False Positive: GHSA-j225-cvw7-qrx7 (CVE-2023-52323) python3-pycryptodome #2068

Open
sekveaja opened this issue Aug 19, 2024 · 0 comments
Labels
bug Something isn't working false-positive

Comments

@sekveaja
sekveaja commented Aug 19, 2024

What happened:
Scanning an image that has python3-pycryptodome-3.9.0-150200.9.1.x86_64 installed.
It generates a high vulnerability:

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
pycryptodome 3.9.0 3.19.1 python GHSA-j225-cvw7-qrx7 Medium

What you expected to happen:

According to the SUSE advisory for CVE-2023-52323,
the patch for this CVE is applied from version python3-pycryptodome-3.9.0-150200.9.1.x86_64.

See this link: https://www.suse.com/security/cve/CVE-2023-52323.html

SUSE Linux Enterprise Module for Basesystem 15 SP5
python3-pycryptodome >= 3.9.0-150200.9.1
Patchnames:
SUSE-SLE-Module-Basesystem-15-SP5-2024-601

Installed version in the container: python3-pycryptodome-3.9.0-150200.9.1.x86_64

rpm -qf /usr/lib64/python3.6/site-packages/pycryptodome-3.9.0-py3.6.egg-info/PKG-INFO

python3-pycryptodome-3.9.0-150200.9.1.x86_64

Conclusion: The installed version meets the minimum patched version from SLES 15.5, but Grype generates a vulnerability.

How to reproduce it (as minimally and precisely as possible):

  1. Create the Dockerfile with this content:

FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-pycryptodome=3.9.0-150200.9.1
ENTRYPOINT [""]
CMD ["bash"]

  2. Build an image from the Dockerfile

$ docker build -t "suse15.5_python3-pycryptodome:v1" .

  3. Test with Grype now

$ grype --distro sles:15.5 suse15.5_python3-pycryptodome:v1

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
pycryptodome 3.9.0 3.19.1 python GHSA-j225-cvw7-qrx7 Medium

  4. syft suse15.5_python3-pycryptodome:v1 | grep pycrypto

pycryptodome 3.9.0 python
python3-pycryptodome 3.9.0-150200.9.1 rpm

Note: The problem could come from Syft reporting pycryptodome version 3.9.0; there is no such package in the container.
There is only the python3-pycryptodome package in the container.

Environment:

$ grype --version
grype 0.79.4

In the container image ecosystem:

bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"

@sekveaja sekveaja added the bug Something isn't working label Aug 19, 2024
@willmurphyscode willmurphyscode moved this to Backlog in OSS Aug 28, 2024
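The note in the report points at the mechanism behind this class of false positive: the Python cataloger reads the upstream version (3.9.0) out of the egg-info, while the distro backport is only visible in the release part of the owning RPM (3.9.0-150200.9.1). The script below is an added example, not code from Grype, Syft or SUSE; it shows the ownership-based triage a defender can run locally to decide whether a Python-ecosystem finding is already covered by a patched RPM. The Syft lines, the `rpm -qf` ownership answer and the advisory fixed version are constructed from the values quoted in the issue; the `PYTHON_PKG_LOCATION` mapping and the `triage` function are hypothetical, and `rpmvercmp` is a simplified reimplementation of the rpm version-segment comparison (digit and alpha segments plus the `~` pre-release marker), not the library's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: what `syft <image> | grep pycrypto` printed in the issue above.
SYFT_OUTPUT = """\
pycryptodome 3.9.0 python
python3-pycryptodome 3.9.0-150200.9.1 rpm
"""

# Hypothetical: where the python cataloger found the package metadata.
PYTHON_PKG_LOCATION = {
    "pycryptodome": "/usr/lib64/python3.6/site-packages/pycryptodome-3.9.0-py3.6.egg-info/PKG-INFO",
}

# Constructed from the `rpm -qf` answer quoted in the issue: file -> owning rpm (NVRA).
RPM_OWNER = {
    "/usr/lib64/python3.6/site-packages/pycryptodome-3.9.0-py3.6.egg-info/PKG-INFO":
        "python3-pycryptodome-3.9.0-150200.9.1.x86_64",
}

# Constructed from the SUSE advisory quoted in the issue: rpm name -> fixed version-release.
DISTRO_FIXED = {"python3-pycryptodome": "3.9.0-150200.9.1"}


@dataclass
class Package:
    name: str
    version: str
    type: str


_SEG = re.compile(r"\d+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm segment comparison: -1 if a < b, 0 if equal, 1 if a > b.
    Numeric segments compare as integers, alpha segments lexically, a numeric
    segment beats an alpha one, '~' sorts before anything, and the version with
    segments left over wins (unless the leftover starts with '~')."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
            continue  # e.g. "01" == "1"
        if x.isdigit():
            return 1
        if y.isdigit():
            return -1
        return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    longer_is_a = len(sa) > len(sb)
    rest = sa[len(sb):] if longer_is_a else sb[len(sa):]
    if rest[0] == "~":
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def split_vr(vr: str) -> tuple[str, str]:
    """Split 'version-release' at the last '-' (epoch is not handled here)."""
    return tuple(vr.rsplit("-", 1)) if "-" in vr else (vr, "")


def rpm_evr_cmp(a: str, b: str) -> int:
    """Compare two version-release strings the way rpm orders them: version first, then release."""
    va, ra = split_vr(a)
    vb, rb = split_vr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_nvra(nvra: str) -> tuple[str, str, str]:
    """'name-version-release.arch' -> (name, 'version-release', arch)."""
    base, _, arch = nvra.rpartition(".")
    name, version, release = base.rsplit("-", 2)
    return name, f"{version}-{release}", arch


def parse_syft(text: str) -> list[Package]:
    """Parse the three-column 'NAME VERSION TYPE' lines of the table output."""
    return [Package(*line.split()) for line in text.splitlines() if line.strip()]


def triage(syft_text=SYFT_OUTPUT, locations=PYTHON_PKG_LOCATION,
           owners=RPM_OWNER, distro_fixed=DISTRO_FIXED) -> dict[str, tuple[str, str]]:
    """For every python-ecosystem package, look up the rpm that owns its metadata file.
    If that rpm is at or above the distro advisory's fixed version-release, the upstream
    match is a candidate false positive ('suppress'); otherwise it is kept for review."""
    verdicts = {}
    for pkg in parse_syft(syft_text):
        if pkg.type != "python":
            continue
        nvra = owners.get(locations.get(pkg.name, ""))
        if nvra is None:
            verdicts[pkg.name] = ("keep", "not owned by any rpm; upstream version applies")
            continue
        rpm_name, rpm_vr, _ = parse_nvra(nvra)
        fixed = distro_fixed.get(rpm_name)
        if fixed is not None and rpm_evr_cmp(rpm_vr, fixed) >= 0:
            verdicts[pkg.name] = ("suppress", f"owned by {rpm_name} {rpm_vr} >= distro fix {fixed}")
        else:
            verdicts[pkg.name] = ("keep", f"owned by {rpm_name} {rpm_vr}; below or without a distro fix")
    return verdicts


if __name__ == "__main__":
    for name, (verdict, why) in triage().items():
        print(f"{name}: {verdict} ({why})")
```

Running it prints `pycryptodome: suppress (owned by python3-pycryptodome 3.9.0-150200.9.1 >= distro fix 3.9.0-150200.9.1)`, i.e. the upstream-range match (`3.9.0 < 3.19.1`) is real, but the file belongs to an RPM that already carries the backport. Swapping in an older owning RPM such as `...-150200.5.1` flips the verdict to `keep`, which is the behaviour a scanner needs when it correlates ecosystem packages with the OS package that ships them.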