
Confusion between python3-Werkzeug and python311-Werkzeug GHSA-q34m-jh98-gwm2 (CVE-2024-49767) SUSE 15 SP6 and SP5 #2560

Open
sekveaja opened this issue Mar 24, 2025 · 1 comment
sekveaja commented Mar 24, 2025

What happened:

A scan of an image that has python3-Werkzeug-1.0.1-150300.3.8.1.noarch and python311-Werkzeug-2.3.6-150400.6.12.1 installed generates the following vulnerabilities:

```text
NAME                INSTALLED              FIXED-IN      TYPE       VULNERABILITY        SEVERITY
werkzeug            1.0.1                  3.0.3         python     GHSA-2g68-c3qc-8985  High
werkzeug            1.0.1                  2.2.3         python     GHSA-xg9f-g7g7-2323  High
werkzeug            1.0.1                  3.0.6         python     GHSA-f9vj-2wh5-fj8j  Medium
werkzeug            1.0.1                  2.3.8         python     GHSA-hrfv-mqp8-q5rw  Medium
werkzeug            1.0.1                  3.0.6         python     GHSA-q34m-jh98-gwm2  Medium
werkzeug            1.0.1                  2.2.3         python     GHSA-px8h-6qxv-m22q  Low
werkzeug            2.3.6                  3.0.3         python     GHSA-2g68-c3qc-8985  High
werkzeug            2.3.6                  3.0.6         python     GHSA-f9vj-2wh5-fj8j  Medium
werkzeug            2.3.6                  2.3.8         python     GHSA-hrfv-mqp8-q5rw  Medium
werkzeug            2.3.6                  3.0.6         python     GHSA-q34m-jh98-gwm2  Medium  --> CVE-2024-49767
```

What you expected to happen:

According to the SUSE advisory for CVE-2024-49767, the patch for this CVE is applied from version python311-Werkzeug >= 2.3.6-150400.6.12.1.

See this link: https://www.suse.com/security/cve/CVE-2024-49767.html

SUSE Linux Enterprise Server 15 SP5
python311-Werkzeug >= 2.3.6-150400.6.12.1

SUSE Linux Enterprise Server 15 SP6
python311-Werkzeug >= 2.3.6-150400.6.12.1

When looking into the log file, the artifact points to this PKG-INFO file:

```json
            "artifact": {
                "id": "023d4d1f5df10c48",
                "name": "werkzeug",
                "version": "1.0.1",
                "type": "python",
                "locations": [
                    {
                        "path": "/usr/lib/python3.6/site-packages/Werkzeug-1.0.1-py3.6.egg-info/PKG-INFO",
```

And when looking at the rpm associated with the above PKG-INFO, it is from python3-Werkzeug-1.0.1-150300.3.8.1.noarch.
CVE-2024-49767 is not related to python3-Werkzeug-1.0.1-150300.3.8.1.noarch.

The CVE is related to python311-Werkzeug.
python3-Werkzeug and python311-Werkzeug are two different packages.

Please take a look at why Grype confuses the two packages.

There is also a false positive: if the tool compared against the right package, the installed python311-Werkzeug-2.3.6-150400.6.12.1
would meet the minimum requirement from the SUSE OS vendor.

How to reproduce it (as minimally and precisely as possible):

1. Create the Dockerfile with this content:

```dockerfile
FROM registry.suse.com/suse/sle15:15.6
RUN   zypper in -y --no-recommends python3-Werkzeug=1.0.1-150300.3.8.1
RUN   zypper in -y --no-recommends python311-Werkzeug=2.3.6-150400.6.12.1

ENTRYPOINT [""]
CMD ["bash"]
```

2. Build an image from the Dockerfile:

```shell
$ docker build --network=host -t "suse15.6_python-werkzeug:v1" .
```

3. Test with Grype now:

```text
$ grype --distro sles:15.6 suse15.6_python-werkzeug:v1

NAME                INSTALLED              FIXED-IN                 TYPE       VULNERABILITY        SEVERITY
werkzeug           1.0.1                  3.0.3                         python     GHSA-2g68-c3qc-8985  High
werkzeug           1.0.1                  2.2.3                         python     GHSA-xg9f-g7g7-2323  High
werkzeug           1.0.1                  3.0.6                         python     GHSA-f9vj-2wh5-fj8j  Medium
werkzeug           1.0.1                  2.3.8                         python     GHSA-hrfv-mqp8-q5rw  Medium
werkzeug           1.0.1                  3.0.6                         python     GHSA-q34m-jh98-gwm2  Medium
werkzeug           1.0.1                  2.2.3                         python     GHSA-px8h-6qxv-m22q  Low
werkzeug           2.3.6                  3.0.3                         python     GHSA-2g68-c3qc-8985  High
werkzeug           2.3.6                  3.0.6                         python     GHSA-f9vj-2wh5-fj8j  Medium
werkzeug           2.3.6                  2.3.8                         python     GHSA-hrfv-mqp8-q5rw  Medium
werkzeug           2.3.6                  3.0.6                         python     GHSA-q34m-jh98-gwm2  Medium    (problem reproduced)
```

Environment:

```text
$ grype --version
grype 0.88.0
```

In the container image ecosystem:

```text
NAME="SLES"
VERSION="15-SP6"
VERSION_ID="15.6"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP6"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp6"
DOCUMENTATION_URL="https://documentation.suse.com/"
```

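The check the reporter expects from the scanner, as an added example that is not Grype's own code: compare the installed rpm's version-release against the SUSE advisory's fixed version using rpm-style segment comparison, and treat a package with no advisory entry as outside the advisory's scope. The SUSE_FIXED table is transcribed from the advisory lines quoted above; the rpmvercmp here is a simplification (no tilde/caret ordering).

```python
import re

# Fixed versions transcribed from the SUSE advisory quoted above (CVE-2024-49767);
# a package missing from the table has no advisory entry for this CVE.
SUSE_FIXED = {
    "sles:15.5": {"python311-Werkzeug": "2.3.6-150400.6.12.1"},
    "sles:15.6": {"python311-Werkzeug": "2.3.6-150400.6.12.1"},
}
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: numeric segments compare as integers, alpha segments
    lexically, numeric beats alpha, more segments wins; no tilde/caret handling."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # rpm: a numeric segment is newer than an alpha one
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def compare_evr(a: str, b: str) -> int:
    """Compare 'version-release' strings the way rpm does: version first, then release."""
    av, ar = a.split("-", 1)
    bv, br = b.split("-", 1)
    return rpmvercmp(av, bv) or rpmvercmp(ar, br)

def split_nevra(nevra: str):
    """'python3-Werkzeug-1.0.1-150300.3.8.1.noarch' -> ('python3-Werkzeug', '1.0.1-150300.3.8.1')."""
    if nevra.endswith((".noarch", ".x86_64", ".aarch64")):
        nevra = nevra.rsplit(".", 1)[0]
    name, version, release = nevra.rsplit("-", 2)
    return name, f"{version}-{release}"

def assess(distro: str, nevra: str) -> str:
    """'fixed', 'vulnerable' or 'no-advisory-entry' for one installed rpm against SUSE_FIXED."""
    name, vr = split_nevra(nevra)
    fixed = SUSE_FIXED.get(distro, {}).get(name)
    if fixed is None:
        return "no-advisory-entry"
    return "fixed" if compare_evr(vr, fixed) >= 0 else "vulnerable"

if __name__ == "__main__":
    for pkg in ("python3-Werkzeug-1.0.1-150300.3.8.1.noarch", "python311-Werkzeug-2.3.6-150400.6.12.1"):
        print(pkg, "->", assess("sles:15.6", pkg))
```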
sekveaja added the label "bug" (Something isn't working) on Mar 24, 2025

wagoodman (Contributor) commented:
Today we have a file ownership overlap relationship for these packages:

```jsonc
{
  "parent": "6e5da2281a938478",  // rpm package
  "child": "9a8ab32564e1d78d",   // python package
  "type": "ownership-by-file-overlap",
  "metadata": {
    "files": [
      "/usr/lib/python3.11/site-packages/Werkzeug-2.3.6.dist-info/METADATA",
      "/usr/lib/python3.11/site-packages/Werkzeug-2.3.6.dist-info/RECORD",
      "/usr/lib/python3.11/site-packages/Werkzeug-2.3.6.dist-info/top_level.txt"
    ]
  }
}
```

which we use downstream when deciding to search for vulnerabilities for a package or not. Ultimately we want to update this list to include suse once anchore/vunnel#626 is implemented. Since today we only have partial vulnerability information, it would not be safe to stop searching for non-distro packages since we know it would result in false negatives.

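How the ownership-by-file-overlap relationship feeds the "search or not" decision, as an added illustration rather than Grype's own matching code: a python package with an rpm owner is skipped only when that rpm's distro is on an allow-list of feeds considered complete; with SUSE absent from the list, the 2.3.6 python package is still matched against the upstream GHSA data, which is what produces the report in the issue. The artifact ids are those quoted in the issue except the placeholder rpm id for the 1.0.1 package, and the allow-list contents are an assumption.

```python
# Constructed from the SBOM fragments quoted in this issue. The rpm that owns the
# 1.0.1 python package is not shown in the issue, so its id is a labelled placeholder.
ARTIFACTS = [
    {"id": "6e5da2281a938478", "name": "python311-Werkzeug", "version": "2.3.6-150400.6.12.1", "type": "rpm"},
    {"id": "9a8ab32564e1d78d", "name": "werkzeug", "version": "2.3.6", "type": "python"},
    {"id": "RPM-ID-PLACEHOLDER", "name": "python3-Werkzeug", "version": "1.0.1-150300.3.8.1", "type": "rpm"},
    {"id": "023d4d1f5df10c48", "name": "werkzeug", "version": "1.0.1", "type": "python"},
]
RELATIONSHIPS = [
    {"parent": "6e5da2281a938478", "child": "9a8ab32564e1d78d", "type": "ownership-by-file-overlap"},
    {"parent": "RPM-ID-PLACEHOLDER", "child": "023d4d1f5df10c48", "type": "ownership-by-file-overlap"},
]
# Assumption: distros whose advisory feed is complete enough that an rpm-owned python
# package need not also be matched against upstream GHSA/PyPI data. SUSE is left out
# on purpose, mirroring the comment above (partial data -> keep searching).
COMPLETE_DISTRO_FEEDS = {"rhel", "debian", "ubuntu"}


def owning_rpm(child_id, artifacts, relationships):
    """Return the rpm artifact that owns child_id via file overlap, or None."""
    by_id = {a["id"]: a for a in artifacts}
    for rel in relationships:
        if rel["type"] == "ownership-by-file-overlap" and rel["child"] == child_id:
            parent = by_id.get(rel["parent"])
            if parent is not None and parent["type"] == "rpm":
                return parent
    return None


def match_plan(distro, artifacts=ARTIFACTS, relationships=RELATIONSHIPS):
    """Decide per artifact which data the matcher consults: 'distro-feed' for rpms,
    'skip' for python packages whose owning rpm belongs to a distro with a complete
    feed, otherwise 'upstream-feed' (today's behaviour for SUSE images)."""
    plan = {}
    for art in artifacts:
        if art["type"] == "rpm":
            plan[art["id"]] = "distro-feed"
            continue
        owner = owning_rpm(art["id"], artifacts, relationships)
        if owner is not None and distro in COMPLETE_DISTRO_FEEDS:
            plan[art["id"]] = "skip"  # the owning rpm's advisory data is authoritative
        else:
            plan[art["id"]] = "upstream-feed"
    return plan
```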