What happened:
Scanning an image that has ruby2.5-stdlib-2.5.9-150000.4.29.1.x86_64 installed generates a High-severity vulnerability:
{
  "vulnerability": {
    "id": "GHSA-gwfg-cqmg-cf8f",
    "dataSource": "GHSA-gwfg-cqmg-cf8f",
    "namespace": "github:language:ruby",
    "severity": "High",
    "urls": [
      "https://github.com/advisories/GHSA-gwfg-cqmg-cf8f"
    ],
    "description": "WEBRick vulnerable to HTTP Request/Response Smuggling",
    "cvss": [
      :
      :
  "relatedVulnerabilities": [
    {
      "id": "CVE-2020-25613",
      "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-25613",
      "namespace": "nvd:cpe",
      "severity": "High",
      "urls": [
        "https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7",
        "https://hackerone.com/reports/965267",
        "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html",
        :
        :
  "artifact": {
    "id": "a88dab384401d5db",
    "name": "webrick",
    "version": "1.4.2.1",
    "type": "gem",
    "locations": [
      {
        "path": "/usr/lib64/ruby/gems/2.5.0/specifications/default/webrick-1.4.2.1.gemspec",
        "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
      }
What you expected to happen:
Looking into the SUSE advisory for CVE-2020-25613:
SUSE Linux Enterprise Server 15 SP5
libruby2_5-2_5 >= 2.5.8-4.14.1
ruby2.5 >= 2.5.8-4.14.1
ruby2.5-devel >= 2.5.8-4.14.1
ruby2.5-devel-extra >= 2.5.8-4.14.1
ruby2.5-stdlib >= 2.5.8-4.14.1
Patchnames:
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA libruby2_5-2_5-2.5.9-150000.4.26.1
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA ruby2.5-2.5.9-150000.4.26.1
The installed versions in the container are:
$ rpm -qa | grep ruby2
libruby2_5-2_5-2.5.9-150000.4.29.1.x86_64
ruby2.5-stdlib-2.5.9-150000.4.29.1.x86_64
ruby2.5-rubygem-gem2rpm-0.10.1-3.45.x86_64
ruby2.5-2.5.9-150000.4.29.1.x86_64
ruby2.5-rubygem-bundler-1.16.1-3.3.1.x86_64
Conclusion: the installed version exceeds the minimum patch requirement from SLES 15.5, but Grype still generates a vulnerability.
Therefore, it is a false positive when looking at the SUSE ecosystem.
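An added triage check, not code from the issue or from Grype, that compares the RPM labels quoted above against the SUSE advisory minimum using rpm's version-comparison rules, beside the plain dotted-version compare that the gem matcher effectively performs on the bundled webrick gemspec. The package names and versions are the ones reported in this issue; the tilde handling is an assumption drawn from rpm's documented algorithm, and epoch is ignored because no label on this page has one.

```python
import re

# Constructed from the values quoted in this issue: the SUSE advisory
# minimum for SLES 15 SP5 and what `rpm -qa` showed inside the container.
ADVISORY_MIN = {"ruby2.5-stdlib": "2.5.8-4.14.1", "libruby2_5-2_5": "2.5.8-4.14.1"}
INSTALLED = {"ruby2.5-stdlib": "2.5.9-150000.4.29.1", "libruby2_5-2_5": "2.5.9-150000.4.29.1"}

_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version (or release) strings the way rpm does: numeric
    segments as integers, alpha lexically, numeric beats alpha, '~' is oldest."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~" or y == "~":                  # pre-release marker sorts first
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() or y.isdigit():            # numeric segment beats alpha
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    if len(sa) == len(sb):
        return 0
    longer_is_a = len(sa) > len(sb)
    rest = sa[len(sb):] if longer_is_a else sb[len(sa):]
    if rest[0] == "~":                            # trailing "~rc1" makes it older
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1               # otherwise leftover segments win

def label_cmp(a: str, b: str) -> int:
    """Compare 'version-release' labels: version first, then release (no epoch)."""
    va, _, ra = a.rpartition("-") if "-" in a else (a, "", "")
    vb, _, rb = b.rpartition("-") if "-" in b else (b, "", "")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def meets_advisory(pkg: str) -> bool:
    """True when the installed RPM is at or above the SUSE advisory minimum."""
    return label_cmp(INSTALLED[pkg], ADVISORY_MIN[pkg]) >= 0

def gem_fixed(installed: str, fixed_in: str) -> bool:
    """What the gem matcher sees: the bundled gemspec version against fixed-in."""
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    return as_tuple(installed) >= as_tuple(fixed_in)
```

Calling meets_advisory("ruby2.5-stdlib") returns True while gem_fixed("1.4.2.1", "1.6.1") returns False, which is exactly the disagreement between the distro view and the gem view that the report describes.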
How to reproduce it (as minimally and precisely as possible):
1) Create the Dockerfile with this content:
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-rsa=3.4.2-150000.3.7.1
ENTRYPOINT [""]
CMD ["bash"]
2) Build an image from the Dockerfile:
docker build -t "suse15.5_test:v1" .
3) Test with Grype:
$ grype suse15.5_test:v1
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
webrick 1.4.2.1 1.6.1 gem GHSA-gwfg-cqmg-cf8f High
$ grype --distro sles:15.5 suse15.5_test:v1
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
webrick 1.4.2.1 1.6.1 gem GHSA-gwfg-cqmg-cf8f High
Anything else we need to know?:
Environment:
$ grype --version
grype 0.76.0
Inside the container image:
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"