What happened:
Scan on image that has python311-cryptography-41.0.3-150400.16.19.1.x86_64 installed.
It generates the following vulnerabilities:
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
cryptography 41.0.3 42.0.4 python GHSA-6vqw-3v5j-54x4 High --> CVE-2024-26130
cryptography 41.0.3 42.0.0 python GHSA-3ww4-gg4f-jr7f High
cryptography 41.0.3 41.0.6 python GHSA-jfhm-5ghh-2f97 Medium
cryptography 41.0.3 43.0.1 python GHSA-h4gh-qq45-vh27 Medium
cryptography 41.0.3 42.0.2 python GHSA-9v9h-cgj8-h64p Medium
cryptography 41.0.3 41.0.4 python GHSA-v8gr-m533-ghj9 Low
What you expected to happen:
According to SUSE Vulnerability Adviser, the vulnerability has been backported with this version:
SUSE Linux Enterprise Server 15 SP5
python311-cryptography >= 41.0.3-150400.16.15.1
SUSE Linux Enterprise Server 15 SP6
python311-cryptography >= 41.0.3-150600.23.3.1
In the above example, the image has python311-cryptography-41.0.3-150400.16.19.1.x86_64 installed, which meets the SLES 15.5 requirement.
The problem may come from Syft output, as it generates a double entry; see below, marked as noise.
Since Syft output is the input for Grype, it may determine that version 41.0.3 is not patched to the right level and hence issue a vulnerability.
cryptography 41.0.3 python <-- Noise
python311-cryptography 41.0.3-150400.16.19.1 rpm
Can you filter input in Grype, not to have double entry?
Please provide input if you see otherwise.
NOTE: It is observed that Python packages often get 2 outputs from Syft, with type python and type rpm.
How to reproduce it (as minimally and precisely as possible):
=============== SLES 15.5 ======================
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python311-cryptography=41.0.3-150400.16.19.1
ENTRYPOINT [""]
CMD ["bash"]
$ docker build -t "suse15.5_python311-cryptography:v1" .
$ grype --distro sles:15.5 suse15.5_python311-cryptography:v1
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
cryptography 41.0.3 42.0.4 python GHSA-6vqw-3v5j-54x4 High (Issue reproduced)
cryptography 41.0.3 42.0.0 python GHSA-3ww4-gg4f-jr7f High
cryptography 41.0.3 41.0.6 python GHSA-jfhm-5ghh-2f97 Medium
cryptography 41.0.3 43.0.1 python GHSA-h4gh-qq45-vh27 Medium
cryptography 41.0.3 42.0.2 python GHSA-9v9h-cgj8-h64p Medium
cryptography 41.0.3 41.0.4 python GHSA-v8gr-m533-ghj9 Low
$ syft suse15.5_python311-cryptography:v1 | grep cryptography
cryptography 41.0.3 python (Noise reproduced)
python311-cryptography 41.0.3-150400.16.19.1 rpm
=============== SLES 15.6 ======================
FROM registry.suse.com/suse/sle15:15.6
RUN zypper in -y --no-recommends python311-cryptography=41.0.3-150600.23.3.1
ENTRYPOINT [""]
CMD ["bash"]
$ docker build -t "suse15.6_python311-cryptography:v1" .
$ grype --distro sles:15.6 suse15.6_python311-cryptography:v1
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
cryptography 41.0.3 42.0.4 python GHSA-6vqw-3v5j-54x4 High (Issue reproduced)
cryptography 41.0.3 42.0.0 python GHSA-3ww4-gg4f-jr7f High
cryptography 41.0.3 41.0.6 python GHSA-jfhm-5ghh-2f97 Medium
cryptography 41.0.3 43.0.1 python GHSA-h4gh-qq45-vh27 Medium
cryptography 41.0.3 42.0.2 python GHSA-9v9h-cgj8-h64p Medium
cryptography 41.0.3 41.0.4 python GHSA-v8gr-m533-ghj9 Low
$ syft suse15.6_python311-cryptography:v1 | grep cryptography
cryptography 41.0.3 python (Noise reproduced)
python311-cryptography 41.0.3-150600.23.3.1 rpm
Environment:
Output of grype version: 0.83.0
OS (e.g. cat /etc/os-release or similar): SLES 15.5 or SLES 15.6; the problem is the same.
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
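The double entry described in this report can be confirmed from Syft's JSON output rather than from the table view: Syft records an ownership-by-file-overlap relationship between an rpm and the python package whose files it installed. The script below is an added example, not code from the Syft or Grype projects. It walks a constructed SBOM shaped like Syft's JSON (the artifacts, relationships, ids and paths are made up for the example), lists python packages that are owned by an rpm, and renders a Grype ignore rule for each one so the duplicate python-typed match can be suppressed while the rpm entry stays visible to distro advisory matching. The name-prefix fallback (rpm named python3*-NAME for a python package NAME) is a heuristic assumed for SUSE-style packaging, not a Syft rule.

```python
"""Spot python packages that are really rpm-owned in a Syft JSON SBOM and
emit matching Grype ignore rules (added example, not project code)."""
import json

# Relationship type Syft emits when one package's files are owned by another.
OWNERSHIP = "ownership-by-file-overlap"

# Constructed sample modelled on Syft's JSON layout; ids, paths and the
# "requests" package are made up so the fallback path is exercised too.
SAMPLE_SBOM = json.dumps({
    "artifacts": [
        {"id": "rpm-1", "name": "python311-cryptography",
         "version": "41.0.3-150400.16.19.1", "type": "rpm",
         "locations": [{"path": "/var/lib/rpm/Packages.db"}]},
        {"id": "py-1", "name": "cryptography", "version": "41.0.3",
         "type": "python",
         "locations": [{"path": "/usr/lib64/python3.11/site-packages/"
                                "cryptography-41.0.3-py3.11.egg-info/PKG-INFO"}]},
        {"id": "rpm-2", "name": "python311-requests",
         "version": "2.31.0-150400.1.1", "type": "rpm", "locations": []},
        {"id": "py-2", "name": "requests", "version": "2.31.0",
         "type": "python", "locations": []},
        {"id": "py-3", "name": "pip-installed-thing", "version": "1.0",
         "type": "python", "locations": []},
    ],
    # Only the cryptography pair carries an explicit ownership relationship.
    "artifactRelationships": [
        {"parent": "rpm-1", "child": "py-1", "type": OWNERSHIP},
    ],
})


def rpm_backed_python_packages(sbom, use_name_fallback=True):
    """Return (python_artifact, rpm_artifact) pairs.

    A pair is reported when Syft recorded that the rpm owns the python
    package's files, or (fallback, assumed heuristic) when an rpm named
    python3*-<name> exists and its version string starts with the python
    package's version.
    """
    artifacts = sbom.get("artifacts", [])
    by_id = {a["id"]: a for a in artifacts}
    rpms = [a for a in artifacts if a.get("type") == "rpm"]
    pairs, seen = [], set()

    for rel in sbom.get("artifactRelationships", []):
        if rel.get("type") != OWNERSHIP:
            continue
        parent, child = by_id.get(rel.get("parent")), by_id.get(rel.get("child"))
        if parent and child and parent["type"] == "rpm" and child["type"] == "python":
            pairs.append((child, parent))
            seen.add(child["id"])

    if use_name_fallback:
        for py in artifacts:
            if py.get("type") != "python" or py["id"] in seen:
                continue
            for rpm in rpms:
                name = rpm["name"]
                if (name.startswith("python3") and name.endswith("-" + py["name"])
                        and rpm["version"].startswith(py["version"])):
                    pairs.append((py, rpm))
                    seen.add(py["id"])
                    break
    return pairs


def grype_ignore_rules(pairs):
    """Build entries for the 'ignore' list of a .grype.yaml file."""
    return [{"package": {"name": py["name"], "version": py["version"],
                         "type": "python"}} for py, _ in pairs]


def render_ignore_yaml(pairs):
    """Render the ignore rules as YAML text with a comment naming the owning rpm."""
    lines = ["ignore:"]
    for py, rpm in pairs:
        lines.append(f"  # python entry duplicated by rpm {rpm['name']}-{rpm['version']}")
        lines.append("  - package:")
        lines.append(f"      name: {py['name']}")
        lines.append(f"      version: {py['version']}")
        lines.append("      type: python")
    return "\n".join(lines) + "\n"


def analyze(sbom_text, use_name_fallback=True):
    """Parse Syft JSON text and return the rpm-backed python package names."""
    pairs = rpm_backed_python_packages(json.loads(sbom_text), use_name_fallback)
    return [py["name"] for py, _ in pairs]


if __name__ == "__main__":
    found = rpm_backed_python_packages(json.loads(SAMPLE_SBOM))
    print(render_ignore_yaml(found))
```

Run it against a real SBOM with syft IMAGE -o json > sbom.json and feed the file contents to analyze(). The ignore rule only hides the python-typed match; the rpm entry is still matched against the distro's advisory data, which is what carries the SUSE backport information quoted in the report, so check that the rpm-side result is the one you expect before adopting the rule.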