Scanning an image that has ruby2.5-rubygem-bundler-1.16.1-3.3.1.x86_64 installed generates a critical vulnerability:
```json
"vulnerability": {
  "id": "GHSA-jvgm-pfqv-887x",
  "dataSource": "GHSA-jvgm-pfqv-887x",
  "namespace": "github:language:ruby",
  "severity": "Critical",
  "urls": [
    "https://github.com/advisories/GHSA-jvgm-pfqv-887x"
  ],
  :
  :
  "relatedVulnerabilities": [
    {
      "id": "CVE-2016-7954",
      "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-7954",
      "namespace": "nvd:cpe",
      "severity": "Critical",
      "urls": [
"artifact": {
  "id": "e636f1dfae2e620b",
  "name": "bundler",
  "version": "1.16.1",
  "type": "gem",
  "locations": [
    {
      "path": "/usr/lib64/ruby/gems/2.5.0/specifications/bundler-1.16.1.gemspec",
      "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
    }
  ],
  "language": "ruby",
```
What you expected to happen:

According to the SUSE advisory, CVE-2016-7954 does not affect SLES 15.5:
https://www.suse.com/security/cve/CVE-2016-7954.html

| Product | Package | Status |
|---|---|---|
| SUSE Linux Enterprise Server 15 SP5 | rubygem-bundler | Not affected |
| SUSE Linux Enterprise Server 15 SP6 | rubygem-bundler | Not affected |
How to reproduce it (as minimally and precisely as possible):

```dockerfile
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends ruby2.5-rubygem-bundler=1.16.1-3.3.1
ENTRYPOINT [""]
CMD ["bash"]
```

```shell
# docker build takes a context directory, not the Dockerfile path
docker build -t suse15.5_test:v1 -f ./Dockerfile .
grype suse15.5_test:v1
```
```text
NAME     INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
bundler  1.16.1     2.0.0     gem   GHSA-jvgm-pfqv-887x  Critical   <== Critical vulnerability generated
bundler  1.16.1     2.1.0     gem   GHSA-g98m-96g9-wfjq  High
bundler  1.16.1     2.2.10    gem   GHSA-fp4w-jxhp-m23p  High
bundler  1.16.1     2.2.33    gem   GHSA-fj7f-vq84-fh43  Medium
date     1.0.0      2.0.1     gem   GHSA-qg54-694p-wgpp  High
```
Adding the distribution:

```shell
grype --distro sles:15.5 suse15.5_test:v1
```

```text
NAME     INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
bundler  1.16.1     2.0.0     gem   GHSA-jvgm-pfqv-887x  Critical   <===== No change
bundler  1.16.1     2.1.0     gem   GHSA-g98m-96g9-wfjq  High
bundler  1.16.1     2.2.10    gem   GHSA-fp4w-jxhp-m23p  High
```
Anything else we need to know?:

Environment:

Output of `grype version`: grype 0.76.0

OS (e.g. `cat /etc/os-release` or similar):

```text
$ cat /etc/os-release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
```
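The report above shows why `--distro` does not help: grype matched `bundler 1.16.1` through the `github:language:ruby` namespace on the `.gemspec` it found under `/usr/lib64/ruby/gems/2.5.0/specifications/`, and the distro flag only changes how OS packages (the RPM) are matched, not gems discovered by the language cataloger. Until that is handled in grype, the practical triage step is to separate gem matches that sit in distro-managed directories (where the vendor advisory, here SUSE's "Not affected", is the authority) from gems an application installed itself. The script below is an added example written for this issue, not grype's or SUSE's code. It parses grype's JSON report (`grype <image> -o json`), using the `matches[].vulnerability.id` and `matches[].artifact.{name,version,type,locations[].path}` fields visible in the excerpt above, and emits `ignore:` entries in the shape grype reads from `.grype.yaml`. The path heuristic (`/usr/lib{,64}/ruby/gems/<ver>/specifications/` means "installed by the package manager") and the sample report are constructed assumptions of this example; the third sample match reuses the page's GHSA-fj7f-vq84-fh43 on a vendored copy of the same gem to show the contrast.

```python
"""Triage grype gem matches that hit distro-packaged files.

Added example, not grype code. Reads grype's JSON report and splits gem
matches into "distro-managed, check the vendor advisory" and
"application-installed, keep". Distro-managed hits are turned into pinned
ignore rules for .grype.yaml; review each against the advisory before use.
"""
import json
import re
import sys

# Directories where the OS package manager, not `gem install`, writes gem
# metadata. Assumption of this example; extend for other distros as needed.
DISTRO_GEM_DIRS = re.compile(r"^/usr/lib(64)?/ruby/gems/[^/]+/specifications/")

# Constructed sample in the shape of grype's JSON output, trimmed to the fields
# used here. The first two entries mirror the issue's report; the third is the
# same bundler gem vendored under an application path, for contrast.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "GHSA-jvgm-pfqv-887x", "severity": "Critical"},
     "artifact": {"name": "bundler", "version": "1.16.1", "type": "gem",
                  "locations": [{"path": "/usr/lib64/ruby/gems/2.5.0/specifications/bundler-1.16.1.gemspec"}]}},
    {"vulnerability": {"id": "GHSA-qg54-694p-wgpp", "severity": "High"},
     "artifact": {"name": "date", "version": "1.0.0", "type": "gem",
                  "locations": [{"path": "/usr/lib64/ruby/gems/2.5.0/specifications/default/date-1.0.0.gemspec"}]}},
    {"vulnerability": {"id": "GHSA-fj7f-vq84-fh43", "severity": "Medium"},
     "artifact": {"name": "bundler", "version": "1.16.1", "type": "gem",
                  "locations": [{"path": "/app/vendor/bundle/ruby/2.5.0/specifications/bundler-1.16.1.gemspec"}]}},
]})


def is_distro_managed(match):
    """True only when every recorded location of the artifact is under a distro gem dir."""
    locations = match["artifact"].get("locations") or []
    return bool(locations) and all(DISTRO_GEM_DIRS.match(loc["path"]) for loc in locations)


def triage(report_json):
    """Split gem matches into (distro-managed candidates, application-owned)."""
    distro, app = [], []
    for match in json.loads(report_json).get("matches", []):
        if match["artifact"].get("type") != "gem":
            continue  # rpm/deb matches already carry the distro's fix status
        (distro if is_distro_managed(match) else app).append(match)
    return distro, app


def ignore_rules(matches):
    """Build entries in the shape of grype's `ignore:` config. Each rule is pinned
    to the vulnerability, package name/version/type and file location so it cannot
    silently cover a different copy of the same gem elsewhere in the image."""
    return [{
        "vulnerability": m["vulnerability"]["id"],
        "package": {
            "name": m["artifact"]["name"],
            "version": m["artifact"]["version"],
            "type": m["artifact"]["type"],
            "location": m["artifact"]["locations"][0]["path"],
        },
    } for m in matches]


def to_yaml(rules):
    """Render rules as a .grype.yaml fragment (fixed schema, so no yaml library)."""
    lines = ["ignore:"]
    for r in rules:
        p = r["package"]
        lines += [
            f"  - vulnerability: {r['vulnerability']}",
            "    package:",
            f"      name: {p['name']}",
            f"      version: {p['version']}",
            f"      type: {p['type']}",
            f"      location: {p['location']}",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: grype suse15.5_test:v1 -o json | python3 triage.py
    # Without piped input the constructed sample is used.
    data = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    distro, app = triage(data)
    for m in distro:
        a = m["artifact"]
        print(f"check vendor advisory: {m['vulnerability']['id']} {a['name']} "
              f"{a['version']} at {a['locations'][0]['path']}")
    for m in app:
        print(f"keep: {m['vulnerability']['id']} {m['artifact']['name']} (application-installed)")
    print(to_yaml(ignore_rules(distro)), end="")
```

The rules are deliberately narrow: an `ignore:` entry without `location` would also hide a copy of bundler 1.16.1 that an application bundled under `/app`, which the distro advisory says nothing about. Treat the generated fragment as a review list, and keep the "Not affected" advisory link next to each rule you commit.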