Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

False positive: GHSA-w596-4wvx-j9j6 (CVE-2022-42969) in SLES 15.5 Ecosystem #1929

Open
sekveaja opened this issue Jun 11, 2024 · 0 comments
Open

False positive: GHSA-w596-4wvx-j9j6 (CVE-2022-42969) in SLES 15.5 Ecosystem #1929

sekveaja opened this issue Jun 11, 2024 · 0 comments
Labels
bug Something isn't working false-positive

Comments

@sekveaja
Copy link

What happened:

Scan on image that has python-py-1.10.0-150100.5.12.1.noarch installed.
It generates high vulnerability:

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
py 1.10.0 python GHSA-w596-4wvx-j9j6 High

JSON format:

"vulnerability": {
"id": "GHSA-w596-4wvx-j9j6",
"dataSource": "GHSA-w596-4wvx-j9j6",
"namespace": "github:language:python",
"severity": "High",
"urls": [
"https://github.com/advisories/GHSA-w596-4wvx-j9j6"
:
:
"relatedVulnerabilities": [
{
"id": "CVE-2022-42969",
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-42969",
"namespace": "nvd:cpe",
"severity": "High",
"urls": [
:
:
"artifact": {
"id": "8619b49f03ad7ee0",
"name": "py",
"version": "1.10.0",
"type": "python",
"locations": [
{
"path": "/usr/lib/python3.6/site-packages/py-1.10.0-py3.6.egg-info/PKG-INFO",
"layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
},

What you expected to happen:

According to SUSE Advisory CVE-2022-42969
Patch for this CVE is applied from version python-py-1.10.0-150100.5.12.1

See with this link: https://www.suse.com/security/cve/CVE-2022-42969.html

SUSE Linux Enterprise Server 15 SP5
python3-py >= 1.10.0-150100.5.12.1
Patchnames:
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python-py-1.10.0-150100.5.12.1
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python3-py-1.10.0-150100.5.12.1

Installed version in the container: python3-py-1.10.0-150100.5.12.1.noarch

rpm -qf /usr/lib/python3.6/site-packages/py-1.10.0-py3.6.egg-info/PKG-INFO

python3-py-1.10.0-150100.5.12.1.noarch

Conclusion: Installed version meet the minimal requirement patch from SLES 15.5 but Grype generate a vulnerability.

How to reproduce it (as minimally and precisely as possible):

  1. Create the Dockerfile with this content:

FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-py=1.10.0-150100.5.12.1
ENTRYPOINT [""]
CMD ["bash"]

  1. Build an image from Dockerfile

$ docker build -t "suse15.5_python3-py:v1" .

  1. Test with Grype now

$ grype --distro sles:15.5 suse15.5_python3-py:v1

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
py 1.10.0 python GHSA-w596-4wvx-j9j6 High

Environment:

$ grype --version
grype 0.78.0

In container image eco-system:

bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
@sekveaja sekveaja added the bug Something isn't working label Jun 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working false-positive
Projects
OSS
Status: No status
Milestone
No milestone
Development

No branches or pull requests
2 participants
@wagoodman @sekveaja