False Positive: CVE-2023-37920 reported for certifi library in python

[chidambaranathan-r]

What happened:

I have a Python Image "certifi" installed with "2023.7.22". As per GHSA-xqr8-7jwr-rhp7, this version is not impacted.

But grype is marking this CVE as applicable for my image:

   "matchDetails": [
    {
     "type": "exact-direct-match",
     "matcher": "python-matcher",
     "searchedBy": {
      "language": "python",
      "namespace": "github:language:python",
      "package": {
       "name": "certifi",
       "version": "2023.7.22"
      }
     },
     "found": {
      "versionConstraint": ">=2015.04.28,<2023.07.22 (python)",
      "vulnerabilityID": "GHSA-xqr8-7jwr-rhp7"
     }
    }
   ],

versionConstraint used by the matcher is incorrect. As per GH advisory, patched versions are >=2023.07.22.

What you expected to happen:
Ideally, grype should not report the patched version as vulnerable.

How to reproduce it (as minimally and precisely as possible):
Scan any python image containing certifi with version 2023.07.22.

Environment:

• Output of grype version:

bash-4.4# grype version
Application:          grype
Version:              0.65.0
Syft Version:         v0.86.1
BuildDate:            2023-08-01T00:36:47Z
GitCommit:            c97048baa1595a481a26f7add8b18d59ec65838a
GitDescription:       v0.65.0
Platform:             linux/amd64
GoVersion:            go1.20.1
Compiler:             gc
Supported DB Schema:  5

[pcreager23]

I will point out that the lack of leading zeroes in any of these dated versions is standard practice for Python, per canonical PEP 440, so 2023.7.22 is the correct format.
Ref: Version specifiers

[spiffcs]

Linking #1172 to this