You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
SUSE Linux Enterprise Server 15 SP5
python3-wheel >= 0.32.3-150100.6.5.1
Patchnames:
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python-wheel-0.32.3-150100.6.5.1
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python3-wheel-0.32.3-150100.6.5.1
Installed version in the container: python3-wheel-0.32.3-150100.6.5.1.noarch
Conclusion: Installed version meet the minimal requirement patch from SLES 15.5 but Grype generate a vulnerability.
How to reproduce it (as minimally and precisely as possible):
Create the Dockerfile with this content:
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-wheel=0.32.3-150100.6.5.1.noarch
ENTRYPOINT [""]
CMD ["bash"]
What happened:
Scan on image that has python3-wheel-0.32.3-150100.6.5.1.noarch installed.
It generates high vulnerability:
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
wheel 0.32.3 0.38.1 python GHSA-qwmp-2cf2-g9g6 High
JSON format:
"vulnerability": {
"id": "GHSA-qwmp-2cf2-g9g6",
"dataSource": "GHSA-qwmp-2cf2-g9g6",
"namespace": "github:language:python",
"severity": "High",
"urls": [
"https://github.com/advisories/GHSA-qwmp-2cf2-g9g6"
],
"description": "pypa/wheel vulnerable to Regular Expression denial of service (ReDoS)",
:
"relatedVulnerabilities": [
{
"id": "CVE-2022-40898",
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-40898",
"namespace": "nvd:cpe",
"severity": "High",
"urls": [
"https://github.com/pypa/wheel/blob/main/src/wheel/wheelfile.py#L18",
:
:
"artifact": {
"id": "a4bbcf2fc6c27a8d",
"name": "wheel",
"version": "0.32.3",
"type": "python",
"locations": [
{
"path": "/usr/lib/python3.6/site-packages/wheel-0.32.3-py3.6.egg-info/PKG-INFO",
"layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
},
What you expected to happen:
According to SUSE Advisory CVE-2022-40898
Patch for this CVE is applied from version python3-wheel >= 0.32.3-150100.6.5.1
See with this link: https://www.suse.com/security/cve/CVE-2022-40898.html
SUSE Linux Enterprise Server 15 SP5
python3-wheel >= 0.32.3-150100.6.5.1
Patchnames:
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python-wheel-0.32.3-150100.6.5.1
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python3-wheel-0.32.3-150100.6.5.1
rpm -qf /usr/lib/python3.6/site-packages/wheel-0.32.3-py3.6.egg-info/PKG-INFO
python3-wheel-0.32.3-150100.6.5.1.noarch
Installed version in the container: python3-wheel-0.32.3-150100.6.5.1.noarch
Conclusion: Installed version meet the minimal requirement patch from SLES 15.5 but Grype generate a vulnerability.
How to reproduce it (as minimally and precisely as possible):
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-wheel=0.32.3-150100.6.5.1.noarch
ENTRYPOINT [""]
CMD ["bash"]
$ docker build -t "suse15.5_python3-wheel:v1" .
$ grype --distro sles:15.5 suse15.5_python3-wheel:v1
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
wheel 0.32.3 0.38.1 python GHSA-qwmp-2cf2-g9g6 High
Environment:
$ grype --version
grype 0.78.0
In container image eco-system:
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
The text was updated successfully, but these errors were encountered: