
False positive: GHSA-w3h3-4rj7-4ph4 (CVE-2024-1135) python311-gunicorn in SLES 15 SP6 Eco-system. #2428

Open
sekveaja opened this issue Feb 5, 2025 · 0 comments
Labels
bug Something isn't working

Comments


sekveaja commented Feb 5, 2025

What happened:

Scanning an image that has python311-gunicorn-20.1.0-150400.12.6.1.noarch installed generates a high vulnerability:

```
$ grype --distro <custom_image:version> | grep gunicorn

NAME      INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
gunicorn  20.1.0     2.0.0     python  GHSA-w3h3-4rj7-4ph4  High
```

What you expected to happen:

According to the SUSE advisory for CVE-2024-1135, the patch for this CVE is applied from version python311-gunicorn >= 20.1.0-150400.12.6.1.

See this link: https://www.suse.com/security/cve/CVE-2024-1135.html

SUSE Linux Enterprise Server 15 SP5 and SLES 15 SP6
python311-gunicorn >= 20.1.0-150400.12.6.1
Patchnames:
SUSE-SLE-Module-Python3-15-SP5-2024-1440
SUSE Linux Enterprise Module for Python 3 15 SP6 GA python311-gunicorn-20.1.0-150400.12.6.1

We are using the right version, which complies with the SUSE recommendation.
Therefore, this CVE is a FP, as Grype does not recognize the patch from SUSE.
This is due to the Syft output: for every Python package, Syft generates 2 entries.
The first is the base version and the second is the backport from the OS provider.

This is the Syft output:

```
gunicorn            20.1.0                python
python311-gunicorn  20.1.0-150400.12.6.1  rpm
```

How to reproduce it (as minimally and precisely as possible):

  1. Create the Dockerfile with this content:

```Dockerfile
FROM registry.suse.com/suse/sle15:15.6

ADD https://rpmfind.net/linux/opensuse/distribution/leap/15.6/repo/oss/noarch/python311-gunicorn-20.1.0-150400.12.6.1.noarch.rpm /tmp
RUN rpm -ivh --nodeps /tmp/python311-gunicorn-20.1.0-150400.12.6.1.noarch.rpm

ENTRYPOINT [""]
CMD ["bash"]
```

  2. Build an image from the Dockerfile:

```
$ docker build -t "suse15.6_python311-gunicorn:v1" .
```

  3. Verify the package in the container:

```
$ docker run -it suse15.6_python311-gunicorn:v1 bash

rpm -qa | grep gunicorn

python311-gunicorn-20.1.0-150400.12.6.1.noarch
```

  4. Run Syft:

```
$ syft suse15.6_python311-gunicorn:v1 | grep gunicorn
gunicorn 20.1.0 python
python311-gunicorn 20.1.0-150400.1 rpm
```

  5. Test with Grype:

```
$ grype suse15.6_python311-gunicorn:v1
NAME      INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
gunicorn  20.1.0     22.0.0    python  GHSA-w3h3-4rj7-4ph4  High
```

Environment:

```
$ grype --version
grype 0.86.1
```

In the container image eco-system:

```
NAME="SLES"
VERSION="15-SP6"
VERSION_ID="15.6"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP6"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp6"
DOCUMENTATION_URL="https://documentation.suse.com/"
```

@sekveaja sekveaja added the bug Something isn't working label Feb 5, 2025
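The double-entry behaviour the report describes (a `python` entry for gunicorn next to the `rpm` entry for python311-gunicorn) can be detected from Syft's JSON output so that such findings are routed to the distro advisory instead of being accepted as upstream matches. The following is an added triage script, not Syft or Grype code; it assumes Syft's JSON layout (`artifacts[].type`, `artifacts[].locations[].path`, and `metadata.files[].path` on rpm entries), and the embedded document is constructed to mirror the issue's case rather than copied from real output.

```python
import json
import os

# Constructed Syft-style document modelled on the issue's gunicorn case (not real Syft output)
SYFT_DOC = json.loads("""{
  "artifacts": [
    {"name": "gunicorn", "version": "20.1.0", "type": "python",
     "locations": [{"path": "/usr/lib/python3.11/site-packages/gunicorn-20.1.0-py3.11.egg-info/PKG-INFO"}]},
    {"name": "python311-gunicorn", "version": "20.1.0-150400.12.6.1", "type": "rpm",
     "locations": [{"path": "/usr/lib/sysimage/rpm/Packages.db"}],
     "metadata": {"files": [
       {"path": "/usr/lib/python3.11/site-packages/gunicorn/__init__.py"},
       {"path": "/usr/lib/python3.11/site-packages/gunicorn-20.1.0-py3.11.egg-info/PKG-INFO"}]}},
    {"name": "requests", "version": "2.31.0", "type": "python",
     "locations": [{"path": "/opt/app/venv/lib/python3.11/site-packages/requests-2.31.0.dist-info/METADATA"}]}
  ]
}""")


def rpm_file_owners(doc):
    """Map each file path listed in an rpm entry to (rpm name, rpm version)."""
    owners = {}
    for art in doc["artifacts"]:
        if art.get("type") == "rpm":
            for f in art.get("metadata", {}).get("files", []):
                owners[os.path.normpath(f["path"])] = (art["name"], art["version"])
    return owners


def distro_backported(doc):
    """Python entries whose metadata file is owned by an rpm: {py name: (rpm name, rpm version)}.
    Grype matches these against upstream fix ranges, so the distro advisory decides the real state."""
    owners = rpm_file_owners(doc)
    found = {}
    for art in doc["artifacts"]:
        if art.get("type") == "python":
            for loc in art.get("locations", []):
                owner = owners.get(os.path.normpath(loc["path"]))
                if owner:
                    found[art["name"]] = owner
    return found


def triage(match_rows, doc):
    """Tag (package, vulnerability) rows taken from Grype output for review routing."""
    backported = distro_backported(doc)
    return [(name, vuln, "review-distro-advisory" if name in backported else "upstream")
            for name, vuln in match_rows]
```

A pip-installed package in a venv (the `requests` entry) has no rpm owner and stays tagged `upstream`, so the script only diverts findings that the distro actually patches.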