Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

False positive: GHSA-v5h6-c2hv-hv3r (CVE-2024-27280) ruby2.5-stdlib in SLES 15.5 Ecosystem #1965

Open
sekveaja opened this issue Jun 25, 2024 · 1 comment
Open

False positive: GHSA-v5h6-c2hv-hv3r (CVE-2024-27280) ruby2.5-stdlib in SLES 15.5 Ecosystem #1965

sekveaja opened this issue Jun 25, 2024 · 1 comment
Labels
blocked Progress is being stopped by something bug Something isn't working

Comments

@sekveaja
Copy link

What happened:

Scan on image that has ruby2.5-stdlib-2.5.9-150000.4.29.1.x86_64.noarch installed.
It generates vulnerability:

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
stringio 0.0.1 3.0.1.1 gem GHSA-v5h6-c2hv-hv3r High
webrick 1.4.2.1 1.6.1 gem GHSA-gwfg-cqmg-cf8f High

JSON format:

"vulnerability": {
"id": "GHSA-v5h6-c2hv-hv3r",
"dataSource": "GHSA-v5h6-c2hv-hv3r",
"namespace": "github:language:ruby",
"severity": "High",
"urls": [
"https://github.com/advisories/GHSA-v5h6-c2hv-hv3r"
],
"description": "StringIO buffer overread vulnerability",
:
:
"relatedVulnerabilities": [
{
"id": "CVE-2024-27280",
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-27280",
"namespace": "nvd:cpe",
"severity": "Unknown",

:
:
"artifact": {
"id": "cd8bdb8fd0bf6563",
"name": "stringio",
"version": "0.0.1",
"type": "gem",
"locations": [
{
"path": "/usr/lib64/ruby/gems/2.5.0/specifications/default/stringio-0.0.1.gemspec",

What you expected to happen:

According to SUSE Advisory on CVE-2024-27280
Ruby and Ruby2.5 is Not affected, therefore, Grype should not generate vulnarability.

See with this link: https://www.suse.com/security/cve/CVE-2024-27280.html

SUSE Linux Enterprise Server 15 SP5 ruby Not affected
SUSE Linux Enterprise Server 15 SP5 ruby2.5 Not affected

How to reproduce it (as minimally and precisely as possible):

  1. Create the Dockerfile with this content:

FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends ruby2.5-stdlib=2.5.9-150000.4.29.1
ENTRYPOINT [""]
CMD ["bash"]

  1. Build an image from Dockerfile

$ docker build -t "suse15.5_ruby2.5-stdlib:v1" .

  1. Test with Grype now

$ grype --distro sles:15.5 suse15.5_ruby2.5-stdlib:v1

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
stringio 0.0.1 3.0.1.1 gem GHSA-v5h6-c2hv-hv3r High
webrick 1.4.2.1 1.6.1 gem GHSA-gwfg-cqmg-cf8f High

Anything else we need to know?:

Environment:
$ grype --version
grype 0.78.0

In container image eco-system:

bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
@sekveaja sekveaja added the bug Something isn't working label Jun 25, 2024
@kzantow kzantow added the blocked Progress is being stopped by something label Sep 16, 2024
@kzantow
Copy link
Contributor

kzantow commented Sep 16, 2024

Blocked by anchore/vunnel#626

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
blocked Progress is being stopped by something bug Something isn't working
Projects
OSS
Status: Backlog
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kzantow @sekveaja