What happened:
Scan on image that has python3-dnspython-1.15.0-150000.3.10.2.noarch installed.
It generates this vulnerability:
$ grype --distro sles:15.6 <custom_image> | grep dnspython
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
dnspython 1.15.0 2.6.1 python GHSA-3rq5-2g8h-59hc Medium
What you expected to happen:
According to SUSE Advisory CVE-2023-29483
Patch for this CVE is applied from version python3-dnspython >= 1.15.0-150000.3.10.2
See this link: https://www.suse.com/security/cve/CVE-2023-29483.html
SUSE Linux Enterprise Server 15 SP6
python3-dnspython >= 1.15.0-150000.3.10.2
python311-dnspython >= 2.3.0-150400.12.6.1
The minimum requirement from SLES 15 SP6 is already met, so it is a false positive.
How to reproduce it (as minimally and precisely as possible):
FROM registry.suse.com/suse/sle15:15.6
RUN zypper in -y --no-recommends python3-dnspython=1.15.0-150000.3.10.2
ENTRYPOINT [""]
CMD ["bash"]
$ docker build --network=host -t "suse15.6_python3-dnspython:v1" .
$ docker run -it suse15.6_python3-dnspython:v1 bash
rpm -qa | grep dnspython
python3-dnspython-1.15.0-150000.3.10.2.noarch
$ syft suse15.6_python3-dnspython:v1 | grep dnspython
dnspython 1.15.0 python
python3-dnspython 1.15.0-150000.3.10.2 rpm
$ grype --distro sles:15.6 suse15.6_python3-dnspython:v1 | grep dnspython
dnspython 1.15.0 2.6.1 python GHSA-3rq5-2g8h-59hc Medium (Problem reproduced)
Environment:
$ grype --version
grype 0.90.0
In container image ecosystem:
NAME="SLES"
VERSION="15-SP6"
VERSION_ID="15.6"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP6"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp6"
DOCUMENTATION_URL="https://documentation.suse.com/"
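An added example (not part of the original issue, and not grype's or SUSE's code): a minimal RPM-style version comparison that checks the installed `python3-dnspython` EVR against the SUSE fixed-in version quoted above, and shows why comparing the upstream version `1.15.0` with `2.6.1` still flags the package. The function names are hypothetical, `~`/`^` ordering is not handled, and it assumes the rpm is what ships the `dnspython` Python package.

```python
import re

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings segment by segment, RPM style."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)            # numeric compare, so 10 > 9
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_evr(evr: str):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evr_cmp(a: str, b: str) -> int:
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

# Values copied from the issue: the syft rows and SUSE's fixed-in entry
# for SLES 15 SP6 (python3-dnspython).
SYFT_ROWS = [("dnspython", "1.15.0", "python"),
             ("python3-dnspython", "1.15.0-150000.3.10.2", "rpm")]
SUSE_FIXED = {"python3-dnspython": "1.15.0-150000.3.10.2"}

def triage(rows, fixed):
    """Return {rpm name: True if the installed EVR is >= the distro fixed EVR}."""
    return {name: evr_cmp(ver, fixed[name]) >= 0
            for name, ver, typ in rows if typ == "rpm" and name in fixed}

if __name__ == "__main__":
    print("rpm covered by distro fix:", triage(SYFT_ROWS, SUSE_FIXED))
    # The python-type match only sees the upstream version, which is below 2.6.1.
    print("upstream 1.15.0 vs 2.6.1:", rpmvercmp("1.15.0", "2.6.1"))
```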