CVE-2023-37920 reported for certifi library in python" to "False Positive: CVE-2018-15192 reported for certifi library in python" on Aug 4, 2023
chidambaranathan-r changed the title from "False Positive: CVE-2018-15192 reported for certifi library in python" to "False Positive: CVE-2023-37920 reported for certifi library in python" on Aug 4, 2023
I will point out that the lack of leading zeroes in any of these dated versions is standard practice for Python, per canonical PEP 440, so
trisberg added a commit to vmware-tanzu/application-accelerator-samples that referenced this issue on Aug 16, 2023
- there is a Grype issue for this failure - anchore/grype#1417
Linking #1172 to this
What happened:
I have a Python Image "certifi" installed with "2023.7.22". As per GHSA-xqr8-7jwr-rhp7, this version is not impacted.
But grype is marking this CVE as applicable for my image:
versionConstraint used by the matcher is incorrect. As per GH advisory, patched versions are >=2023.07.22.
What you expected to happen:
Ideally, grype should not report the patched version as vulnerable.
How to reproduce it (as minimally and precisely as possible):
Scan any python image containing certifi with version 2023.07.22.
Environment:
grype version:
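
Added example, not part of the original issue and not Grype's code: the PEP 440 point raised in the comments, that release segments compare as integers, so 2023.7.22 satisfies the advisory's >=2023.07.22. It handles only plain release segments (an assumption made to keep it short); the function names and the sample versions other than 2023.7.22 are constructed, and the string comparison is included only as a contrast, not as a description of how Grype's matcher works.

```python
import operator
import re

# Simplified PEP 440: release segment only (optional "v" prefix); epochs,
# pre/post/dev releases and local versions are out of scope for this example.
_RELEASE = re.compile(r"v?(\d+(?:\.\d+)*)")
_CLAUSE = re.compile(r"(>=|<=|==|!=|>|<)\s*(\S+)")
_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
        "!=": operator.ne, ">": operator.gt, "<": operator.lt}


def release_key(version):
    """Return the release segment as a tuple of ints, so "07" and "7" are equal."""
    m = _RELEASE.fullmatch(version.strip().lower())
    if m is None:
        raise ValueError(f"unsupported version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    # PEP 440 pads the shorter release with zeros; dropping trailing zeros
    # gives the same ordering (1.0 == 1.0.0).
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def satisfies(installed, constraint):
    """True if `installed` meets every comma-separated clause of `constraint`."""
    key = release_key(installed)
    for clause in constraint.split(","):
        m = _CLAUSE.fullmatch(clause.strip())
        if m is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        if not _OPS[m.group(1)](key, release_key(m.group(2))):
            return False
    return True


def lexical_satisfies(installed, bound):
    """Contrast only: plain string comparison against a single '>=' bound."""
    return installed >= bound


if __name__ == "__main__":
    patched = ">=2023.07.22"  # patched range quoted in the issue
    # Installed versions are constructed samples, apart from 2023.7.22.
    for v in ("2023.7.22", "2023.07.22", "2023.5.7", "2022.12.7"):
        print(v, satisfies(v, patched), lexical_satisfies(v, patched[2:]))
```

For 2023.5.7 the two columns disagree: integer comparison places it before the patched release, while string comparison places it after.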