
False Positive: CVE-2023-37920 reported for certifi library in python #1417

Closed
chidambaranathan-r opened this issue Aug 4, 2023 · 2 comments · Fixed by #1510
Labels: bug, false-positive

Comments

@chidambaranathan-r

What happened:

I have a Python image with "certifi" "2023.7.22" installed. As per GHSA-xqr8-7jwr-rhp7, this version is not impacted.

But grype is marking this CVE as applicable for my image:

   "matchDetails": [
    {
     "type": "exact-direct-match",
     "matcher": "python-matcher",
     "searchedBy": {
      "language": "python",
      "namespace": "github:language:python",
      "package": {
       "name": "certifi",
       "version": "2023.7.22"
      }
     },
     "found": {
      "versionConstraint": ">=2015.04.28,<2023.07.22 (python)",
      "vulnerabilityID": "GHSA-xqr8-7jwr-rhp7"
     }
    }
   ],

The versionConstraint used by the matcher is incorrect. As per the GH advisory, patched versions are >=2023.07.22.

What you expected to happen:
Ideally, grype should not report the patched version as vulnerable.

How to reproduce it (as minimally and precisely as possible):
Scan any python image containing certifi with version 2023.07.22.

Environment:

  • Output of grype version:
bash-4.4# grype version
Application:          grype
Version:              0.65.0
Syft Version:         v0.86.1
BuildDate:            2023-08-01T00:36:47Z
GitCommit:            c97048baa1595a481a26f7add8b18d59ec65838a
GitDescription:       v0.65.0
Platform:             linux/amd64
GoVersion:            go1.20.1
Compiler:             gc
Supported DB Schema:  5
@chidambaranathan-r chidambaranathan-r added the bug Something isn't working label Aug 4, 2023
@chidambaranathan-r chidambaranathan-r changed the title False Positive: CVE-2023-37920 reported for certifi library in python False Positive: CVE-2018-15192 reported for certifi library in python Aug 4, 2023
@chidambaranathan-r chidambaranathan-r changed the title False Positive: CVE-2018-15192 reported for certifi library in python False Positive: CVE-2023-37920 reported for certifi library in python Aug 4, 2023

pcreager23 commented Aug 9, 2023

I will point out that the lack of leading zeroes in any of these dated versions is standard practice for Python, per canonical PEP 440, so 2023.7.22 is the correct format.
Ref: Version specifiers
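Both the matchDetails record in the issue and the PEP 440 point above can be checked independently of the scanner. The following is an added example written for this thread, not grype's own matcher code: it re-evaluates a grype matchDetails record with PEP 440 release-segment semantics (each dotted component is an integer, so leading zeros are insignificant and 2023.07.22 equals 2023.7.22) and flags records where the reported version does not actually fall inside the reported constraint. It assumes constraints are comma-separated clauses of the form `<op><version>`, optionally followed by the ` (python)` format annotation grype prints, and that versions are plain release segments with no epoch, pre-, post- or dev-release suffix; the `MATCH_DETAILS` sample is constructed here from the record quoted in the issue.

```python
"""Re-check a grype matchDetails record with PEP 440 release-segment rules.

Added example for this issue thread; this is not grype's matcher code.
Assumptions: constraint clauses look like '>=2015.04.28,<2023.07.22 (python)'
and versions are bare release segments (no epoch, pre/post/dev parts).
"""
import json
import operator
import re

# Constructed sample: the record quoted in the issue, trimmed to the fields
# the check needs.
MATCH_DETAILS = json.loads("""
[{
  "type": "exact-direct-match",
  "matcher": "python-matcher",
  "searchedBy": {"package": {"name": "certifi", "version": "2023.7.22"}},
  "found": {"versionConstraint": ">=2015.04.28,<2023.07.22 (python)",
            "vulnerabilityID": "GHSA-xqr8-7jwr-rhp7"}
}]
""")

_RELEASE = r"\d+(?:\.\d+)*"
_CLAUSE = re.compile(r"\s*(>=|<=|==|!=|>|<)\s*(" + _RELEASE + r")\s*")
_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "==": operator.eq, "!=": operator.ne}


def release_tuple(version: str) -> tuple:
    """Parse a PEP 440 release segment into a tuple of ints.

    Components are integers, so '07' and '7' are the same component and
    '2023.07.22' == '2023.7.22'. Trailing zero components are also
    insignificant under PEP 440 ('1.0' == '1'), so they are stripped.
    """
    if not re.fullmatch(_RELEASE, version):
        raise ValueError(f"unsupported version string: {version!r}")
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_constraint(constraint: str) -> list:
    """Split '>=2015.04.28,<2023.07.22 (python)' into [('>=', '2015.04.28'),
    ('<', '2023.07.22')], dropping the trailing '(format)' annotation."""
    body = re.sub(r"\s*\([a-z0-9-]+\)\s*$", "", constraint)
    clauses = []
    for raw in body.split(","):
        m = _CLAUSE.fullmatch(raw)
        if not m:
            raise ValueError(f"unsupported clause: {raw!r}")
        clauses.append((m.group(1), m.group(2)))
    return clauses


def in_range(version: str, constraint: str) -> bool:
    """True when every clause of the constraint holds for the version,
    comparing normalized release tuples rather than raw strings."""
    v = release_tuple(version)
    return all(_OPS[op](v, release_tuple(bound))
               for op, bound in parse_constraint(constraint))


def triage(match_details: list) -> list:
    """Recompute the verdict for each record. A match the scanner reported
    that PEP 440 comparison rejects is a likely false positive."""
    out = []
    for rec in match_details:
        pkg = rec["searchedBy"]["package"]
        constraint = rec["found"]["versionConstraint"]
        affected = in_range(pkg["version"], constraint)
        out.append({
            "package": pkg["name"],
            "version": pkg["version"],
            "vulnerability": rec["found"]["vulnerabilityID"],
            "constraint": constraint,
            "affected_by_pep440": affected,
            "verdict": "affected" if affected else "likely false positive",
        })
    return out


if __name__ == "__main__":
    for row in triage(MATCH_DETAILS):
        print(json.dumps(row))
```

Feeding the full `matchDetails` array from `grype -o json` output into `triage()` gives a quick second opinion on each python-matcher hit; a record whose verdict comes back as "likely false positive" is worth checking against the advisory's patched-version list before it is suppressed or escalated.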

trisberg added a commit to vmware-tanzu/application-accelerator-samples that referenced this issue Aug 16, 2023
- there is a Grype issue for this failure - anchore/grype#1417

spiffcs commented Aug 17, 2023

Linking #1172 to this
