This problem is the same issue as #1541: where any Python package has a patch from the OS distributor, once the RPM is extracted or installed we lose sight of the patch release information.
Even when running with the --distro parameter, the tool at this point has no idea that the extracted RPM contents are from a specific patch release.
Unless you are able to run the rpm command line on any file to locate the exact RPM name (`rpm -qf <any_file>`), then look into the RPM information regarding the patch release with `rpm -qi`.
But there is a tricky part: you need to be inside the container to view that ecosystem, and the rpm CLI needs to exist there as well.
We can close this ticket and keep tracking #1541, since there are many examples there.
**What happened:**

When running Grype against a container that has python3-Werkzeug-1.0.1-150300.3.3.1.noarch installed, it ends up listing this vulnerability, GHSA-xg9f-g7g7-2323, which is CVE-2023-25577.

| NAME | INSTALLED | FIXED-IN | TYPE | VULNERABILITY | SEVERITY |
| --- | --- | --- | --- | --- | --- |
| Werkzeug | 1.0.1 | 2.2.3 | python | GHSA-xg9f-g7g7-2323 | High |
**What you expected to happen:**

The container is based on SLES:15SP4, and the CVE was fixed and released in python3-Werkzeug-1.0.1-150300.3.3.1.
See the SLES reference for CVE-2023-25577.
Hence python3-Werkzeug has the fix in:
- version: 1.0.1
- release: 150300.3.3.1

If Grype looks only at the version level (from the container) and takes NVD as the reference, that will automatically be a vulnerability, since the NVD fixed version is higher, i.e. 2.2.3.
If the OS distribution has fixed it in their minor release, i.e. 150300.3.31, can Grype take the reference from the OS distribution, 1.0.1.150300.3.31?
There is an odd situation too: if I download the RPM and run the scan, it doesn't report the vulnerability.
```
wget https://rpmfind.net/linux/opensuse/distribution/leap/15.5/repo/oss/noarch/python3-Werkzeug-1.0.1-150300.3.3.1.noarch.rpm
]$ grype --distro sles:15.4 ./python3-Werkzeug-1.0.1-150300.3.3.1.noarch.rpm
 ✔ Vulnerability DB                [no update available]
 ✔ Indexed file system             /tmp
 ✔ Cataloged packages              [1 packages]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
No vulnerabilities found
```
Some info on the container:

```
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP4"
VERSION_ID="15.4"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP4"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp4"
DOCUMENTATION_URL=https://documentation.suse.com/
bash-4.4$ which rpm
/usr/bin/rpm
bash-4.4$ rpm -qa | grep -i Werkzeug
python3-Werkzeug-1.0.1-150300.3.3.1.noarch
```
Some info on the environment:

```
$ cat /etc/release
CentOS Stream release 8
NAME="CentOS Stream"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Stream 8"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL=https://centos.org/
BUG_REPORT_URL=https://bugzilla.redhat.com/
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"
CentOS Stream release 8
CentOS Stream release 8
cpe:/o:centos:centos:8
$ grype version
Application:          grype
Version:              0.65.2
Syft Version:         v0.87.1
BuildDate:            2023-08-18T00:36:56Z
GitCommit:            51223cd
GitDescription:       v0.65.2
Platform:             linux/amd64
GoVersion:            go1.20.1
Compiler:             gc
Supported DB Schema:  5
```
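The two matching rules discussed in this thread (comparing only the upstream version, versus comparing the full epoch:version-release against the vendor's fixed build) can be shown side by side. The following is an added example and is not code from the issue or from Grype: it parses an RPM NEVRA string as printed by `rpm -qa` or taken from an RPM file name, reimplements rpm's segment-based version comparison in Python, and evaluates the package from this report both ways. The installed build (python3-Werkzeug-1.0.1-150300.3.3.1.noarch), the upstream fixed version 2.2.3 and the SUSE fix release come from the report; the older build 150300.3.2.1 is a constructed, hypothetical value used only to show a genuinely unpatched build.

```python
import re
from dataclasses import dataclass

# From the report: the installed SUSE build and the upstream fixed version
# Grype printed for GHSA-xg9f-g7g7-2323 / CVE-2023-25577.
INSTALLED_NEVRA = "python3-Werkzeug-1.0.1-150300.3.3.1.noarch"
UPSTREAM_FIXED_VERSION = "2.2.3"
# The vendor build in which SUSE shipped the fix, as stated in the report.
SUSE_FIXED_VERSION = "1.0.1"
SUSE_FIXED_RELEASE = "150300.3.3.1"
# Constructed, hypothetical: an older SUSE build that would predate the fix.
OLDER_NEVRA = "python3-Werkzeug-1.0.1-150300.3.2.1.noarch"

ARCHES = {"noarch", "x86_64", "i586", "i686", "aarch64", "ppc64le", "s390x", "src"}


@dataclass(frozen=True)
class Nevra:
    name: str
    epoch: int
    version: str
    release: str
    arch: str


def parse_nevra(s: str) -> Nevra:
    """Split name-[epoch:]version-release.arch (optionally ending in .rpm)."""
    if s.endswith(".rpm"):
        s = s[:-4]
    base, _, arch = s.rpartition(".")
    if arch not in ARCHES:
        raise ValueError(f"unknown architecture in {s!r}")
    # Split from the right: the name may contain '-', version and release may not.
    name_version, _, release = base.rpartition("-")
    name, _, version = name_version.rpartition("-")
    if not (name and version and release):
        raise ValueError(f"not a NEVRA string: {s!r}")
    epoch = 0
    if ":" in version:
        epoch_str, _, version = version.partition(":")
        epoch = int(epoch_str)
    return Nevra(name, epoch, version, release, arch)


_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~|\^")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings with rpm's segment rules; returns -1, 0 or 1.

    Numeric segments compare as integers, alphabetic ones lexically, a numeric segment
    beats an alphabetic one, '~' sorts before anything (pre-releases) and '^' sorts after
    the bare string but before any further segment (post-release snapshots).
    """
    if a == b:
        return 0
    ta, tb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = j = 0
    while i < len(ta) or j < len(tb):
        x = ta[i] if i < len(ta) else ""
        y = tb[j] if j < len(tb) else ""
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
        elif x == "^" or y == "^":
            if x == "":
                return -1
            if y == "":
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
        elif x == "" or y == "":
            break
        else:
            x_num, y_num = x.isdigit(), y.isdigit()
            if x_num != y_num:
                return 1 if x_num else -1
            if x_num:
                x, y = x.lstrip("0"), y.lstrip("0")
                if len(x) != len(y):
                    return 1 if len(x) > len(y) else -1
            if x != y:
                return 1 if x > y else -1
        i += 1
        j += 1
    if i >= len(ta) and j >= len(tb):
        return 0
    return -1 if i >= len(ta) else 1


def compare_evr(pkg: Nevra, epoch: int, version: str, release: str) -> int:
    """Full epoch:version-release comparison, in the order rpm itself applies."""
    if pkg.epoch != epoch:
        return 1 if pkg.epoch > epoch else -1
    rc = rpmvercmp(pkg.version, version)
    return rc if rc else rpmvercmp(pkg.release, release)


def flagged_by_upstream_version(pkg: Nevra, fixed_version: str) -> bool:
    """Version-only match: once the RPM is unpacked the release field is gone,
    so 1.0.1 is judged against upstream 2.2.3 and the backport is invisible."""
    return rpmvercmp(pkg.version, fixed_version) < 0


def flagged_by_distro_evr(pkg: Nevra, fixed_version: str, fixed_release: str,
                          fixed_epoch: int = 0) -> bool:
    """Distro-aware match: the vendor's fixed build is the bar, release included."""
    return compare_evr(pkg, fixed_epoch, fixed_version, fixed_release) < 0


if __name__ == "__main__":
    for nevra in (INSTALLED_NEVRA, OLDER_NEVRA):
        pkg = parse_nevra(nevra)
        print(f"{nevra}: version-only -> {flagged_by_upstream_version(pkg, UPSTREAM_FIXED_VERSION)}, "
              f"distro EVR -> {flagged_by_distro_evr(pkg, SUSE_FIXED_VERSION, SUSE_FIXED_RELEASE)}")
```

Run stand-alone, the installed build is flagged by the version-only rule and cleared by the EVR rule, while the constructed older build is flagged by both. The point for triage is that the release string is the only place the vendor records a backported fix, so any matcher that drops it (or any scan of files unpacked from the RPM) cannot distinguish patched from unpatched builds of the same upstream version.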