@wagoodman,
I observed that when running Syft on a container that has a Python package installed, there are double entries in the Syft output.
Like this issue, we have only python3-wheel installed in the container.
Syft outputs 2 entries as follows:
$ syft suse15.5_python3-wheel:v1 | grep wheel
python3-wheel 0.32.3-150100.6.5.1 rpm
wheel 0.32.3 python
The wheel 0.32.3 entry will generate a false positive in Grype, as this version is not the recommended one.
Probably it would be good to filter double entries when feeding to Grype.
What happened:
Scan of an image that has python3-wheel-0.32.3-150100.6.5.1.noarch installed.
It generates a high-severity vulnerability:
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
wheel 0.32.3 0.38.1 python GHSA-qwmp-2cf2-g9g6 High
JSON format:
"vulnerability": {
"id": "GHSA-qwmp-2cf2-g9g6",
"dataSource": "GHSA-qwmp-2cf2-g9g6",
"namespace": "github:language:python",
"severity": "High",
"urls": [
"https://github.com/advisories/GHSA-qwmp-2cf2-g9g6"
],
"description": "pypa/wheel vulnerable to Regular Expression denial of service (ReDoS)",
:
"relatedVulnerabilities": [
{
"id": "CVE-2022-40898",
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-40898",
"namespace": "nvd:cpe",
"severity": "High",
"urls": [
"https://github.com/pypa/wheel/blob/main/src/wheel/wheelfile.py#L18",
:
:
"artifact": {
"id": "a4bbcf2fc6c27a8d",
"name": "wheel",
"version": "0.32.3",
"type": "python",
"locations": [
{
"path": "/usr/lib/python3.6/site-packages/wheel-0.32.3-py3.6.egg-info/PKG-INFO",
"layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
},
What you expected to happen:
According to the SUSE advisory for CVE-2022-40898, the patch for this CVE is applied from version python3-wheel >= 0.32.3-150100.6.5.1.
See this link: https://www.suse.com/security/cve/CVE-2022-40898.html
SUSE Linux Enterprise Server 15 SP5
python3-wheel >= 0.32.3-150100.6.5.1
Patchnames:
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python-wheel-0.32.3-150100.6.5.1
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python3-wheel-0.32.3-150100.6.5.1
$ rpm -qf /usr/lib/python3.6/site-packages/wheel-0.32.3-py3.6.egg-info/PKG-INFO
python3-wheel-0.32.3-150100.6.5.1.noarch
Installed version in the container: python3-wheel-0.32.3-150100.6.5.1.noarch
Conclusion: the installed version meets the minimum patched version from SLES 15.5, but Grype still generates a vulnerability.
How to reproduce it (as minimally and precisely as possible):
Create a Dockerfile with this content:
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-wheel=0.32.3-150100.6.5.1.noarch
ENTRYPOINT [""]
CMD ["bash"]
$ docker build -t "suse15.5_python3-wheel:v1" .
$ grype --distro sles:15.5 suse15.5_python3-wheel:v1
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
wheel 0.32.3 0.38.1 python GHSA-qwmp-2cf2-g9g6 High
$ syft suse15.5_python3-wheel:v1 | grep wheel
python3-wheel 0.32.3-150100.6.5.1 rpm
wheel 0.32.3 python (The problem is here)
Observation:
The problem comes from Syft, which generates a second entry, wheel.
The actual rpm installed in the container is python3-wheel, not wheel.
This second entry, wheel version 0.32.3, does not comply with the recommended version.
The Python package seems to have a double entry in the Syft output, which creates a false positive when running Grype.
Environment:
$ grype --version
grype 0.78.0
Inside the container image:
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
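As a scanner-side workaround for the double entry described in the Observation above and in the earlier comment, here is an added example (not code from the Syft or Grype projects) that post-processes a Syft JSON SBOM before it is piped into Grype: any python artifact whose every recorded location is listed in the file metadata of an rpm artifact is dropped, so only the distro-owned python3-wheel entry (the one SUSE's backported fix applies to) reaches the matcher. The field names used (artifacts[].type, artifacts[].locations[].path, artifacts[].metadata.files[].path, artifactRelationships[].parent/child) are the Syft JSON schema as assumed here; the embedded SBOM is constructed to mirror the python3-wheel case in this report and is not real Syft output, and the example-lib package in it is hypothetical.

```python
"""Drop Syft language packages whose files are owned by an RPM.

Added example, not Syft or Grype code. Reads a Syft JSON SBOM
(syft <image> -o json) on stdin, removes python artifacts whose
locations are all claimed by an rpm artifact's file list, prunes the
relationships that referenced them, and writes the result to stdout.
Field names are the Syft JSON schema as assumed by this example.
"""
import json
import sys

EGG_INFO = "/usr/lib/python3.6/site-packages/wheel-0.32.3-py3.6.egg-info/PKG-INFO"

# Constructed sample SBOM fragment (not captured from Syft), mirroring the
# two entries reported for the python3-wheel image plus one hypothetical
# pip-installed package that no rpm owns.
SAMPLE_SBOM = {
    "artifacts": [
        {   # rpm from the rpm database; its file list includes the egg-info
            "id": "rpm-python3-wheel",
            "name": "python3-wheel",
            "version": "0.32.3-150100.6.5.1",
            "type": "rpm",
            "locations": [{"path": "/var/lib/rpm/Packages"}],
            "metadata": {"files": [
                {"path": EGG_INFO},
                {"path": "/usr/lib/python3.6/site-packages/wheel/__init__.py"},
            ]},
        },
        {   # the duplicate python entry derived from the same egg-info file
            "id": "a4bbcf2fc6c27a8d",
            "name": "wheel",
            "version": "0.32.3",
            "type": "python",
            "locations": [{"path": EGG_INFO}],
        },
        {   # hypothetical pip-installed package; must survive the filter
            "id": "py-example-lib",
            "name": "example-lib",
            "version": "1.0.0",
            "type": "python",
            "locations": [{"path": "/usr/lib/python3.6/site-packages/example_lib-1.0.0.dist-info/METADATA"}],
        },
    ],
    "artifactRelationships": [
        {"parent": "rpm-python3-wheel", "child": "a4bbcf2fc6c27a8d", "type": "ownership-by-file-overlap"},
    ],
}


def rpm_owned_paths(sbom):
    """Return the set of file paths claimed by any rpm artifact in the SBOM."""
    owned = set()
    for art in sbom.get("artifacts", []):
        if art.get("type") != "rpm":
            continue
        for entry in (art.get("metadata") or {}).get("files") or []:
            path = entry.get("path")
            if path:
                owned.add(path)
    return owned


def filter_rpm_owned(sbom, lang_types=("python",)):
    """Return (filtered_sbom, dropped_ids).

    A language artifact is dropped only when every one of its locations is
    rpm-owned. A package with any file outside the rpm file lists (for
    example a pip-installed upgrade next to the distro copy) is kept, so a
    genuinely vulnerable version is never hidden by this filter.
    """
    owned = rpm_owned_paths(sbom)
    kept, dropped = [], []
    for art in sbom.get("artifacts", []):
        paths = [loc.get("path") for loc in art.get("locations", [])]
        if art.get("type") in lang_types and paths and all(p in owned for p in paths):
            dropped.append(art["id"])
        else:
            kept.append(art)
    dropped_set = set(dropped)
    out = dict(sbom)
    out["artifacts"] = kept
    # Keep the SBOM consistent: no relationship may point at a removed artifact.
    out["artifactRelationships"] = [
        rel for rel in sbom.get("artifactRelationships", [])
        if rel.get("parent") not in dropped_set and rel.get("child") not in dropped_set
    ]
    return out, dropped


if __name__ == "__main__":
    # Usage: syft <image> -o json | python3 filter_rpm_owned.py | grype --distro sles:15.5
    # With no data on stdin the constructed sample is used instead.
    src = SAMPLE_SBOM if sys.stdin.isatty() else json.load(sys.stdin)
    filtered, dropped_ids = filter_rpm_owned(src)
    for art_id in dropped_ids:
        print(f"dropped rpm-owned artifact {art_id}", file=sys.stderr)
    json.dump(filtered, sys.stdout)
```

On the sample, the python wheel entry is removed (its only location, the egg-info PKG-INFO, is in the rpm's file list) while example-lib is kept, and the single relationship is pruned because its child no longer exists. The "all locations owned" rule is the conservative choice: it only suppresses entries that are provably the same files the distro package manages, which is exactly the case where the distro advisory, not the upstream fixed-in version, is the right reference.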