What happened:
Scanning an image that has python3-requests-2.25.1-150300.3.6.1.noarch and python3-pip-20.0.2-150400.20.1.noarch installed generates high vulnerabilities:
```
NAME      INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
pip       20.0.2     23.3      python  GHSA-mq26-g339-26xf  Medium
pip       20.0.2     21.1      python  GHSA-5xp3-jfq3-5q8x  Medium
requests  2.25.1     2.31.0    python  GHSA-j8r2-6x86-q33q  Medium
requests  2.25.1     2.32.0    python  GHSA-9wx4-h78v-vm56  Medium
```
What you expected to happen:
** Please read UPDATE INFO below **
According to the SUSE advisory for CVE-2023-32681, the patch for this CVE is applied from version python3-requests >= 2.24.0-150300.3.3.1.
See: https://www.suse.com/security/cve/CVE-2023-32681.html
SUSE Linux Enterprise Server 15 SP4
python3-requests >= 2.24.0-150300.3.3.1
But the package installed in the container is python3-requests-2.25.1-150300.3.6.1.
According to the SUSE advisory for CVE-2021-3572, the patch for this CVE is applied from version python3-pip >= 20.0.2-150400.15.6.
See: https://www.suse.com/security/cve/CVE-2021-3572.html
SUSE Linux Enterprise Server 15 SP4
python3-pip >= 20.0.2-150400.15.6
But the package installed in the container is python3-pip-20.0.2-150400.20.1.
To summarize:
Installed versions in the container:
python3-requests-2.25.1-150300.3.6.1.noarch
python3-pip-20.0.2-150400.20.1.noarch
SUSE Linux Enterprise Server 15 SP4 minimal requirement for those CVEs:
python3-requests >= 2.24.0-150300.3.3.1
python3-pip >= 20.0.2-150400.15.6
Conclusion: the installed versions meet the minimal patched requirement from SLES 15.4, but Grype still generates vulnerabilities.
** UPDATE INFO **
This issue was raised on SLES 15 SP4, but it is still seen on SLES 15 SP5 and even with the recent release SLES 15 SP6.
The problem has been observed with Python packages.
Grype seems to validate 2 inputs: one is the base version (2.25.1) and the second is base & patches (2.25.1-150300.3.12.2).
SLES 15.6:
requests 2.25.1 python (this package is not in the image)
python3-requests 2.25.1-150300.3.12.2 rpm (this package is installed in the image)
Both inputs are used by Grype to scan for vulnerabilities.
When looking solely at requests 2.25.1, it does not meet the recommended version from SUSE, hence it is vulnerable.
On top of that, it does not even exist in the image.
For some reason, Syft always generates a double output when it detects a Python package.
This leads to a vulnerability being generated on one of the outputs.
Therefore it creates a FP at the same time, as the package installed in the image really has the patch and the recommended version from the OS provider.
It is strongly suggested to look at the Syft output, which is the source of the issue for Grype with Python packages.
How to reproduce it (as minimally and precisely as possible):
Create the Dockerfile with this content:
```dockerfile
FROM registry.suse.com/suse/sle15:15.4
RUN zypper in -y --no-recommends python3-pip=20.0.2-150400.20.1
RUN zypper in -y --no-recommends python3-requests=2.25.1-150300.3.6.1
ENTRYPOINT [""]
CMD ["bash"]
```
Then build the image and scan it:
```
$ docker build -t "suse15.4_pip_request:v1" .
$ grype --distro sles:15.4 suse15.4_pip_request:v1
NAME          INSTALLED              FIXED-IN                 TYPE    VULNERABILITY        SEVERITY
pip           20.0.2                 23.3                     python  GHSA-mq26-g339-26xf  Medium
pip           20.0.2                 21.1                     python  GHSA-5xp3-jfq3-5q8x  Medium
py            1.10.0                                          python  GHSA-w596-4wvx-j9j6  High
python3       3.6.15-150300.10.51.1  0:3.6.15-150300.10.57.1  rpm     CVE-2022-48566       Medium
python3-base  3.6.15-150300.10.51.1  0:3.6.15-150300.10.57.1  rpm     CVE-2022-48566       Medium
requests      2.25.1                 2.31.0                   python  GHSA-j8r2-6x86-q33q  Medium
requests      2.25.1                 2.32.0                   python  GHSA-9wx4-h78v-vm56  Medium
```
Environment:
```
$ grype --version
grype 0.78.0
```
In the container image ecosystem:
```
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP4"
VERSION_ID="15.4"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP4"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
```
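As an added triage example (not from this issue and not Grype's or Syft's own code), the script below performs the two comparisons the UPDATE INFO section describes: an rpm-style EVR comparison of the installed python3-* package against the fixed EVR from the SUSE advisory, and a flag on every python-type Grype match that is shadowed by such an already-patched rpm. The Grype and Syft JSON records are reduced to the few fields used here (assumed to match `grype -o json` / `syft -o json`), the sample data is constructed from the versions quoted above, and the fixed-EVR table is keyed by package rather than by CVE (a simplification, not a SUSE data format).

```python
import re

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp (no ~/^ handling): compare numeric/alpha segments in order."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment is newer than an alpha one
        if x.isdigit():
            x, y = int(x), int(y)              # compare numbers numerically, not lexically
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a: str, b: str) -> int:
    """Compare '<version>-<release>' strings the way rpm orders them (epoch ignored here)."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def shadowed_python_matches(matches, artifacts, distro_fixed):
    """Return (vuln id, python name, rpm name, rpm EVR) for each python-type match whose
    package is also installed as the python3-<name> rpm at or above the distro fixed EVR."""
    rpms = {a["name"]: a["version"] for a in artifacts if a["type"] == "rpm"}
    hits = []
    for m in matches:
        art = m["artifact"]
        if art["type"] != "python":
            continue
        rpm_name = "python3-" + art["name"]   # SUSE naming convention (assumption)
        installed, fixed = rpms.get(rpm_name), distro_fixed.get(rpm_name)
        if installed and fixed and evr_cmp(installed, fixed) >= 0:
            hits.append((m["vulnerability"]["id"], art["name"], rpm_name, installed))
    return hits

# Constructed sample data using the versions quoted in the issue (syft artifacts[] / grype matches[]).
SYFT_ARTIFACTS = [
    {"name": "python3-requests", "version": "2.25.1-150300.3.6.1", "type": "rpm"},
    {"name": "requests", "version": "2.25.1", "type": "python"},
    {"name": "python3-pip", "version": "20.0.2-150400.20.1", "type": "rpm"},
    {"name": "pip", "version": "20.0.2", "type": "python"},
]
GRYPE_MATCHES = [
    {"vulnerability": {"id": "GHSA-j8r2-6x86-q33q"}, "artifact": {"name": "requests", "version": "2.25.1", "type": "python"}},
    {"vulnerability": {"id": "GHSA-5xp3-jfq3-5q8x"}, "artifact": {"name": "pip", "version": "20.0.2", "type": "python"}},
]
# Fixed EVRs from the SUSE advisories quoted in the issue; keyed by package, not by CVE (simplification).
DISTRO_FIXED = {"python3-requests": "2.24.0-150300.3.3.1", "python3-pip": "20.0.2-150400.15.6"}
```

Calling `shadowed_python_matches(GRYPE_MATCHES, SYFT_ARTIFACTS, DISTRO_FIXED)` returns both python-type findings as shadowed, because the installed rpm EVRs compare at or above the advisory EVRs while the bare 2.25.1 / 20.0.2 still compare below the upstream fix versions.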