You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As per SUSE Advisory, there is no CVE-2023-42282 found.
Therefore, the CVE is not apply for SUSE ecosystem.
Grype should not report this vulnerability.
It seems that vulnerability is solely based on NVD CPE regardless argument "--distro sles:15.5" is provided to Grype.
How to reproduce it (as minimally and precisely as possible):
Build a test SUSE image and install with this package npm18-18.18.2-150400.9.15.1.x86_64
Anything else we need to know?:
Environment:
Output of grype version: grype 0.74.7
OS (e.g: cat /etc/os-release or similar):
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
The text was updated successfully, but these errors were encountered:
The GHSA match is based on Grype finding the NPM package ip, and comparing that against published GitHub security advisories, and finding GHSA-78xj-cgh5-2h22.
If SUSE hasn't published anything about this CVE, should Grype still assume that it is fixed?
Therefore, the CVE is not apply for SUSE ecosystem.
I'm not sure we can make that assumption. SUSE has bundled the NPM package ip, and has bundled a version that appears to be vulnerable based on its version number. Unless we know the SUSE package has a fix or derives from a version that isn't vulnerable, it seems much safer to assume the package is vulnerable than to assume it isn't.
What happened:
Scan on custom image and get this vulnerability reported:
ip 2.0.0 2.0.1 npm GHSA-78xj-cgh5-2h22 Medium
Issue: "GHSA-78xj-cgh5-2h22" ------> "CVE-2023-42282"
:
"locations": [
{
"path": "/usr/lib64/node_modules/npm18/node_modules/ip/package.json",
"layerID": "sha256:8cbcaaf005a84d63ae8755f21c3504fd224b9fcc1fa6ea021b30938e6065f3a9"
}
What you expected to happen:
As per SUSE Advisory, there is no CVE-2023-42282 found.
Therefore, the CVE is not apply for SUSE ecosystem.
Grype should not report this vulnerability.
It seems that vulnerability is solely based on NVD CPE regardless argument "--distro sles:15.5" is provided to Grype.
How to reproduce it (as minimally and precisely as possible):
Build a test SUSE image and install with this package npm18-18.18.2-150400.9.15.1.x86_64
Anything else we need to know?:
Environment:
grype version
: grype 0.74.7cat /etc/os-release
or similar):NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
The text was updated successfully, but these errors were encountered: