False Positive: CVE-2022-3734 is not affected in SUSE eco-system, only Windows #1705
Comments
Hi @sekveaja, thanks for the report. We looked into this and since the configuration section of the NVD record doesn't indicate that this is only on Windows, Grype will report the match in any case. Sometimes we are able to submit corrections to the NVD to fix this record, so we will do that and let you know how it goes. Thanks again!
Hi @tgerla, you are welcome. NVD Configuration does not mention "Windows only", but NVD Description does.
What happened:
Run grype on a container that contains the redis-server binary.
It is reported as a critical issue with CVE-2022-3734.
What you expected to happen:
According to NVD advisory, this issue is related to Windows environment.
In our case, we are using SUSE Enterprise 15 SP5 (SLES 15.5), and according to the SUSE Advisory there is no issue reported for CVE-2022-3734.
Therefore, it is a false positive.
How to reproduce it (as minimally and precisely as possible):
$ syft redis-server
✔ Indexed file system <some_path>
✔ Cataloged packages [1 packages]
NAME VERSION TYPE
redis 6.2.13 binary
Verify the file vulnerability with Grype
$ grype ./redis-server
✔ Vulnerability DB [updated]
✔ Indexed file system
✔ Cataloged packages [1 packages]
✔ Scanned for vulnerabilities [0 vulnerability matches]
├── by severity: 2 critical, 0 high, 0 medium, 2 low, 0 negligible
└── by status: 0 fixed, 4 not-fixed, 0 ignored
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
redis 6.2.13 binary CVE-2022-3734 Critical
redis 6.2.13 binary CVE-2022-0543 Critical
redis 6.2.13 binary CVE-2023-45145 Low
redis 6.2.13 binary CVE-2022-3647 Low
with --distro
$ grype --distro sles:15.5 ./redis-server
✔ Vulnerability DB [no update available]
✔ Indexed file system
✔ Cataloged packages [1 packages]
✔ Scanned for vulnerabilities [0 vulnerability matches]
├── by severity: 1 critical, 0 high, 0 medium, 2 low, 0 negligible
└── by status: 0 fixed, 3 not-fixed, 0 ignored
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
redis 6.2.13 binary CVE-2022-3734 Critical
redis 6.2.13 binary CVE-2023-45145 Low
redis 6.2.13 binary CVE-2022-3647 Low
Anything else we need to know?:
Environment:
grype version: 0.74.3
OS (cat /etc/os-release or similar): SUSE 15 SP5
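The maintainer's comment above explains the mismatch at the root of this report: the match is driven by the NVD record's configuration (CPE applicability statements), while the "Windows only" scope lives only in the free-text description. The following check, an added example that is not part of grype or of this issue, reads an NVD API 2.0-style record and flags exactly that situation. The record is constructed sample data shaped like the real entry, not the actual NVD data for CVE-2022-3734.

```python
import json
import re

# Constructed NVD API 2.0-style record (sample data, not the real NVD entry):
# the description names Windows, but the vulnerable CPE has target_sw = '*'.
SAMPLE_RECORD = json.loads("""
{"cve": {
  "id": "CVE-2022-3734",
  "descriptions": [{"lang": "en",
    "value": "A vulnerability was found in Redis ... on Windows ..."}],
  "configurations": [{"nodes": [{"operator": "OR", "negate": false,
    "cpeMatch": [{"vulnerable": true,
      "criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*"}]}]}]
}}
""")


def cpe_target_sw(criteria: str) -> str:
    """Return the target_sw field (index 10) of a CPE 2.3 formatted string."""
    parts = criteria.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {criteria}")
    return parts[10]


def vulnerable_cpes(record: dict) -> list[str]:
    """Collect every CPE marked vulnerable across all configuration nodes."""
    return [m["criteria"]
            for cfg in record["cve"].get("configurations", [])
            for node in cfg.get("nodes", [])
            for m in node.get("cpeMatch", [])
            if m.get("vulnerable")]


def platform_restricted(record: dict, target_sw: str = "windows") -> bool:
    """True only if every vulnerable CPE names target_sw; '*' there means
    'any platform', so a CPE-driven matcher flags the package on every OS."""
    cpes = vulnerable_cpes(record)
    return bool(cpes) and all(cpe_target_sw(c) == target_sw for c in cpes)


def description_mentions(record: dict, word: str) -> bool:
    """Case-insensitive whole-word search over the English description(s)."""
    pat = re.compile(rf"\b{re.escape(word)}\b", re.IGNORECASE)
    return any(pat.search(d["value"]) for d in record["cve"]["descriptions"]
               if d.get("lang") == "en")


def needs_review(record: dict, platform: str = "windows") -> bool:
    """Prose scopes the bug to a platform but the CPEs do not: a scanner
    matching on CPE will report it on other platforms too (false positive)."""
    return (description_mentions(record, platform)
            and not platform_restricted(record, platform))
```

A record flagged this way is a candidate for a grype `ignore` rule in `.grype.yaml` keyed on the vulnerability id and package, which is what feeds the `ignored` count in the scan summary above, until the NVD configuration is corrected.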