False positive: GHSA-jphg-qwrw-7w9g (CVE-2020-10663) in SLES 15.5 #1861

Open
sekveaja opened this issue May 13, 2024 · 0 comments
Labels
bug Something isn't working false-positive

Comments


sekveaja commented May 13, 2024

Scanning an image that has ruby2.5-stdlib-2.5.9-150000.4.29.1.x86_64 installed generates a High vulnerability:

"id": "GHSA-jphg-qwrw-7w9g",
"dataSource": "https://github.com/advisories/GHSA-jphg-qwrw-7w9g",
"namespace": "github:language:ruby",
"severity": "High",
"urls": [
  "https://github.com/advisories/GHSA-jphg-qwrw-7w9g"
],
:
:
"relatedVulnerabilities": [
  {
    "id": "CVE-2020-10663",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-10663",
    "namespace": "nvd:cpe",
    "severity": "High",
    "urls": [
    :
"artifact": {
  "id": "145d80db7bf23deb",
  "name": "json",
  "version": "2.1.0",
  "type": "gem",
  "locations": [
    {
      "path": "/usr/lib64/ruby/gems/2.5.0/specifications/default/json-2.1.0.gemspec",
      "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
    }
  ],

What you expected to happen:

According to the SUSE advisory:

https://www.suse.com/security/cve/CVE-2020-10663.html

SUSE Linux Enterprise Server 15 SP5
libruby2_5-2_5 >= 2.5.8-4.11.1
ruby2.5 >= 2.5.8-4.11.1
ruby2.5-devel >= 2.5.8-4.11.1
ruby2.5-devel-extra >= 2.5.8-4.11.1
ruby2.5-stdlib >= 2.5.8-4.11.1
Patchnames:
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA libruby2_5-2_5-2.5.9-150000.4.26.1
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA ruby2.5-2.5.9-150000.4.26.1

The installed version is > 2.5.8-4.11.1:

9bd66b5cfa32:/ # rpm -qf /usr/lib64/ruby/gems/2.5.0/specifications/default/json-2.1.0.gemspec
ruby2.5-stdlib-2.5.9-150000.4.29.1.x86_64

No vulnerability should be generated if we follow the SUSE requirement and the SUSE advisory.

How to reproduce it (as minimally and precisely as possible):

  1. Create a Dockerfile with this content:
    FROM registry.suse.com/suse/sle15:15.5
    RUN zypper in -y --no-recommends ruby2.5-rubygem-bundler=1.16.1-3.3.1
    ENTRYPOINT [""]
    CMD ["bash"]

  2. Build the image and scan it:
    docker build -t "suse15.5_test:v1" .
    grype suse15.5_test:v1

NAME  INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
json  2.1.0      2.3.0     gem   GHSA-jphg-qwrw-7w9g  High

Anything else we need to know?:

This one is slightly different from #1807. Here we have json 2.1.0, and it is easier to reproduce as it comes from the OS level.

Environment:

Output of grype version: grype 0.76.0

OS (e.g: cat /etc/os-release or similar):
$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"

@sekveaja sekveaja added the bug Something isn't working label May 13, 2024
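The check the report is asking for, written out as an added example (this is not grype's code and not the reporter's): a gem match is only treated as covered when the gemspec file is owned by a distro RPM whose installed EVR is at or above the vendor's fixed EVR. The version comparison is a Python reimplementation of RPM's segment-wise algorithm (rpmvercmp, with `~` handled and `^` left out). `RPM_OWNER` is a constructed stand-in for `rpm -qf` output so the script runs offline, `SUSE_FIXED` holds the fixed versions quoted above from the SUSE advisory, and `MATCH` is the report's JSON reduced to the fields the check needs.

```python
"""Decide whether a grype gem finding is already covered by the owning distro RPM.

Added example for this issue, not grype's own code. rpmvercmp() reimplements RPM's
segment-wise version comparison ('~' handled, '^' omitted); RPM_OWNER is a
constructed stand-in for `rpm -qf` output so this runs offline; SUSE_FIXED holds
the fixed versions quoted from the SUSE advisory in the report.
"""
import re


def _alnum(c: str) -> bool:
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two version fragments the way rpm does."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (_alnum(a[i]) or a[i] == "~"):  # skip separators
            i += 1
        while j < len(b) and not (_alnum(b[j]) or b[j] == "~"):
            j += 1
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:  # '~' sorts before anything, even end of string (1.0~rc1 < 1.0)
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return -1 if ta else 1
        if i >= len(a) or j >= len(b):
            break
        if a[i].isdigit():
            ma, mb = re.match(r"\d+", a[i:]), re.match(r"\d+", b[j:])
            if mb is None:
                return 1  # a numeric segment always beats an alphabetic one
            sa, sb = ma.group().lstrip("0"), mb.group().lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        else:
            ma, mb = re.match(r"[A-Za-z]+", a[i:]), re.match(r"[A-Za-z]+", b[j:])
            if mb is None:
                return -1
            sa, sb = ma.group(), mb.group()
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = i + len(ma.group()), j + len(mb.group())
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever still has characters left wins


def parse_evr(evr: str):
    """Split '[E:]V[-R]' into (epoch, version, release); a missing epoch is 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return epoch or "0", version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def nevra_to_evr(nevra: str):
    """'ruby2.5-stdlib-2.5.9-150000.4.29.1.x86_64' -> ('ruby2.5-stdlib', '2.5.9-150000.4.29.1')."""
    name, version, release = nevra.rsplit(".", 1)[0].rsplit("-", 2)
    return name, f"{version}-{release}"


# Constructed stand-in for `rpm -qf <path>`; only the gemspec from the report is RPM-owned.
RPM_OWNER = {
    "/usr/lib64/ruby/gems/2.5.0/specifications/default/json-2.1.0.gemspec":
        "ruby2.5-stdlib-2.5.9-150000.4.29.1.x86_64",
}
# Fixed versions for SLES 15 SP5 quoted in the report from the SUSE advisory.
SUSE_FIXED = {"ruby2.5-stdlib": "2.5.8-4.11.1", "ruby2.5": "2.5.8-4.11.1"}
# The match from the report, reduced to the fields this check needs.
MATCH = {
    "vulnerability": {"id": "GHSA-jphg-qwrw-7w9g", "severity": "High"},
    "artifact": {"name": "json", "version": "2.1.0", "type": "gem", "locations": [
        {"path": "/usr/lib64/ruby/gems/2.5.0/specifications/default/json-2.1.0.gemspec"}]},
}


def covered_by_distro(match: dict, rpm_owner=RPM_OWNER, fixed=SUSE_FIXED):
    """Return (covered, reason): True only if every location of a gem match is owned by
    an RPM whose installed EVR is at or above the distro's fixed EVR."""
    art = match["artifact"]
    if art.get("type") != "gem" or not art.get("locations"):
        return False, "not a gem match with file locations"
    reasons = []
    for loc in art["locations"]:
        owner = rpm_owner.get(loc["path"])
        if owner is None:  # user-installed gem: the GHSA finding stands
            return False, f"{loc['path']} is not owned by any RPM"
        name, installed = nevra_to_evr(owner)
        fix = fixed.get(name)
        if fix is None:
            return False, f"no distro fix known for {name}"
        if evrcmp(installed, fix) < 0:
            return False, f"{name} {installed} is older than fix {fix}"
        reasons.append(f"{owner} >= {fix}")
    return True, "; ".join(reasons)


if __name__ == "__main__":
    print(MATCH["vulnerability"]["id"], covered_by_distro(MATCH))
```

A gemspec under `specifications/default/` that `rpm -qf` reports as owned by `ruby2.5-stdlib` gets judged by the RPM's EVR, so 2.5.9-150000.4.29.1 compares above the 2.5.8-4.11.1 fix and the GHSA finding is marked covered; a gemspec that no RPM owns (a `gem install`ed copy of the same version) is left as a real finding, which is the distinction the report is drawing.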