
False positive: GHSA-6vqw-3v5j-54x4_CVE-2024-26130 python311-cryptography with SLES 15.5 and SLES 15.6 due to noise from Syft #2342

Open
sekveaja opened this issue Dec 18, 2024 · 0 comments

What happened:

Scanning an image that has python311-cryptography-41.0.3-150400.16.19.1.x86_64 installed generates the following vulnerabilities:

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
cryptography 41.0.3 42.0.4 python GHSA-6vqw-3v5j-54x4 High --> CVE-2024-26130
cryptography 41.0.3 42.0.0 python GHSA-3ww4-gg4f-jr7f High
cryptography 41.0.3 41.0.6 python GHSA-jfhm-5ghh-2f97 Medium
cryptography 41.0.3 43.0.1 python GHSA-h4gh-qq45-vh27 Medium
cryptography 41.0.3 42.0.2 python GHSA-9v9h-cgj8-h64p Medium
cryptography 41.0.3 41.0.4 python GHSA-v8gr-m533-ghj9 Low

What you expected to happen:

According to SUSE Vulnerability Adviser, the vulnerability has been backported with this version:

SUSE Linux Enterprise Server 15 SP5

python311-cryptography >= 41.0.3-150400.16.15.1

SUSE Linux Enterprise Server 15 SP6

python311-cryptography >= 41.0.3-150600.23.3.1

In the example above, the image has python311-cryptography-41.0.3-150400.16.19.1.x86_64 installed, which meets the SLES 15.5 requirement.

The problem may come from the Syft output, as it generates a double entry (see the noise below).

Since the Syft output is the input for Grype, Grype may determine that version 41.0.3 is not patched to the right level and hence issue a vulnerability.

cryptography 41.0.3 python <-- Noise
python311-cryptography 41.0.3-150400.16.19.1 rpm

Can you filter the input in Grype so as not to have a double entry?
Please provide input if you see otherwise.

NOTE: It is observed that Python packages often get 2 outputs from Syft, one with type python and one with type rpm.

How to reproduce it (as minimally and precisely as possible):

=============== SLES 15.5 ======================
1. Create the Dockerfile with this content:

FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python311-cryptography=41.0.3-150400.16.19.1
ENTRYPOINT [""]
CMD ["bash"]

2. Build an image from the Dockerfile

$ docker build -t "suse15.5_python311-cryptography:v1" .

3. Test with Grype now

$ grype --distro sles:15.5 suse15.5_python311-cryptography:v1
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
cryptography 41.0.3 42.0.4 python GHSA-6vqw-3v5j-54x4 High (Issue reproduced)
cryptography 41.0.3 42.0.0 python GHSA-3ww4-gg4f-jr7f High
cryptography 41.0.3 41.0.6 python GHSA-jfhm-5ghh-2f97 Medium
cryptography 41.0.3 43.0.1 python GHSA-h4gh-qq45-vh27 Medium
cryptography 41.0.3 42.0.2 python GHSA-9v9h-cgj8-h64p Medium
cryptography 41.0.3 41.0.4 python GHSA-v8gr-m533-ghj9 Low

4. Test with Syft

$ syft suse15.5_python311-cryptography:v1 | grep cryptography
cryptography 41.0.3 python (Noise reproduced)
python311-cryptography 41.0.3-150400.16.19.1 rpm

=============== SLES 15.6 ======================
1. Create the Dockerfile with this content:

FROM registry.suse.com/suse/sle15:15.6
RUN zypper in -y --no-recommends python311-cryptography=41.0.3-150600.23.3.1
ENTRYPOINT [""]
CMD ["bash"]

2. Build an image from the Dockerfile

$ docker build -t "suse15.6_python311-cryptography:v1" .

3. Test with Grype now

$ grype --distro sles:15.6 suse15.6_python311-cryptography:v1

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
cryptography 41.0.3 42.0.4 python GHSA-6vqw-3v5j-54x4 High (Issue reproduced)
cryptography 41.0.3 42.0.0 python GHSA-3ww4-gg4f-jr7f High
cryptography 41.0.3 41.0.6 python GHSA-jfhm-5ghh-2f97 Medium
cryptography 41.0.3 43.0.1 python GHSA-h4gh-qq45-vh27 Medium
cryptography 41.0.3 42.0.2 python GHSA-9v9h-cgj8-h64p Medium
cryptography 41.0.3 41.0.4 python GHSA-v8gr-m533-ghj9 Low

4. Test with Syft

$ syft suse15.6_python311-cryptography:v1 | grep cryptography
cryptography 41.0.3 python (Noise reproduced)
python311-cryptography 41.0.3-150600.23.3.1 rpm

Environment:

  • Output of grype version: 0.83.0
  • OS (e.g: cat /etc/os-release or similar): SLES 15.5 or SLES 15.6; the problem is the same.

bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"

@sekveaja sekveaja added the bug Something isn't working label Dec 18, 2024