What happened:
Scan of an image that has python3-nova-22.2.2.dev15-1000.R11A02.noarch installed.
It generates these vulnerabilities:
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
nova 22.2.2.dev15 2013.2.4 python GHSA-xjmj-p278-4jp5 Medium
nova 22.2.2.dev15 2014.1.4 python GHSA-x8xr-rm9r-7mvf Medium
nova 22.2.2.dev15 22.2.3 python GHSA-vqp6-j452-j6wp Medium
nova 22.2.2.dev15 2014.2.4 python GHSA-mfmj-gwg3-vhw7 Medium
nova 22.2.2.dev15 2013.2 python GHSA-j6xh-q826-55jw Medium
nova 22.2.2.dev15 2014.1.3 python GHSA-92hc-c226-32q7 Medium
nova 22.2.2.dev15 24.1.2 python GHSA-7h75-hwxx-qpgc Medium
nova 22.2.2.dev15 2014.2.4 python GHSA-67rh-9p29-vrxr Medium
nova 22.2.2.dev15 2013.1.3 python GHSA-5mj6-643f-2g85 Medium
nova 22.2.2.dev15 2014.1.4 python GHSA-43hc-pwvx-pmfg Medium
nova 22.2.2.dev15 23.2.2 python GHSA-v725-c588-h936 Low
What you expected to happen:
According to this link for OpenStack:
https://releases.openstack.org/teams/nova.html
There is a change in version convention from the Liberty release until today.
Old series:
Kilo release series is:
2015.1.4
2015.1.3
2015.1.2
2015.1.1
2015.1.0
New version convention:
From the Liberty release series to today:
12.0.6
12.0.5
12.0.4
:
The release reported for this issue is Victoria, version 22.2.2:
(9 releases more recent than the Liberty series)
22.4.0
22.3.0
22.2.2 <---
22.2.1
:
Conclusion:
Due to the change of version convention from the Liberty release series, the tool is not really taking the change into account.
If it takes its reference only from NVD or GitHub, I believe it is wrong in this case.
How to reproduce it (as minimally and precisely as possible):
It is not possible to find the package python3-nova-22.2.2.dev15-1000.R11A02.noarch.
But there is a way to reproduce it easily:
Get the nova-22.2.2.tar.gz file from OpenStack:
wget https://tarballs.openstack.org/nova/nova-22.2.2.tar.gz
Run grype:
$ grype nova-22.2.2.tar.gz
✔ Vulnerability DB [no update available]
✔ Indexed file system /tmp/syft-archive-contents-854829737
✔ Cataloged contents d3310365e593a66ba9c3161afd83441376acc12a1b143a2e4c41fc80c54096f2
├── ✔ Packages [1 packages]
└── ✔ Executables [0 executables]
✔ Scanned for vulnerabilities [0 vulnerability matches]
├── by severity: 0 critical, 0 high, 10 medium, 1 low, 0 negligible
└── by status: 11 fixed, 0 not-fixed, 0 ignored
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
nova 22.2.2 2013.2.4 python GHSA-xjmj-p278-4jp5 Medium
nova 22.2.2 2014.1.4 python GHSA-x8xr-rm9r-7mvf Medium
nova 22.2.2 22.2.3 python GHSA-vqp6-j452-j6wp Medium
nova 22.2.2 2014.2.4 python GHSA-mfmj-gwg3-vhw7 Medium
nova 22.2.2 2013.2 python GHSA-j6xh-q826-55jw Medium
nova 22.2.2 2014.1.3 python GHSA-92hc-c226-32q7 Medium
nova 22.2.2 24.1.2 python GHSA-7h75-hwxx-qpgc Medium
nova 22.2.2 2014.2.4 python GHSA-67rh-9p29-vrxr Medium
nova 22.2.2 2013.1.3 python GHSA-5mj6-643f-2g85 Medium
nova 22.2.2 2014.1.4 python GHSA-43hc-pwvx-pmfg Medium
nova 22.2.2 23.2.2 python GHSA-v725-c588-h936 Low
Environment:
Output of grype version:
$ grype --version
grype 0.78.0
OS (e.g: cat /etc/os-release or similar):
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
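To make the version-comparison point of this report concrete, here is an added triage script (example code written for this page; it is neither grype's code nor the reporter's). It reimplements a minimal PEP 440-style comparison to show why a fixed-in version such as 2013.2.4 sorts above nova 22.2.2 in a plain numeric comparison, and why 22.2.2.dev15 sorts below 22.2.2. It then walks the grype table quoted above and marks every match whose fixed-in version uses OpenStack's retired date-based scheme while the installed version uses the new numbering. The parser, the rule "leading component >= 2000 is a year, not a release counter", and the verdict labels are this example's own assumptions, not grype behaviour.

```python
import re

# Rows copied from the grype output quoted in this issue
# (columns: NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY).
GRYPE_ROWS = """\
nova 22.2.2 2013.2.4 python GHSA-xjmj-p278-4jp5 Medium
nova 22.2.2 2014.1.4 python GHSA-x8xr-rm9r-7mvf Medium
nova 22.2.2 22.2.3 python GHSA-vqp6-j452-j6wp Medium
nova 22.2.2 2014.2.4 python GHSA-mfmj-gwg3-vhw7 Medium
nova 22.2.2 2013.2 python GHSA-j6xh-q826-55jw Medium
nova 22.2.2 2014.1.3 python GHSA-92hc-c226-32q7 Medium
nova 22.2.2 24.1.2 python GHSA-7h75-hwxx-qpgc Medium
nova 22.2.2 2014.2.4 python GHSA-67rh-9p29-vrxr Medium
nova 22.2.2 2013.1.3 python GHSA-5mj6-643f-2g85 Medium
nova 22.2.2 2014.1.4 python GHSA-43hc-pwvx-pmfg Medium
nova 22.2.2 23.2.2 python GHSA-v725-c588-h936 Low
"""

# Minimal subset of PEP 440: dotted release segment plus an optional .devN suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\.dev(\d+))?$")


def parse_version(text):
    """Sort key for a simple PEP 440 version: (release tuple, final flag, dev number).

    The release tuple is zero-padded to three parts so 2013.2 == 2013.2.0, and a
    .devN suffix sorts before the final release of the same number, as PEP 440 says.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(part) for part in match.group(1).split("."))
    release = release + (0,) * max(0, 3 - len(release))
    dev = match.group(2)
    if dev is None:
        return (release, 1, 0)      # final release
    return (release, 0, int(dev))   # dev pre-release sorts below the final


def naive_is_affected(installed, fixed_in):
    """Plain 'installed < fixed-in' test: how a match looks when the version
    strings are treated as one monotonic sequence across the scheme change."""
    return parse_version(installed) < parse_version(fixed_in)


def is_legacy_series(version):
    """True for OpenStack's retired date-based scheme (2013.x ... 2015.x).

    Assumption made by this example: a leading component >= 2000 is a year.
    """
    return parse_version(version)[0][0] >= 2000


def triage(rows):
    """Classify every row of a grype text table.

    'likely-false-positive' marks a match whose fixed-in version predates the
    scheme change while the installed version uses the new numbering: the
    numeric comparison is then comparing a year against a release counter.
    Everything else that compares as affected stays 'matched' for review.
    """
    verdicts = []
    for line in rows.splitlines():
        if not line.strip():
            continue
        _name, installed, fixed_in, _type, vuln_id, _severity = line.split()
        if not naive_is_affected(installed, fixed_in):
            verdict = "not-affected"
        elif is_legacy_series(fixed_in) and not is_legacy_series(installed):
            verdict = "likely-false-positive"
        else:
            verdict = "matched"
        verdicts.append((vuln_id, fixed_in, verdict))
    return verdicts


if __name__ == "__main__":
    for vuln_id, fixed_in, verdict in triage(GRYPE_ROWS):
        print(f"{vuln_id:<22} fixed-in {fixed_in:<10} {verdict}")
    print("22.2.2.dev15 < 22.2.2:", naive_is_affected("22.2.2.dev15", "22.2.2"))
```

Run on the table above, eight of the eleven rows (all those with a 2013.x or 2014.x fixed-in) come out as likely false positives; the three whose fixed-in versions use the new scheme (22.2.3, 23.2.2, 24.1.2) still compare as affected and have to be checked against the advisories themselves. The heuristic only separates the two classes for review; it does not prove that any advisory is inapplicable, so a fixed-version list should be corrected at the data source rather than silenced locally.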