What happened:
Scanning an image that has ruby2.5-stdlib-2.5.9-150000.4.29.1.x86_64 installed generates a High vulnerability:
```
"vulnerability": {
  "id": "GHSA-ggxm-pgc9-g7fp",
  "dataSource": "GHSA-ggxm-pgc9-g7fp",
  "namespace": "github:language:ruby",
  "severity": "High",
  "urls": [
    "https://github.com/advisories/GHSA-ggxm-pgc9-g7fp"
  ],
  :
  :
"relatedVulnerabilities": [
  {
    "id": "CVE-2021-31799",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-31799",
    "namespace": "nvd:cpe",
    "severity": "High",
    :
    :
"artifact": {
  "id": "eaed7a04652749b6",
  "name": "rdoc",
  "version": "6.0.1.1",
  "type": "gem",
  "locations": [
    {
      "path": "/usr/lib64/ruby/gems/2.5.0/specifications/default/rdoc-6.0.1.1.gemspec",
      "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
    }
```
What you expected to happen:
According to the SUSE advisory:
https://www.suse.com/security/cve/CVE-2021-31799.html

```
SUSE Linux Enterprise Server 15 SP5
libruby2_5-2_5 >= 2.5.9-4.20.1
ruby2.5 >= 2.5.9-4.20.1
ruby2.5-devel >= 2.5.9-4.20.1
ruby2.5-devel-extra >= 2.5.9-4.20.1
ruby2.5-stdlib >= 2.5.9-4.20.1
Patchnames:
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA libruby2_5-2_5-2.5.9-150000.4.26.1
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA ruby2.5-2.5.9-150000.4.26.1
```

The installed version in the container is ruby2.5-stdlib-2.5.9-150000.4.29.1.x86_64:

```shell
rpm -qf /usr/lib64/ruby/gems/2.5.0/specifications/default/rdoc-6.0.1.1.gemspec
ruby2.5-stdlib-2.5.9-150000.4.29.1.x86_64
```

It is more recent than the minimal requirement from the SUSE advisory.
How to reproduce it (as minimally and precisely as possible):
1) Create the Dockerfile with this content:

```dockerfile
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends ruby2.5-rubygem-bundler=1.16.1-3.3.1
ENTRYPOINT [""]
CMD ["bash"]
```

```shell
# docker build takes a context directory; point -f at the Dockerfile and build from its directory
docker build -t "suse15.5_test:v1" -f ./Dockerfile .
docker run -it suse15.5_test:v1 bash
grype suse15.5_test:v1
```

```shell
$ grype --distro sles:15.5 suse15.5_test:v1
rdoc  6.0.1.1  6.1.2.1  gem  GHSA-ggxm-pgc9-g7fp  High
```
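The argument in the expected-behaviour section above (a gem shipped inside a distro RPM should be judged by the owning RPM's fixed version, not by the upstream gem version) and the reproduction output can be turned into a triage pass over grype's JSON matches. The script below is an added example and is not grype's code or part of this issue. It assumes a constructed match shaped like the finding in this report, a constructed stand-in for what `rpm -qf` returned in the container, and the fixed versions quoted from the SUSE advisory; its version comparison follows librpm's rpmvercmp rules for digit runs, letter runs and `~`, but does not model the `^` separator. The ignore-rule keys (`vulnerability`, `package.name/version/type`) follow the `ignore:` list format documented in grype's README; check them against the grype version you run.

```python
import re

# Segments of an RPM version string: digit runs, letter runs, and the '~' pre-release marker.
_SEG = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version (or release) strings the way librpm's rpmvercmp does:
    digit runs compare numerically, letter runs lexically, a digit run beats a letter
    run, '~' sorts lower than anything (even the end of the string), and otherwise the
    string with segments left over is newer. The '^' separator is not modelled
    (assumption: none of the packages discussed here use it).
    Returns -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    # One side is exhausted; a leading '~' in the remainder makes that side older.
    if len(sa) > len(sb):
        return -1 if sa[len(sb)] == "~" else 1
    if len(sb) > len(sa):
        return 1 if sb[len(sa)] == "~" else -1
    return 0


def evr_cmp(a: str, b: str) -> int:
    """Compare 'version-release' strings (the SUSE packages in this report carry no epoch)."""
    av, _, ar = a.partition("-")
    bv, _, br = b.partition("-")
    return rpmvercmp(av, bv) or rpmvercmp(ar, br)


# Constructed sample shaped like the match in this report (trimmed; not real grype output).
SAMPLE_MATCH = {
    "vulnerability": {"id": "GHSA-ggxm-pgc9-g7fp", "severity": "High"},
    "relatedVulnerabilities": [{"id": "CVE-2021-31799"}],
    "artifact": {
        "name": "rdoc", "version": "6.0.1.1", "type": "gem",
        "locations": [{"path": "/usr/lib64/ruby/gems/2.5.0/specifications/default/rdoc-6.0.1.1.gemspec"}],
    },
}

# Constructed stand-in for `rpm -qf <path>` inside the container: path -> (rpm name, version-release).
RPM_OWNER = {
    "/usr/lib64/ruby/gems/2.5.0/specifications/default/rdoc-6.0.1.1.gemspec": ("ruby2.5-stdlib", "2.5.9-150000.4.29.1"),
}

# Fixed version-release per RPM, taken from the SUSE advisory quoted in this report.
DISTRO_FIXED = {
    "CVE-2021-31799": {
        "libruby2_5-2_5": "2.5.9-4.20.1",
        "ruby2.5": "2.5.9-4.20.1",
        "ruby2.5-devel": "2.5.9-4.20.1",
        "ruby2.5-devel-extra": "2.5.9-4.20.1",
        "ruby2.5-stdlib": "2.5.9-4.20.1",
    },
}


def triage(match, rpm_owner=RPM_OWNER, distro_fixed=DISTRO_FIXED):
    """Classify one grype match. Returns (verdict, detail): 'backport-fixed' when the
    matched file is owned by an RPM at or above the distro's fixed version for a related
    CVE, 'vulnerable' when the owning RPM is below it, 'unknown' when no RPM or advisory
    data applies (keep the finding in that case)."""
    cves = [v["id"] for v in match.get("relatedVulnerabilities", []) if v["id"].startswith("CVE-")]
    for loc in match["artifact"].get("locations", []):
        owner = rpm_owner.get(loc.get("path"))
        if owner is None:
            continue  # not a distro-managed file: the upstream gem version applies
        rpm_name, installed = owner
        for cve in cves:
            fixed = distro_fixed.get(cve, {}).get(rpm_name)
            if fixed is None:
                continue
            if evr_cmp(installed, fixed) >= 0:
                return "backport-fixed", f"{rpm_name}-{installed} >= {fixed} fixes {cve}"
            return "vulnerable", f"{rpm_name}-{installed} < {fixed} for {cve}"
    return "unknown", "no distro RPM/advisory data for this file"


def ignore_rule(match):
    """Build a grype ignore-list entry pinned to the exact package and version, so the rule
    cannot silently cover a later, genuinely vulnerable version of the same gem."""
    art = match["artifact"]
    return {
        "vulnerability": match["vulnerability"]["id"],
        "package": {"name": art["name"], "version": art["version"], "type": art["type"]},
    }


if __name__ == "__main__":
    verdict, why = triage(SAMPLE_MATCH)
    print(verdict, "-", why)
    if verdict == "backport-fixed":
        print("suggested grype ignore rule:", ignore_rule(SAMPLE_MATCH))
```

For the match in this report the verdict is `backport-fixed`, because the release `150000.4.29.1` compares above the advisory's `4.20.1` (and above the `150000.4.26.1` patch build). Pinning the ignore rule to `rdoc 6.0.1.1` keeps it from hiding the same advisory on a container whose ruby2.5-stdlib RPM is older than the fix.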
Anything else we need to know?:
Environment:

```shell
$ grype --version
grype 0.76.0
```

```shell
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
```