Be sure to check the existing issues (both open and closed!), and make sure you are running the latest version of Pipenv.
Check the diagnose documentation for common issues before posting! We may close your issue if it is very similar to one of them. Please be considerate, or be on your way.
Make sure to mention your debugging experience if the documented solution failed.
Issue description
An AWS Inspector run returns a High severity finding on builds with pipenv for examples/pipenv.lock. The file's example data leads to the reporting of a high severity vulnerability, breaking our product pipelines.
Expected result
No issues
Actual result
Report fragment:
```json
{
  "SchemaVersion": "2018-10-08",
  "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector",
  "ProductName": "Inspector",
  "CompanyName": "Amazon",
  "Region": "us-east-1",
  "GeneratorId": "AWSInspector",
  "Types": [
    "Software and Configuration Checks/Vulnerabilities/CVE"
  ],
  "FirstObservedAt": "2025-01-28T15:27:08.842Z",
  "LastObservedAt": "2025-02-04T08:12:52.044Z",
  "CreatedAt": "2025-01-28T15:27:08.842Z",
  "UpdatedAt": "2025-02-04T08:12:52.044Z",
  "Severity": {
    "Label": "HIGH",
    "Normalized": 70
  },
  "Title": "CVE-2024-3651 - idna",
  "Description": "A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.",
  "Remediation": {
    "Recommendation": {
      "Text": "Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON."
    }
  },
  "ProductFields": {
    "aws/inspector/ProductVersion": "2",
    "aws/inspector/FindingStatus": "ACTIVE",
    "aws/inspector/inspectorScore": "7.5",
    "aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform": "DEBIAN_12",
    "aws/inspector/packageVulnerabilityDetails/vulnerablePackages/sourceLayerHashes": "sha256:2afed5f3dce86d2b6d5c99c72109e30528fe90b39fcad341d3b9a9232b5089bb",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/inspector/arn:aws:inspector2:us-east-1:588145730505:finding/8ebe3faa369f1f162815e6f6ef46ebc9",
    "aws/securityhub/ProductName": "Inspector",
    "aws/securityhub/CompanyName": "Amazon"
  },
  "Resources": [
    {
      "Type": "AwsEcrContainerImage",
      "Partition": "aws",
      "Region": "us-east-1"
    }
  ],
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "Vulnerabilities": [
    {
      "Id": "CVE-2024-3651",
      "VulnerablePackages": [
        {
          "Name": "idna",
          "Version": "3.4",
          "Epoch": "0",
          "PackageManager": "PYTHON",
          "FilePath": "usr/local/lib/python3.11/site-packages/examples/Pipfile.lock",
          "FixedInVersion": "3.7",
          "SourceLayerHash": "sha256:2afed5f3dce86d2b6d5c99c72109e30528fe90b39fcad341d3b9a9232b5089bb"
        }
      ],
      "Cvss": [
        {
          "Version": "3.1",
          "BaseScore": 7.5,
          "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "Source": "NVD"
        },
        {
          "Version": "3.1",
          "BaseScore": 7.5,
          "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "Source": "NVD"
        }
      ],
      "Vendor": {
        "Name": "NVD",
        "Url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651",
        "VendorSeverity": "HIGH",
        "VendorCreatedAt": "2024-07-07T18:15:09.000Z",
        "VendorUpdatedAt": "2024-11-21T09:30:05.000Z"
      },
      "ReferenceUrls": [
        "https://nvd.nist.gov/vuln/detail/CVE-2024-3651"
      ],
      "FixAvailable": "YES",
      "EpssScore": 0.00046,
      "ExploitAvailable": "NO"
    }
  ],
  "FindingProviderFields": {
    "Severity": {
      "Label": "HIGH"
    },
    "Types": [
      "Software and Configuration Checks/Vulnerabilities/CVE"
    ]
  },
  "ProcessedAt": "2025-02-04T08:13:04.254Z"
}
```
Steps to replicate
The above is the result of an automated job run.
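The report above is a Security Hub finding record; the following is an added Python example (not from this issue or from pipenv) that flattens such a finding into per-package records and flags the case reported here, where the flagged FilePath is a Pipfile.lock shipped under an examples/ directory inside site-packages rather than the lock file of the image's own environment. The embedded finding is a constructed excerpt of the fragment above, and the triage rule and function names are assumptions.

```python
import json
from typing import Dict, List

# Constructed excerpt of the Inspector finding quoted in the issue: only the
# fields the triage logic needs, with the values from the report fragment.
FINDING_JSON = """{
  "Title": "CVE-2024-3651 - idna",
  "Severity": {"Label": "HIGH", "Normalized": 70},
  "Vulnerabilities": [{
    "Id": "CVE-2024-3651",
    "FixAvailable": "YES",
    "VulnerablePackages": [{
      "Name": "idna", "Version": "3.4", "PackageManager": "PYTHON",
      "FilePath": "usr/local/lib/python3.11/site-packages/examples/Pipfile.lock",
      "FixedInVersion": "3.7"
    }]
  }]
}"""


def is_example_lockfile(path: str) -> bool:
    """True when the flagged file is a Pipfile.lock under an examples/ directory
    inside site-packages, i.e. sample data installed with a package, not the
    manifest that produced the image's Python environment (assumed rule)."""
    parts = path.replace("\\", "/").split("/")
    return (
        parts[-1] == "Pipfile.lock"
        and "site-packages" in parts
        and "examples" in parts[parts.index("site-packages"):]
    )


def triage(finding: Dict) -> List[Dict]:
    """Flatten one finding into per-package records with a triage verdict."""
    records = []
    for vuln in finding.get("Vulnerabilities", []):
        for pkg in vuln.get("VulnerablePackages", []):
            path = pkg.get("FilePath", "")
            # Pins in an example lock file are never installed; send those to
            # review instead of failing the build outright.
            verdict = "review-example-data" if is_example_lockfile(path) else "fail-build"
            records.append({"cve": vuln["Id"], "package": pkg["Name"],
                            "version": pkg["Version"], "fixed_in": pkg.get("FixedInVersion"),
                            "path": path, "verdict": verdict})
    return records


def triage_json(text: str) -> List[Dict]:
    """Parse a finding document and triage it."""
    return triage(json.loads(text))


if __name__ == "__main__":
    for rec in triage_json(FINDING_JSON):
        print(rec)
```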