False positive: GHSA-x4qr-2fvf-3mr5 (CVE-2023-0286), GHSA-jfhm-5ghh-2f97 (CVE-2023-49083) in SLES 15.5 Ecosystem but trigger by cryptography

[sekveaja]

What happened:

Scan on image that has python3-cryptography-3.3.2-150400.23.1.x86_64 installed.
It generates high vulnerability:

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
cryptography 3.3.2 39.0.1 python GHSA-x4qr-2fvf-3mr5 High
cryptography 3.3.2 42.0.0 python GHSA-3ww4-gg4f-jr7f High
cryptography 3.3.2 39.0.1 python GHSA-w7pp-m8wf-vj6r Medium
cryptography 3.3.2 41.0.6 python GHSA-jfhm-5ghh-2f97 Medium
cryptography 3.3.2 42.0.2 python GHSA-9v9h-cgj8-h64p Medium
cryptography 3.3.2 41.0.4 python GHSA-v8gr-m533-ghj9 Low
cryptography 3.3.2 41.0.3 python GHSA-jm77-qphf-c4w8 Low
cryptography 3.3.2 41.0.0 python GHSA-5cpq-8wj7-hf2v Low

JSON format:

"vulnerability": {
"id": "GHSA-x4qr-2fvf-3mr5",
"dataSource": "GHSA-x4qr-2fvf-3mr5",
"namespace": "github:language:python",
"severity": "High",
"urls": [
"https://github.com/advisories/GHSA-x4qr-2fvf-3mr5"
],
"description": "Vulnerable OpenSSL included in cryptography wheels",
:
:
"relatedVulnerabilities": [
{
"id": "CVE-2023-0286",
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0286",
"namespace": "nvd:cpe",
"severity": "High",
"urls": [
"https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt",
"https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig",
:
:
"artifact": {
"id": "38aca2c4012b270d",
"name": "cryptography",
"version": "3.3.2",
"type": "python",
"locations": [
{
"path": "/usr/lib64/python3.6/site-packages/cryptography-3.3.2-py3.6.egg-info/PKG-INFO",
"layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
},

What you expected to happen:

According to SUSE Advisory CVE-2023-0286
Patch for this CVE is already fixed.

See with this link: https://www.suse.com/security/cve/CVE-2023-0286.html

SUSE Linux Enterprise Server 15 SP5 openssl Not affected
SUSE Linux Enterprise Server 15 SP5 openssl-1_0_0 Released
SUSE Linux Enterprise Server 15 SP5 openssl-1_1 Already fixed
SUSE Linux Enterprise Server 15 SP5 openssl-3 Already fixed

Conclusion: Issue with CVE-2023-0286 is related to Openssl according to NVD.
As for SUSE advisory, this CVE is already fixed.
Grype is pointing to an artifact that is related to cryptography where cryptography may include an older
version of Openssl.
There is something that Grype doesn't take account in this case, the dependency.
Cryptography requires Openssl but most OS provider is already patched, upgraded, fixed in their newest
release or minor release.
It is good to flag, however, it is definitely a false positive for an ecosystem that already has the fixes of
Openssl.

How to reproduce it (as minimally and precisely as possible):

1. Create the Dockerfile with this content:

FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-cryptography=3.3.2-150400.23.1.x86_64
ENTRYPOINT [""]
CMD ["bash"]

2. Build an image from Dockerfile

$ docker build -t "suse15.5_python3-cryptography:v1" .

3. Test with Grype now

$ grype --distro sles:15.5 suse15.5_python3-cryptography:v1

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
cryptography 3.3.2 39.0.1 python GHSA-x4qr-2fvf-3mr5 High
cryptography 3.3.2 42.0.0 python GHSA-3ww4-gg4f-jr7f High
cryptography 3.3.2 39.0.1 python GHSA-w7pp-m8wf-vj6r Medium
cryptography 3.3.2 41.0.6 python GHSA-jfhm-5ghh-2f97 Medium
cryptography 3.3.2 42.0.2 python GHSA-9v9h-cgj8-h64p Medium
cryptography 3.3.2 41.0.4 python GHSA-v8gr-m533-ghj9 Low
cryptography 3.3.2 41.0.3 python GHSA-jm77-qphf-c4w8 Low
cryptography 3.3.2 41.0.0 python GHSA-5cpq-8wj7-hf2v Low

Environment:
$ grype --version
grype 0.78.0

In container image eco-system:

bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"