
False Positive: GHSA-248v-346w-9cwc/(CVE-2024-39689) reported for certifi library in python #2013

Status: Closed
pcreager23 opened this issue Jul 26, 2024 · 2 comments
Labels: bug (Something isn't working)

pcreager23 commented Jul 26, 2024

What happened:
We have Python images with certifi version 2024.7.4, but grype is flagging them as vulnerable to CVE-2024-39689 / GHSA-248v-346w-9cwc since the version string does not match "2024.07.04".

Per the GHSA (and CVE) advisories, the fixed versions are ≥ 2024.7.4, but grype is marking this vulnerability as applicable for my image:

"matchDetails":[
  {
    "found":{"versionConstraint":"\u003e=2021.05.30,\u003c2024.07.04 (python)",
             "vulnerabilityID":"GHSA-248v-346w-9cwc"},
    "matcher":"python-matcher",
    "searchedBy":{
      "language":"python",
      "namespace":"github:language:python"},
    "type":"exact-direct-match"}],
"vendorMetadata":{},
"version":"3.1"}],
"dataSource":"https://nvd.nist.gov/vuln/detail/CVE-2024-39689",
"id":"CVE-2024-39689",
...

As you can see, the versionConstraint is incorrect.

What you expected to happen:
grype should not report the patched version as vulnerable.

How to reproduce it (as minimally and precisely as possible):
Scan any python image containing certifi version 2024.7.4.

Anything else we need to know?:
The lack of leading zeroes in any of these dated versions is standard practice in Python, per canonical PEP 440, so 2024.7.4 is the correct format, and indeed what the certifi devs are using: Release History
Ref: Version specifiers

We had this same issue occur before: issue 1417
It was supposed to be fixed in #1510.

Environment:

    github.com/anchore/grype v0.55.0
    github.com/anchore/syft v0.65.0
    Supported DB Schema:  5
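The PEP 440 point above, as an added example that is neither grype's nor certifi's code: a small comparator that treats each dotted release segment as an integer, so 2024.7.4 and 2024.07.04 are the same version, and evaluates the versionConstraint string from the JSON above against an installed version. The function names and the constraint-parsing rules are my own assumptions; the as_strings switch exists only to show what a lexicographic comparison gets wrong, and only plain release versions (no pre-, post- or dev-releases) are handled.

```python
"""Compare PEP 440 release versions segment-by-segment as integers and evaluate a
grype-style constraint such as ">=2021.05.30,<2024.07.04 (python)".
Added example, not grype's code. Plain release segments only (no pre/post/dev)."""
import operator
import re
from typing import List, Tuple

# Each comparator is applied to the sign of compare_release() against 0.
_OPS = {">=": operator.ge, "<=": operator.le, "!=": operator.ne,
        "==": operator.eq, ">": operator.gt, "<": operator.lt}
_CLAUSE = re.compile(r"^(>=|<=|!=|==|>|<)\s*([0-9][0-9.]*)$")


def release_tuple(version: str) -> Tuple[int, ...]:
    """Split a release version into integer segments; leading zeros carry no meaning."""
    if not re.fullmatch(r"\d+(\.\d+)*", version.strip()):
        raise ValueError(f"not a plain PEP 440 release version: {version!r}")
    return tuple(int(part) for part in version.strip().split("."))


def compare_release(a: str, b: str) -> int:
    """Return -1, 0 or 1; the shorter tuple is zero-padded so 1.0 == 1.0.0."""
    ta, tb = release_tuple(a), release_tuple(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def parse_constraint(constraint: str) -> List[Tuple[str, str]]:
    """Turn ">=2021.05.30,<2024.07.04 (python)" into [(">=", "2021.05.30"), ("<", ...)]."""
    body = re.sub(r"\s*\([a-z-]+\)\s*$", "", constraint.strip())  # drop the ecosystem tag
    clauses = []
    for raw in body.split(","):
        match = _CLAUSE.match(raw.strip())
        if not match:
            raise ValueError(f"unparseable constraint clause: {raw!r}")
        clauses.append((match.group(1), match.group(2)))
    return clauses


def is_vulnerable(installed: str, constraint: str, as_strings: bool = False) -> bool:
    """True when every clause of the constraint holds for the installed version.
    as_strings=True compares the raw strings lexicographically (the wrong way)."""
    for op, bound in parse_constraint(constraint):
        if as_strings:
            holds = _OPS[op](installed, bound)
        else:
            holds = _OPS[op](compare_release(installed, bound), 0)
        if not holds:
            return False
    return True
```

With string comparison, 2024.6.2 is reported as not vulnerable because "6" sorts after "0" in "07", a false negative; the integer comparison places it below 2024.7.4 as PEP 440 requires.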
pcreager23 added the bug label Jul 26, 2024

willmurphyscode (Contributor) commented:

Hi @pcreager23, I think this no longer happens on the current version of grype which is 0.79.3. Here's how I tried:

Make a dockerfile like this:

FROM python:3.12.4-slim-bullseye

RUN pip install certifi==2024.7.4

Run:

docker build -t grype2014 .

Then scan with grype to prove we don't have the vulnerability:

grype -q grype2014 | grep -e NAME -e certifi
NAME                INSTALLED                FIXED-IN     TYPE  VULNERABILITY     SEVERITY

Scan with syft just to make sure we're really finding the package:

syft -q grype2014 | grep -e NAME -e certifi
NAME                    VERSION                       TYPE
ca-certificates         20210119                      deb
certifi                 2024.7.4                      python

If you still experience this issue with the latest version of grype, please let us know. Thanks!

willmurphyscode closed this as not planned Jul 31, 2024

pcreager23 (Author) commented:

> Hi @pcreager23, I think this no longer happens on the current version of grype which is 0.79.3. Here's how I tried:

Thanks, I will encourage our scanning team to upgrade.
