False Positive: CVE-2023-42282 not affected in SUSE ecosystem.

[sekveaja]

What happened:
Scan on custom image and get this vulnerability reported:

ip 2.0.0 2.0.1 npm GHSA-78xj-cgh5-2h22 Medium

Issue: "GHSA-78xj-cgh5-2h22" ------> "CVE-2023-42282"
:
"locations": [
{
"path": "/usr/lib64/node_modules/npm18/node_modules/ip/package.json",
"layerID": "sha256:8cbcaaf005a84d63ae8755f21c3504fd224b9fcc1fa6ea021b30938e6065f3a9"
}

What you expected to happen:

As per SUSE Advisory, there is no CVE-2023-42282 found.
Therefore, the CVE is not apply for SUSE ecosystem.
Grype should not report this vulnerability.

It seems that vulnerability is solely based on NVD CPE regardless argument "--distro sles:15.5" is provided to Grype.

How to reproduce it (as minimally and precisely as possible):

Build a test SUSE image and install with this package npm18-18.18.2-150400.9.15.1.x86_64

Anything else we need to know?:

Environment:

• Output of grype version: grype 0.74.7
• OS (e.g: cat /etc/os-release or similar):
  NAME="SLES"
  VERSION="15-SP5"
  VERSION_ID="15.5"
  PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"

[willmurphyscode]

Hi @sekveaja,

The GHSA match is based on Grype finding the NPM package ip, and comparing that against published GitHub security advisories, and finding GHSA-78xj-cgh5-2h22.

If SUSE hasn't published anything about this CVE, should Grype still assume that it is fixed?

Therefore, the CVE is not apply for SUSE ecosystem.

I'm not sure we can make that assumption. SUSE has bundled the NPM package ip, and has bundled a version that appears to be vulnerable based on its version number. Unless we know the SUSE package has a fix or derives from a version that isn't vulnerable, it seems much safer to assume the package is vulnerable than to assume it isn't.

[sekveaja]

Hello,
We update patch from SUSE. This issue is no longer generated.
You may close this ticket.
Thank you.