
False positive: GHSA-43fp-rhv2-5gv8 (CVE-2022-23491), GHSA-xqr8-7jwr-rhp7 (CVE-2023-37920) python3-certifi in SLES 15.5 Ecosystem #1907

Open
sekveaja opened this issue Jun 3, 2024 · 0 comments
Labels
bug Something isn't working false-positive


sekveaja commented Jun 3, 2024

What happened:
Scanning an image that has python3-certifi-2018.1.18-150000.3.3.1.noarch installed generates these vulnerabilities:

$ grype --distro sles:15.5 suse15.5_python3-certifi:v1

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
certifi 2018.1.18 2023.7.22 python GHSA-xqr8-7jwr-rhp7 High (CVE-2023-37920)
certifi 2018.1.18 2022.12.07 python GHSA-43fp-rhv2-5gv8 Med (CVE-2022-23491)

JSON Format:

"vulnerability": {
  "id": "GHSA-43fp-rhv2-5gv8",
  "dataSource": "GHSA-43fp-rhv2-5gv8",
  "namespace": "github:language:python",
  "severity": "Medium",
  "urls": [
    "https://github.com/advisories/GHSA-43fp-rhv2-5gv8"
  ],
  :
"relatedVulnerabilities": [
  {
    "id": "CVE-2022-23491",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-23491",
    "namespace": "nvd:cpe",
    "severity": "High",
    "urls": [
      "https://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8",
      "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ"
    ],
    :
  :
"artifact": {
  "id": "dcce5227fb35985c",
  "name": "certifi",
  "version": "2018.1.18",
  "type": "python",
  "locations": [
    {
      "path": "/usr/lib/python3.6/site-packages/certifi-2018.1.18-py3.6.egg-info/PKG-INFO",
      "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
    },
    {
      "path": "/usr/lib/python3.6/site-packages/certifi-2018.1.18-py3.6.egg-info/top_level.txt",
      "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
    }

What you expected to happen:

According to the SUSE advisory for CVE-2022-23491, the patch for this CVE is applied from version python3-certifi >= 2018.1.18-150000.3.3.1.

See this link: https://www.suse.com/security/cve/CVE-2022-23491.html

SUSE Linux Enterprise Server 15 SP5
python3-certifi >= 2018.1.18-150000.3.3.1
Patchnames:
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python-certifi-2018.1.18-150000.3.3.1
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python3-certifi-2018.1.18-150000.3

Installed version in the container: python3-certifi-2018.1.18-150000.3.3.1

rpm -qf /usr/lib/python3.6/site-packages/certifi-2018.1.18-py3.6.egg-info/PKG-INFO

python3-certifi-2018.1.18-150000.3.3.1.noarch

Conclusion: The installed version meets the minimum patch requirement from SLES 15.5, but Grype generates vulnerabilities.

How to reproduce it (as minimally and precisely as possible):

  1. Create the Dockerfile with this content:

           FROM registry.suse.com/suse/sle15:15.5
           RUN zypper in -y --no-recommends  python3-certifi=2018.1.18-150000.3.3.1
           ENTRYPOINT [""]
           CMD ["bash"]
    
  2. Build an image from Dockerfile

$ docker build -t "suse15.5_python3-certifi:v1" .

  3. Test with Grype now

$ grype --distro sles:15.5 suse15.5_python3-certifi:v1

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
certifi 2018.1.18 2023.7.22 python GHSA-xqr8-7jwr-rhp7 High
certifi 2018.1.18 2022.12.07 python GHSA-43fp-rhv2-5gv8 Med

Anything else we need to know?:

Related issues that have been closed:
#1510
#1172

However, this problem is still present with the SUSE ecosystem and can be reproduced easily. We are running Grype 0.78.0, quite a recent version.

Environment:

$ grype --version
grype 0.78.0

In the container image ecosystem:
bash-4.4$ cat /etc/release

NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
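Triage logic for the mismatch described in this report, written as an added example (not Grype's code): a Grype JSON match is classed as distro-patched when the matched Python package's files are owned by an RPM whose EVR meets the SUSE advisory's fixed version. The RPM_OWNER map stands in for `rpm -qf` inside the container, SUSE_FIXED holds only the fix version quoted above (so the CVE-2023-37920 match is left for review), and rpmvercmp is a simplified form of RPM's comparison without tilde/caret handling.

```python
import re

# Constructed from the report above: SUSE advisory fixed EVR for SLES 15 SP5.
# Only CVE-2022-23491 is quoted on the page, so CVE-2023-37920 is deliberately absent.
SUSE_FIXED = {"CVE-2022-23491": "2018.1.18-150000.3.3.1"}
# Constructed stand-in for `rpm -qf <path>` inside the scanned container.
RPM_OWNER = {"/usr/lib/python3.6/site-packages/certifi-2018.1.18-py3.6.egg-info/PKG-INFO":
             "python3-certifi-2018.1.18-150000.3.3.1.noarch"}

def rpmvercmp(a, b):
    """Simplified rpmvercmp: digit runs compare numerically, letter runs lexically,
    a numeric segment beats an alphabetic one, longer wins on a tie (no ~ or ^)."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        x, y = (int(x), int(y)) if x.isdigit() else (x, y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings the RPM way: version first, then release."""
    av, _, ar = a.partition("-")
    bv, _, br = b.partition("-")
    return rpmvercmp(av, bv) or rpmvercmp(ar, br)

def nvra_to_evr(nvra):
    """'python3-certifi-2018.1.18-150000.3.3.1.noarch' -> '2018.1.18-150000.3.3.1'"""
    _name, ver, rel = nvra.rsplit(".", 1)[0].rsplit("-", 2)
    return f"{ver}-{rel}"

def triage(match):
    """'distro-patched' if a file of the matched Python package belongs to an RPM whose
    EVR meets the SUSE fixed version for one of the match's CVEs, else 'review'."""
    cves = [v["id"] for v in match.get("relatedVulnerabilities", [])]
    if match["vulnerability"]["id"].startswith("CVE-"):
        cves.append(match["vulnerability"]["id"])
    for loc in match["artifact"]["locations"]:
        owner = RPM_OWNER.get(loc["path"])
        if owner and any(c in SUSE_FIXED and evr_cmp(nvra_to_evr(owner), SUSE_FIXED[c]) >= 0
                         for c in cves):
            return "distro-patched"
    return "review"

# Constructed sample: the two matches from the report, trimmed to the fields used here.
LOCS = [{"path": "/usr/lib/python3.6/site-packages/certifi-2018.1.18-py3.6.egg-info/PKG-INFO"}]
MATCHES = [{"vulnerability": {"id": "GHSA-43fp-rhv2-5gv8"}, "artifact": {"locations": LOCS},
            "relatedVulnerabilities": [{"id": "CVE-2022-23491"}]},
           {"vulnerability": {"id": "GHSA-xqr8-7jwr-rhp7"}, "artifact": {"locations": LOCS},
            "relatedVulnerabilities": [{"id": "CVE-2023-37920"}]}]
```

Running `for m in MATCHES: print(m["vulnerability"]["id"], triage(m))` marks the first match distro-patched and leaves the second for review, which is the split a scanner would need the distro advisory data to make.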

@sekveaja sekveaja added the bug Something isn't working label Jun 3, 2024
@sekveaja sekveaja changed the title False positive: GHSA-43fp-rhv2-5gv8 (CVE-2022-23491) in SLES 15.5 Ecosystem False positive: GHSA-43fp-rhv2-5gv8 (CVE-2022-23491), GHSA-xqr8-7jwr-rhp7 (CVE-2023-37920) python3-certifi in SLES 15.5 Ecosystem Jun 13, 2024