What happened:
Scanning an image that has python3-certifi-2018.1.18-150000.3.3.1.noarch installed generates these vulnerabilities:
$ grype --distro sles:15.5 suse15.5_python3-certifi:v1
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
certifi 2018.1.18 2023.7.22 python GHSA-xqr8-7jwr-rhp7 High (CVE-2023-37920)
certifi 2018.1.18 2022.12.07 python GHSA-43fp-rhv2-5gv8 Med (CVE-2022-23491)
JSON Format:
"vulnerability": {
"id": "GHSA-43fp-rhv2-5gv8",
"dataSource": "GHSA-43fp-rhv2-5gv8",
"namespace": "github:language:python",
"severity": "Medium",
"urls": [
"https://github.com/advisories/GHSA-43fp-rhv2-5gv8"
],
:
"relatedVulnerabilities": [
{
"id": "CVE-2022-23491",
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-23491",
"namespace": "nvd:cpe",
"severity": "High",
"urls": [
"https://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8",
"https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ"
],
:
:
"artifact": {
"id": "dcce5227fb35985c",
"name": "certifi",
"version": "2018.1.18",
"type": "python",
"locations": [
{
"path": "/usr/lib/python3.6/site-packages/certifi-2018.1.18-py3.6.egg-info/PKG-INFO",
"layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
},
{
"path": "/usr/lib/python3.6/site-packages/certifi-2018.1.18-py3.6.egg-info/top_level.txt",
"layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
}
What you expected to happen:
According to the SUSE advisory for CVE-2022-23491, the patch for this CVE is applied from version python3-certifi >= 2018.1.18-150000.3.3.1.
See this link: https://www.suse.com/security/cve/CVE-2022-23491.html
SUSE Linux Enterprise Server 15 SP5
python3-certifi >= 2018.1.18-150000.3.3.1
Patchnames:
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python-certifi-2018.1.18-150000.3.3.1
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python3-certifi-2018.1.18-150000.3
Installed version in the container: python3-certifi-2018.1.18-150000.3.3.1
rpm -qf /usr/lib/python3.6/site-packages/certifi-2018.1.18-py3.6.egg-info/PKG-INFO
Conclusion: The installed version meets the minimum patched version required by the SLES 15.5 advisory, but Grype still generates vulnerabilities.
How to reproduce it (as minimally and precisely as possible):
Create the Dockerfile with this content:
Build an image from the Dockerfile:
$ docker build -t "suse15.5_python3-certifi:v1" .
$ grype --distro sles:15.5 suse15.5_python3-certifi:v1
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
certifi 2018.1.18 2023.7.22 python GHSA-xqr8-7jwr-rhp7 High
certifi 2018.1.18 2022.12.07 python GHSA-43fp-rhv2-5gv8 Med
Anything else we need to know?:
Related issues that have been closed:
#1510
#1172
However, this problem is still present in the SUSE ecosystem.
It can be reproduced easily; we are running Grype 0.78.0, quite a recent version.
Environment:
$ grype --version
grype 0.78.0
In the container image ecosystem:
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
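The check a practitioner wants here is the one the report does by hand: find the RPM that owns the egg-info Grype matched on, and compare that RPM's version-release with the fixed version the distro advisory states, using RPM's own ordering rather than pip-style version parsing (which does not understand a release like 150000.3.3.1). The script below is an added example, not code from Grype or SUSE. It re-implements librpm's rpmvercmp/EVR ordering, then triages a Grype JSON report. The `matches` key, the ownership table (what `rpm -qf` would answer) and the advisory table are constructed from the values quoted in the report; only CVE-2022-23491 has a quoted SUSE fixed version, so the other finding is reported as unknown rather than guessed.

```python
"""Triage Grype findings on RPM-owned Python packages against a distro advisory.

Added example, not Grype's or SUSE's code. Ownership, advisory and report
data below are constructed from the values quoted in the issue text.
"""
import re


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 with the same ordering as librpm's rpmvercmp(a, b)."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)

    def is_sep(c):  # separators are anything except alnum, '~' and '^'
        return not (c.isalnum() or c in "~^")

    while i < la or j < lb:
        while i < la and is_sep(a[i]):
            i += 1
        while j < lb and is_sep(b[j]):
            j += 1
        # '~' (pre-release) sorts before everything, including end of string
        ta, tb = i < la and a[i] == "~", j < lb and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' (post-release) is like '~', except end of string sorts before it
        ca, cb = i < la and a[i] == "^", j < lb and b[j] == "^"
        if ca or cb:
            if i >= la:
                return -1
            if j >= lb:
                return 1
            if not ca:
                return 1
            if not cb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= la or j >= lb:
            break
        # compare a run of digits or a run of ASCII letters, decided by a's next char
        numeric = a[i].isdigit()
        pat = r"\d+" if numeric else r"[A-Za-z]+"
        sa = re.match(pat, a[i:]).group(0)
        mb = re.match(pat, b[j:])
        if mb is None:  # segment types differ: numeric segments are newer
            return 1 if numeric else -1
        sb = mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1  # whichever side has characters left wins


def split_evr(evr: str):
    """'[epoch:]version-release' -> (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Order two EVR strings the way rpm/zypper do: epoch, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


CERTIFI_PKG_INFO = "/usr/lib/python3.6/site-packages/certifi-2018.1.18-py3.6.egg-info/PKG-INFO"
# Constructed: what `rpm -qf <path>` answers in the reported image, as (name, version-release).
RPM_OWNER = {CERTIFI_PKG_INFO: ("python3-certifi", "2018.1.18-150000.3.3.1")}
# Constructed from the SUSE advisory quoted in the report; only this CVE's fix is quoted.
SUSE_FIXED = {("CVE-2022-23491", "python3-certifi"): "2018.1.18-150000.3.3.1"}


def triage(report: dict, rpm_owner=RPM_OWNER, suse_fixed=SUSE_FIXED) -> dict:
    """Map each Grype finding id to 'fixed-by-distro', 'unfixed' or 'unknown'."""
    verdicts = {}
    for m in report["matches"]:
        vid = m["vulnerability"]["id"]
        cves = {r["id"] for r in m.get("relatedVulnerabilities", []) if r["id"].startswith("CVE-")}
        if vid.startswith("CVE-"):
            cves.add(vid)
        owners = {rpm_owner[l["path"]] for l in m["artifact"]["locations"] if l["path"] in rpm_owner}
        found = set()
        for cve in cves:
            for name, installed in owners:
                fixed = suse_fixed.get((cve, name))
                if fixed is not None:
                    found.add("fixed-by-distro" if evr_cmp(installed, fixed) >= 0 else "unfixed")
        verdicts[vid] = "unfixed" if "unfixed" in found else ("fixed-by-distro" if found else "unknown")
    return verdicts


# Constructed Grype JSON, trimmed to the fields the report's excerpt shows.
SAMPLE_REPORT = {"matches": [
    {"vulnerability": {"id": "GHSA-43fp-rhv2-5gv8"},
     "relatedVulnerabilities": [{"id": "CVE-2022-23491"}],
     "artifact": {"name": "certifi", "version": "2018.1.18", "locations": [{"path": CERTIFI_PKG_INFO}]}},
    {"vulnerability": {"id": "GHSA-xqr8-7jwr-rhp7"},
     "relatedVulnerabilities": [{"id": "CVE-2023-37920"}],
     "artifact": {"name": "certifi", "version": "2018.1.18", "locations": [{"path": CERTIFI_PKG_INFO}]}},
]}

if __name__ == "__main__":
    for vid, verdict in triage(SAMPLE_REPORT).items():
        print(f"{vid}: {verdict}")
```

Run it against real data by feeding `grype -o json` output in place of `SAMPLE_REPORT` and filling `RPM_OWNER` from `rpm -qf --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <path>` for each artifact location; a finding whose owning RPM is at or above the advisory's fixed EVR is the false positive the report describes, while one below it is a genuine gap and must not be silenced.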