Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

False positive: GHSA-j8r2-6x86-q33q (CVE-2023-32681) python3-requests GHSA-5xp3-jfq3-5q8x (CVE-2021-3572) python3-pip #1984

Open
sekveaja opened this issue Jul 10, 2024 · 0 comments
Open

False positive: GHSA-j8r2-6x86-q33q (CVE-2023-32681) python3-requests GHSA-5xp3-jfq3-5q8x (CVE-2021-3572) python3-pip #1984

sekveaja opened this issue Jul 10, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@sekveaja
Copy link

What happened:
Scan on image that has python3-requests-2.25.1-150300.3.6.1.noarch and python3-pip-20.0.2-150400.20.1.noarch installed.
It generates high vulnerability:

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
pip 20.0.2 23.3 python GHSA-mq26-g339-26xf Medium
pip 20.0.2 21.1 python GHSA-5xp3-jfq3-5q8x Medium
requests 2.25.1 2.31.0 python GHSA-j8r2-6x86-q33q Medium
requests 2.25.1 2.32.0 python GHSA-9wx4-h78v-vm56 Medium

What you expected to happen:

  1. According to SUSE Advisory CVE-2023-32681
    Patch for this CVE is applied from version python3-requests >= 2.24.0-150300.3.3.1

    See with this link: https://www.suse.com/security/cve/CVE-2023-32681.html

    SUSE Linux Enterprise Server 15 SP4
    python3-requests >= 2.24.0-150300.3.3.1

    But package that is installed in the container: python3-requests-2.25.1-150300.3.6.1

  2. According to SUSE Advisory CVE-2021-3572
    Patch for this CVE is applied from version python3-pip >= 20.0.2-150400.15.6

    See with this link: https://www.suse.com/security/cve/CVE-2021-3572.html

    SUSE Linux Enterprise Server 15 SP4
    python3-pip >= 20.0.2-150400.15.6

    But package that is installed in the container: python3-pip-20.0.2-150400.20.1

To resume:

Installed version in the container:
python3-requests-2.25.1-150300.3.6.1.noarch
python3-pip-20.0.2-150400.20.1.noarch

SUSE Linux Enterprise Server 15 SP4 minimal requirement for the those CVE.
python3-requests >= 2.24.0-150300.3.3.1
python3-pip >= 20.0.2-150400.15.6

Conclusion: Installed version meet the minimal requirement patch from SLES 15.4 but Grype generate vulnerabilities.

How to reproduce it (as minimally and precisely as possible):

  1. Create the Dockerfile with this content:

FROM registry.suse.com/suse/sle15:15.4
RUN zypper in -y --no-recommends python3-pip=20.0.2-150400.20.1
RUN zypper in -y --no-recommends python3-requests=2.25.1-150300.3.6.1
ENTRYPOINT [""]
CMD ["bash"]

  1. Build an image from Dockerfile

$ docker build -t "suse15.4_pip_request:v1" .

  1. Test with Grype now

$ grype --distro sles:15.4 suse15.4_pip_request:v1

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
pip 20.0.2 23.3 python GHSA-mq26-g339-26xf Medium
pip 20.0.2 21.1 python GHSA-5xp3-jfq3-5q8x Medium
py 1.10.0 python GHSA-w596-4wvx-j9j6 High
python3 3.6.15-150300.10.51.1 0:3.6.15-150300.10.57.1 rpm CVE-2022-48566 Medium
python3-base 3.6.15-150300.10.51.1 0:3.6.15-150300.10.57.1 rpm CVE-2022-48566 Medium
requests 2.25.1 2.31.0 python GHSA-j8r2-6x86-q33q Medium
requests 2.25.1 2.32.0 python GHSA-9wx4-h78v-vm56 Medium

Environment:
$ grype --version
grype 0.78.0

In container image eco-system:

bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP4"
VERSION_ID="15.4"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP4"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
@sekveaja sekveaja added the bug Something isn't working label Jul 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
OSS
Status: No status
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sekveaja