False Positive: GHSA-5mj6-643f-2g85 (CVE-2013-2256),.... python3-nova Openstack #1978
Labels
bug
Something isn't working
Comments
sekveaja
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What happened:
Scan on image that has python3-nova-22.2.2.dev15-1000.R11A02.noarch installed
It generates vulnerability:
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
nova 22.2.2.dev15 2013.2.4 python GHSA-xjmj-p278-4jp5 Medium
nova 22.2.2.dev15 2014.1.4 python GHSA-x8xr-rm9r-7mvf Medium
nova 22.2.2.dev15 22.2.3 python GHSA-vqp6-j452-j6wp Medium
nova 22.2.2.dev15 2014.2.4 python GHSA-mfmj-gwg3-vhw7 Medium
nova 22.2.2.dev15 2013.2 python GHSA-j6xh-q826-55jw Medium
nova 22.2.2.dev15 2014.1.3 python GHSA-92hc-c226-32q7 Medium
nova 22.2.2.dev15 24.1.2 python GHSA-7h75-hwxx-qpgc Medium
nova 22.2.2.dev15 2014.2.4 python GHSA-67rh-9p29-vrxr Medium
nova 22.2.2.dev15 2013.1.3 python GHSA-5mj6-643f-2g85 Medium
nova 22.2.2.dev15 2014.1.4 python GHSA-43hc-pwvx-pmfg Medium
nova 22.2.2.dev15 23.2.2 python GHSA-v725-c588-h936 Low
What you expected to happen:
According to this link for Openstack:
https://releases.openstack.org/teams/nova.html
There is a change in version convention from Liberty release until to today.
Old Serie:
Kilo release series is
2015.1.4
2015.1.3
2015.1.2
2015.1.1
2015.1.0
New version convention:
From Liberty release series to today
12.0.6
12.0.5
12.0.4
:
The release that is reported for this issue is Victoria version 22.2.2.:
( 9 release more recent than Liberty series)
22.4.0
22.3.0
22.2.2 <---
22.2.1
:
Conclusion:
Due to the change of version from Liberty release series, the tool is not really taking account of the change.
If it takes only reference from from NVD or GitHub, I believe it is wrong in this case.
How to reproduce it (as minimally and precisely as possible):
It is not possible to find this package python3-nova-22.2.2.dev15-1000.R11A02.noarch
But there is a way to reproduce easily:
Get nova-22.2.2.tar.gz file from Openstack
wget https://tarballs.openstack.org/nova/nova-22.2.2.tar.gz
Run Grype
$ grype nova-22.2.2.tar.gz
✔ Vulnerability DB [no update available]
✔ Indexed file system /tmp/syft-archive-contents-854829737
✔ Cataloged contents d3310365e593a66ba9c3161afd83441376acc12a1b143a2e4c41fc80c54096f2
├── ✔ Packages [1 packages]
└── ✔ Executables [0 executables]
✔ Scanned for vulnerabilities [0 vulnerability matches]
├── by severity: 0 critical, 0 high, 10 medium, 1 low, 0 negligible
└── by status: 11 fixed, 0 not-fixed, 0 ignored
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
nova 22.2.2 2013.2.4 python GHSA-xjmj-p278-4jp5 Medium
nova 22.2.2 2014.1.4 python GHSA-x8xr-rm9r-7mvf Medium
nova 22.2.2 22.2.3 python GHSA-vqp6-j452-j6wp Medium
nova 22.2.2 2014.2.4 python GHSA-mfmj-gwg3-vhw7 Medium
nova 22.2.2 2013.2 python GHSA-j6xh-q826-55jw Medium
nova 22.2.2 2014.1.3 python GHSA-92hc-c226-32q7 Medium
nova 22.2.2 24.1.2 python GHSA-7h75-hwxx-qpgc Medium
nova 22.2.2 2014.2.4 python GHSA-67rh-9p29-vrxr Medium
nova 22.2.2 2013.1.3 python GHSA-5mj6-643f-2g85 Medium
nova 22.2.2 2014.1.4 python GHSA-43hc-pwvx-pmfg Medium
nova 22.2.2 23.2.2 python GHSA-v725-c588-h936 Low
Environment:
Output of
grype version:$ grype --version
grype 0.78.0
OS (e.g:
cat /etc/os-releaseor similar):bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
The text was updated successfully, but these errors were encountered: