
False positive: GHSA-fj7f-vq84-fh43 (CVE-2021-43809) ruby2.5-rubygem-bundler in SLES 15 SP6 and SP5 Ecosystem #2588

Open
sekveaja opened this issue Apr 9, 2025 · 0 comments

sekveaja commented Apr 9, 2025

What happened:

Scanning an image that has ruby2.5-rubygem-bundler-1.16.1-150000.3.6.1.noarch installed generates this vulnerability:

```
$ grype --distro sles:15.6 <custom_image> | grep bundler

NAME     INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
bundler  1.16.1     2.0.0     gem   GHSA-jvgm-pfqv-887x  Critical
bundler  1.16.1     2.2.10    gem   GHSA-fp4w-jxhp-m23p  High
bundler  1.16.1     2.1.0     gem   GHSA-g98m-96g9-wfjq  High
bundler  1.16.1     2.2.33    gem   GHSA-fj7f-vq84-fh43  Medium    --> CVE-2021-43809
```

What you expected to happen:

According to the SUSE advisory for CVE-2021-43809, the patch for this CVE is applied from version ruby2.5-rubygem-bundler >= 1.16.1-150000.3.6.1.

See this link: https://www.suse.com/security/cve/CVE-2021-43809.html

```
SUSE Linux Enterprise Server 15 SP5
SUSE Linux Enterprise Server 15 SP6
ruby2.5-rubygem-bundler >= 1.16.1-150000.3.6.1
```

Installed version in the container: ruby2.5-rubygem-bundler-1.16.1-150000.3.6.1.x86_64

Conclusion: the SUSE advisory shows the fix is in version ruby2.5-rubygem-bundler >= 1.16.1-150000.3.6.1.
The custom container is using ruby2.5-rubygem-bundler-1.16.1-150000.3.6.1.x86_64.
The minimum requirement for SLES 15 SP6 is already met, so it is a false positive.

How to reproduce it (as minimally and precisely as possible):

  1. Create a Dockerfile with this content:

```Dockerfile
FROM registry.suse.com/suse/sle15:15.6

RUN zypper in -y --no-recommends ruby2.5-rubygem-bundler=1.16.1-150000.3.6.1

ENTRYPOINT [""]
CMD ["bash"]
```

  2. Build an image from the Dockerfile:

```
$ docker build --network=host -t "suse15.6_ruby2.5-rubygem-bundler:v1" .
```

  3. Verify the package in the container:

```
$ docker run -it suse15.6_ruby2.5-rubygem-bundler:v1 bash

rpm -qa | grep bundler

ruby2.5-rubygem-bundler-1.16.1-150000.3.6.1.x86_64
```

  4. Run Syft:

```
$ syft suse15.6_ruby2.5-rubygem-bundler:v1 | grep bundler

bundler                  1.16.1               gem
ruby2.5-rubygem-bundler  1.16.1-150000.3.6.1  rpm
```

  5. Test with Grype:

```
$ grype --distro sles:15.6 suse15.6_ruby2.5-rubygem-bundler:v1 | grep bundler

bundler  1.16.1  2.0.0   gem  GHSA-jvgm-pfqv-887x  Critical
bundler  1.16.1  2.2.10  gem  GHSA-fp4w-jxhp-m23p  High
bundler  1.16.1  2.1.0   gem  GHSA-g98m-96g9-wfjq  High
bundler  1.16.1  2.2.33  gem  GHSA-fj7f-vq84-fh43  Medium    (problem reproduced)
```

Environment:

```
$ grype --version
grype 0.90.0
```

In the container image ecosystem:

```
NAME="SLES"
VERSION="15-SP6"
VERSION_ID="15.6"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP6"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp6"
DOCUMENTATION_URL="https://documentation.suse.com/"
```

sekveaja added the label "bug" (Something isn't working) on Apr 9, 2025.
sekveaja changed the title from "False positive: GHSA-fj7f-vq84-fh43 (CVE-2021-43809) python3-dnspython in SLES 15 SP6 and SP5 Ecosystem" to "False positive: GHSA-fj7f-vq84-fh43 (CVE-2021-43809) ruby2.5-rubygem-bundler in SLES 15 SP6 and SP5 Ecosystem" on Apr 9, 2025.
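The report above boils down to one check: Syft catalogs the same bundler twice (once as the `gem` it finds on disk, once as the `rpm` that owns it), and Grype matches the gem entry against upstream GHSA fix versions (2.2.33) rather than the SUSE backport that the RPM's release string (150000.3.6.1) carries. The script below is an added triage helper, not code from grype, syft, SUSE or the reporter. It compares the installed RPM's EVR against the advisory fix EVR using rpm's label-comparison rules, then marks a gem-level match as covered when an RPM owning that gem is at or above the fix level. Everything in it is assumed or constructed: the `SUSE_FIXED` mapping is typed in from the advisory line quoted in the report, the `SBOM` and `MATCHES` lists mirror the syft and grype output shown above, and the `<ruby>-rubygem-<gem>` naming heuristic in `owning_rpm` is an assumption about SUSE packaging rather than anything Syft exposes. Only the one match with a CVE alias on the page can be resolved; the other three GHSA IDs stay unresolved because the report gives no fix data for them.

```python
"""Added triage helper (not part of grype, syft or this issue): decide whether a
gem-level match is already covered by the distro backport carried in the RPM that
owns the gem, using rpm's version/release label comparison."""
import re

# Constructed from the advisory line quoted in the report; not fetched from SUSE.
SUSE_FIXED = {
    "CVE-2021-43809": {"ruby2.5-rubygem-bundler": "1.16.1-150000.3.6.1"},
}

# Constructed SBOM entries mirroring the syft output in the report.
SBOM = [
    {"name": "bundler", "version": "1.16.1", "type": "gem"},
    {"name": "ruby2.5-rubygem-bundler", "version": "1.16.1-150000.3.6.1", "type": "rpm"},
]

# Constructed grype matches mirroring the report; only the last one has a CVE alias on the page.
MATCHES = [
    {"name": "bundler", "version": "1.16.1", "type": "gem", "id": "GHSA-jvgm-pfqv-887x", "cve": None},
    {"name": "bundler", "version": "1.16.1", "type": "gem", "id": "GHSA-fp4w-jxhp-m23p", "cve": None},
    {"name": "bundler", "version": "1.16.1", "type": "gem", "id": "GHSA-g98m-96g9-wfjq", "cve": None},
    {"name": "bundler", "version": "1.16.1", "type": "gem", "id": "GHSA-fj7f-vq84-fh43", "cve": "CVE-2021-43809"},
]

_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """rpm's label comparison for a version or release string: segments are
    compared pairwise, numeric beats alpha, and '~' sorts lower than anything
    (even end of string). The rarer '^' operator is not handled. Returns -1/0/1."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    while sa or sb:
        ta = sa[0] if sa else None
        tb = sb[0] if sb else None
        if ta == "~" or tb == "~":
            if ta != "~":
                return 1
            if tb != "~":
                return -1
            sa.pop(0)
            sb.pop(0)
            continue
        if ta is None:
            return -1
        if tb is None:
            return 1
        sa.pop(0)
        sb.pop(0)
        if ta.isdigit() and tb.isdigit():
            ia, ib = int(ta), int(tb)
            if ia != ib:
                return -1 if ia < ib else 1
        elif ta.isdigit() != tb.isdigit():
            return 1 if ta.isdigit() else -1
        elif ta != tb:
            return -1 if ta < tb else 1
    return 0


def parse_evr(evr: str):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def owning_rpm(match, sbom):
    """Assumption: a gem 'X' is owned by the RPM named '<ruby>-rubygem-X'."""
    for pkg in sbom:
        if pkg["type"] == "rpm" and pkg["name"].endswith("-rubygem-" + match["name"]):
            return pkg
    return None


def covered_by_backport(match, sbom, advisories):
    """Return 'name-version' of the RPM whose installed EVR meets the advisory fix
    for this match's CVE, else None (no CVE alias, no owning RPM, or RPM too old)."""
    if match["type"] != "gem" or not match.get("cve"):
        return None
    rpm = owning_rpm(match, sbom)
    fixed = advisories.get(match["cve"], {}).get(rpm["name"]) if rpm else None
    if fixed and evr_cmp(rpm["version"], fixed) >= 0:
        return f"{rpm['name']}-{rpm['version']}"
    return None


def triage(matches, sbom, advisories):
    """Map each match id to the covering RPM, or None when it cannot be resolved."""
    return {m["id"]: covered_by_backport(m, sbom, advisories) for m in matches}


if __name__ == "__main__":
    for vid, rpm in triage(MATCHES, SBOM, SUSE_FIXED).items():
        print(vid, "covered by " + rpm if rpm else "unresolved (no distro fix data on hand)")
```

Run against the constructed data, GHSA-fj7f-vq84-fh43 resolves to ruby2.5-rubygem-bundler-1.16.1-150000.3.6.1 because the release 150000.3.6.1 compares equal to the advisory's fix, while the three matches without a CVE alias stay unresolved. Swapping the RPM version for an older release such as 1.16.1-150000.3.3.1 flips the result to None, which is the check a practitioner should apply before suppressing a gem-level match as a duplicate of a distro-patched RPM.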