
False Positive: GHSA-jfmj-5v4g-7637 (CVE-2024-5569) python3-zipp due to Syft noise and mismatch of package name #2061

Open
sekveaja opened this issue Aug 15, 2024 · 1 comment
Labels
bug Something isn't working false-positive

Comments


sekveaja commented Aug 15, 2024

What happened:

Scanning an image that has python3-zipp-0.6.0-150100.3.5.1.noarch installed
generates this vulnerability:

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
zipp 0.6.0 3.19.1 python GHSA-jfmj-5v4g-7637 Medium

What you expected to happen:

There are 2 possible causes of the erroneous detection:

  1. Noise from Syft
    The installed package in the container is: python3-zipp-0.6.0-150100.3.5.1.noarch
    When running Syft, we can see there are 2 outputs related to *zipp, e.g.

python3-zipp 0.6.0-150100.3.5.1 rpm
zipp 0.6.0 python

The extra zipp 0.6.0 output by Syft may contribute to triggering the vulnerability detection,
and it is not the package installed in the container.

  2. Mismatched package

According to the SUSE advisory:
https://www.suse.com/security/cve/CVE-2024-5569.html

The package python311-zipp has CVE-2024-5569 fixed from version 3.15.0-150400.10.10.1.

And python3-zipp is not affected by CVE-2024-5569.

They are 2 different packages:
  - python311-zipp 3.xx.yy-nnn (this package is not used in the container)
  - python3-zipp 0.6.0-xx.yy.zz-nnn (this is the one installed in the container)

Probably Grype sees that version 0.6.0 is lower than 3.xx.yy, and then issues the vulnerability detection.

You can reproduce it step by step with the instructions below.

How to reproduce it (as minimally and precisely as possible):

  1. Create a Dockerfile with this content:

FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-zipp=0.6.0-150100.3.5.1
ENTRYPOINT [""]
CMD ["bash"]

  2. Build an image from the Dockerfile

$ docker build -t "suse15.5_python3-zipp:v1" .

  3. Verify the package in the container

$ docker run -it suse15.5_python3-zipp:v1 bash

rpm -qa | grep zipp

python3-zipp-0.6.0-150100.3.5.1.noarch

  4. Run Syft

$ syft suse15.5_python3-zipp:v1 | grep zipp

python3-zipp 0.6.0-150100.3.5.1 rpm
zipp 0.6.0 python

  5. Test with Grype

$ grype --distro sles:15.5 suse15.5_python3-zipp:v1 | grep zipp

zipp 0.6.0 3.19.1 python GHSA-jfmj-5v4g-7637 Medium

Environment:

$ grype --version
grype 0.79.4

In the container image ecosystem:

bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"

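The report above shows the pattern behind the false positive: Syft emits both the RPM (python3-zipp 0.6.0-150100.3.5.1) and the Python distribution that RPM installs (zipp 0.6.0), and the second entry is then matched against PyPI-ecosystem advisories even though the distro advisory feed is the authoritative source for the RPM. The following triage helper is an added example, not code from the issue or from the Syft/Grype projects. It parses Syft's default table output (the sample rows are constructed, modelled on the two lines in the report), pairs each Python artefact with the `python*-<name>` RPM that owns it by PEP 503-normalised name and upstream version, and renders the matching Grype ignore rules (package `name`/`version`/`type` keys as documented for `.grype.yaml`). The RPM naming prefix regex and the `rpm_upstream_version` split are assumptions that hold for SUSE's `VERSION-RELEASE` convention and may need adjusting for other distributions.

```python
import re
from dataclasses import dataclass

# Constructed sample of Syft's table output (NAME VERSION TYPE per line), modelled on
# the two zipp lines in the report plus extra rows for contrast.
SAMPLE_SYFT_OUTPUT = """\
NAME              VERSION              TYPE
python3-zipp      0.6.0-150100.3.5.1   rpm
zipp              0.6.0                python
python3-requests  2.25.1-150400.3.3.1  rpm
requests          2.25.1               python
pip               23.0                 python
"""

# Assumption: SUSE-style Python binding RPM names (python-, python3-, python311-, ...).
# Other conventions (e.g. Alpine's py3-<name>) are not covered by this pattern.
PY_RPM_PREFIX = re.compile(r"^python(?:\d+)?-(?P<name>.+)$")


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    type: str


def parse_syft_table(text):
    """Parse Syft's default table output into Package records, skipping the header row."""
    packages = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "NAME":
            continue
        packages.append(Package(parts[0], parts[1], parts[2]))
    return packages


def normalize(name):
    """PEP 503 name normalisation: case-insensitive, runs of '-', '_' and '.' become one dash."""
    return re.sub(r"[-_.]+", "-", name).lower()


def rpm_upstream_version(rpm_version):
    """Strip the distro release from an RPM VERSION-RELEASE string: 0.6.0-150100.3.5.1 -> 0.6.0.
    Assumption: the upstream version itself contains no dash (true for RPM, which forbids it)."""
    return rpm_version.split("-", 1)[0]


def shadowed_python_packages(packages):
    """Return (python_pkg, owning_rpm) pairs.

    A python artefact whose normalised name and version equal the upstream name/version of a
    python*-<name> RPM was installed by that RPM, so the RPM and the distro advisory feed
    (which knows about backports) are the authoritative record for it, not PyPI-ecosystem data."""
    owners = {}
    for pkg in packages:
        if pkg.type != "rpm":
            continue
        match = PY_RPM_PREFIX.match(pkg.name)
        if match:
            key = (normalize(match.group("name")), rpm_upstream_version(pkg.version))
            owners[key] = pkg
    pairs = []
    for pkg in packages:
        if pkg.type == "python":
            owner = owners.get((normalize(pkg.name), pkg.version))
            if owner is not None:
                pairs.append((pkg, owner))
    return pairs


def grype_ignore_rules(pairs):
    """Render .grype.yaml 'ignore' entries for the shadowed python artefacts so that only the
    RPM-level match is reported. Uses grype's documented ignore keys (package name/version/type);
    the rules are deliberately pinned to the exact version so a later upgrade is re-evaluated."""
    lines = ["ignore:"]
    for py_pkg, rpm in pairs:
        lines.append(f"  # {py_pkg.name} {py_pkg.version} is installed by {rpm.name}-{rpm.version}")
        lines.append("  - package:")
        lines.append(f"      name: {py_pkg.name}")
        lines.append(f"      version: {py_pkg.version}")
        lines.append("      type: python")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = shadowed_python_packages(parse_syft_table(SAMPLE_SYFT_OUTPUT))
    for py_pkg, rpm in found:
        print(f"{py_pkg.name} {py_pkg.version} (python) is owned by {rpm.name} {rpm.version} (rpm)")
    print(grype_ignore_rules(found))
```

Piping a real scan through it (`syft <image> | python3 triage.py` with `sys.stdin.read()` in place of the sample) gives the list of Python artefacts that are really distro packages in disguise; the emitted ignore rules suppress only those exact name/version pairs, so the RPM itself is still matched against the SLES advisory feed and a genuinely unpatched distro package is not hidden.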
@sekveaja sekveaja added the bug Something isn't working label Aug 15, 2024
@willmurphyscode (Contributor) commented:

Hi @sekveaja - thanks for the detailed report! This and several other SLES false positives will be fixed by anchore/vunnel#626

Project status: Backlog