False Positive: CVE-2022-3734 is not affected in SUSE eco-system, only Windows #1705

Open · sekveaja opened this issue Feb 7, 2024 · 2 comments
Labels: bug (Something isn't working), false-positive

@sekveaja
sekveaja commented Feb 7, 2024

What happened:

Run grype on a container that contains the redis-server binary.
It is reported as a critical issue with CVE-2022-3734.

What you expected to happen:

According to the NVD advisory, this issue is related to the Windows environment.
In our case, we are using SUSE Enterprise 15 SP5 (SLES 15.5) and according to the SUSE advisory there is no issue reported for CVE-2022-3734.
Therefore, it is a false positive.

How to reproduce it (as minimally and precisely as possible):

```
$ syft redis-server
 ✔ Indexed file system <some_path>
 ✔ Cataloged packages [1 packages]
NAME   VERSION  TYPE
redis  6.2.13   binary
```

Verify the file vulnerability with Grype:

```
$ grype ./redis-server
 ✔ Vulnerability DB [updated]
 ✔ Indexed file system
 ✔ Cataloged packages [1 packages]
 ✔ Scanned for vulnerabilities [0 vulnerability matches]
   ├── by severity: 2 critical, 0 high, 0 medium, 2 low, 0 negligible
   └── by status: 0 fixed, 4 not-fixed, 0 ignored
NAME   INSTALLED  FIXED-IN  TYPE    VULNERABILITY   SEVERITY
redis  6.2.13               binary  CVE-2022-3734   Critical
redis  6.2.13               binary  CVE-2022-0543   Critical
redis  6.2.13               binary  CVE-2023-45145  Low
redis  6.2.13               binary  CVE-2022-3647   Low
```

With `--distro`:

```
$ grype --distro sles:15.5 ./redis-server
 ✔ Vulnerability DB [no update available]
 ✔ Indexed file system
 ✔ Cataloged packages [1 packages]
 ✔ Scanned for vulnerabilities [0 vulnerability matches]
   ├── by severity: 1 critical, 0 high, 0 medium, 2 low, 0 negligible
   └── by status: 0 fixed, 3 not-fixed, 0 ignored
NAME   INSTALLED  FIXED-IN  TYPE    VULNERABILITY   SEVERITY
redis  6.2.13               binary  CVE-2022-3734   Critical
redis  6.2.13               binary  CVE-2023-45145  Low
redis  6.2.13               binary  CVE-2022-3647   Low
```

Anything else we need to know?:

Environment:

- Output of `grype version`: 0.74.3
- OS (e.g. `cat /etc/os-release` or similar): SUSE 15 SP5
@sekveaja sekveaja added the bug Something isn't working label Feb 7, 2024
@tgerla (Contributor)

tgerla commented Feb 15, 2024

Hi @sekveaja, thanks for the report. We looked into this and since the configuration section of the NVD record doesn't indicate that this is only on Windows, Grype will report the match in any case. Sometimes we are able to submit corrections to the NVD to fix this record, so we will do that and let you know how it goes. Thanks again!

@tgerla tgerla self-assigned this Feb 15, 2024
@sekveaja (Author)

Hi @tgerla, you are welcome.
I verified the Red Hat vulnerability advisory; no issue is reported with CVE-2022-3734 for this OS distribution.
Combined with SUSE, there are now 2 major OS distributors with no issue linked to CVE-2022-3734.

The NVD Configuration does not mention "Windows only", but the NVD Description does.
I hope you can convince NVD to have a look and change their configuration information.
Thank you.
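A small check of the point made in the two comments above: whether the CPE entries in an NVD record's Configuration actually pin `target_sw`, or leave it as the wildcard that makes a CPE-based matcher such as Grype fire on every platform. This is an added example, not code from the Grype project; the JSON is a constructed stand-in shaped like an NVD API 2.0 response, not the real CVE-2022-3734 record.

```python
import json
import re

# Constructed sample in the shape of an NVD API 2.0 response; it is NOT the real
# CVE-2022-3734 record. One CPE entry has a wildcard target_sw, one names windows.
SAMPLE_NVD_RESPONSE = json.dumps({"vulnerabilities": [{"cve": {
    "id": "CVE-0000-0000",  # placeholder id
    "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
        {"vulnerable": True, "versionEndExcluding": "6.2.14",
         "criteria": "cpe:2.3:a:example:server:*:*:*:*:*:*:*:*"},
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:example:server:*:*:*:*:*:windows:*:*"},
    ]}]}],
}}]})

# Attribute order of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
CPE23_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other"]

def parse_cpe23(criteria: str) -> dict:
    """Split a CPE 2.3 string into named attributes; '\\:' escapes a literal colon."""
    parts = re.split(r"(?<!\\):", criteria)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {criteria}")
    return dict(zip(CPE23_FIELDS, parts[2:]))

def vulnerable_target_sw(nvd_json: str) -> list:
    """Return (criteria, target_sw) for every cpeMatch flagged vulnerable."""
    found = []
    for vuln in json.loads(nvd_json)["vulnerabilities"]:
        for cfg in vuln["cve"].get("configurations", []):
            for node in cfg["nodes"]:
                for m in node["cpeMatch"]:
                    if m.get("vulnerable"):
                        found.append((m["criteria"], parse_cpe23(m["criteria"])["target_sw"]))
    return found

def platform_restricted(nvd_json: str) -> bool:
    """True only if every vulnerable CPE pins target_sw. A single '*' (ANY) entry
    is enough for a CPE-based matcher such as Grype to fire on every platform."""
    entries = vulnerable_target_sw(nvd_json)
    return bool(entries) and all(sw != "*" for _, sw in entries)

if __name__ == "__main__":
    for crit, sw in vulnerable_target_sw(SAMPLE_NVD_RESPONSE):
        print(f"{crit}  target_sw={sw}")
    print("platform restricted:", platform_restricted(SAMPLE_NVD_RESPONSE))
```

To check a real record, pass the JSON body returned by the NVD API 2.0 `cves` endpoint for the CVE in place of the constructed sample.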
