What happened:

Running on a container that has Python certifi installed, I get the following:

```
NAME     INSTALLED  FIXED-IN   TYPE    VULNERABILITY        SEVERITY
certifi  2022.12.7  2023.7.22  python  GHSA-xqr8-7jwr-rhp7  High
```

What you expected to happen:

According to the SUSE advisory, this issue does not affect SLES 15 SP4. Therefore, it is a false positive in the SLES 15 SP4 ecosystem.

Here is the link to the SUSE advisory: https://www.suse.com/security/cve/CVE-2023-37920.html

SUSE Linux Enterprise Server 15 SP4 | python-certifi | Not affected.

The Grype JSON log file points the finding at the following file:

```
"path": "/usr/lib/python3.6/site-packages/certifi-2022.12.7-py3.6.egg-info/PKG-INFO"
```

And the file belongs to this package:

```
rpm -qf /usr/lib/python3.6/site-packages/certifi-2022.12.7-py3.6.egg-info/PKG-INFO
python3-certifi-2022.12.7-150000.1.4.noarch
```

How to reproduce it (as minimally and precisely as possible):

1. Build an image with SUSE.
2. Install the package python3-certifi-2022.12.7-150000.1.4.noarch if available. Publicly, only the version python3-certifi=2018.1.18-150000.3.3.1 is available; however, it is enough to reproduce the issue.
3. Please try this Dockerfile to reproduce it:

```Dockerfile
FROM registry.suse.com/suse/sle15:15.4
RUN zypper in -y --no-recommends python3-certifi=2018.1.18-150000.3.3.1
ENTRYPOINT [""]
CMD ["bash"]
```

Build and test:

```
docker build -t "suse15.4_test:v1" .
grype suse15.4_test:v1
```

```
NAME     INSTALLED         FIXED-IN            TYPE    VULNERABILITY        SEVERITY
certifi  2018.1.18         2023.7.22           python  GHSA-xqr8-7jwr-rhp7  High
certifi  2018.1.18         2022.12.07          python  GHSA-43fp-rhv2-5gv8  Medium
glibc    2.31-150300.63.1  0:2.31-150300.74.1  rpm     CVE-2024-2961        High
```

Environment:

- Output of `grype version`: grype 0.74.7
- OS (e.g. `cat /etc/os-release` or similar): SUSE Linux Enterprise Server 15 SP4
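The triage step the report performs by hand (take the `path` from the Grype JSON, run `rpm -qf` on it, and check the owning distro package against the vendor advisory) can be scripted. The following is an added example, not code from the grype project or from this report: it reads a `grype -o json` report, asks which RPM owns the location of every non-RPM match, and renders grype `ignore:` rules for the distro-owned ones. The report and the `rpm -qf` answers are constructed samples embedded inline (the `examplepkg` match and its `CVE-0000-00000` id are placeholders); the `ignore` rule fields (`vulnerability`, `package.name`, `package.type`, `package.location`) follow the `.grype.yaml` format that grype documents.

```python
"""Which language-ecosystem grype matches (python, npm, ...) point at files that a
distro RPM owns?  Those are the ones to check against the distro advisory, and to
turn into grype ignore rules when the distro says "not affected".
Added example; not grype's own code."""
import json
import subprocess
from typing import Callable, Dict, List, Optional

# Constructed sample of `grype -o json` output, trimmed to the fields used here.
SAMPLE_GRYPE_JSON = json.dumps({
    "matches": [
        {   # the case from the report: egg-info metadata owned by an RPM
            "vulnerability": {"id": "GHSA-xqr8-7jwr-rhp7", "severity": "High"},
            "artifact": {
                "name": "certifi", "version": "2022.12.7", "type": "python",
                "locations": [{"path": "/usr/lib/python3.6/site-packages/"
                                       "certifi-2022.12.7-py3.6.egg-info/PKG-INFO"}],
            },
        },
        {   # an RPM match: already distro-scoped, nothing to cross-check
            "vulnerability": {"id": "CVE-2024-2961", "severity": "High"},
            "artifact": {
                "name": "glibc", "version": "2.31-150300.63.1", "type": "rpm",
                "locations": [{"path": "/var/lib/rpm/Packages"}],
            },
        },
        {   # a pip-installed package that no RPM owns (constructed placeholder)
            "vulnerability": {"id": "CVE-0000-00000", "severity": "Medium"},
            "artifact": {
                "name": "examplepkg", "version": "1.0.0", "type": "python",
                "locations": [{"path": "/usr/local/lib/python3.6/site-packages/"
                                       "examplepkg-1.0.0.dist-info/METADATA"}],
            },
        },
    ]
})

# Constructed stand-in for the `rpm -qf <path>` answers inside the container.
SAMPLE_RPM_OWNERS: Dict[str, str] = {
    "/usr/lib/python3.6/site-packages/certifi-2022.12.7-py3.6.egg-info/PKG-INFO":
        "python3-certifi-2022.12.7-150000.1.4.noarch",
}


def rpm_owner(path: str) -> Optional[str]:
    """Real lookup for use inside the image: `rpm -qf`; None when no package owns the path."""
    proc = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def triage_report(report_json: str,
                  owner_of: Callable[[str], Optional[str]]) -> List[dict]:
    """Return the non-RPM matches whose location is owned by an RPM."""
    report = json.loads(report_json)
    owned = []
    for match in report.get("matches", []):
        art = match["artifact"]
        if art.get("type") == "rpm":
            continue                      # distro package: the advisory already applies
        for loc in art.get("locations", []):
            owner = owner_of(loc["path"])
            if owner:
                owned.append({
                    "vulnerability": match["vulnerability"]["id"],
                    "package": art["name"],
                    "version": art.get("version"),
                    "type": art["type"],
                    "location": loc["path"],
                    "rpm": owner,
                })
    return owned


def ignore_rules_yaml(records: List[dict]) -> str:
    """Render grype `ignore:` rules (.grype.yaml) scoped to the exact package and location."""
    lines = ["ignore:"]
    for r in records:
        lines += [
            f"  # owned by {r['rpm']}; keep only if the distro advisory says not affected",
            f"  - vulnerability: {r['vulnerability']}",
            "    package:",
            f"      name: {r['package']}",
            f"      type: {r['type']}",
            f"      location: {json.dumps(r['location'])}",   # JSON string is valid YAML
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Offline run on the constructed sample; inside the image, pass rpm_owner instead.
    records = triage_report(SAMPLE_GRYPE_JSON, SAMPLE_RPM_OWNERS.get)
    for r in records:
        print(f"{r['vulnerability']}: {r['package']} {r['version']} at {r['location']} "
              f"is owned by {r['rpm']}")
    print(ignore_rules_yaml(records))
```

The rules are scoped to the exact `location` rather than only to the package name, so a second, pip-installed copy of the same package elsewhere in the image (which the distro advisory does not cover) is still reported.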