False Positive: CVE-2021-3521 reported against rpm-4.14.3-26.el8.x86_64 on Oracle Linux 8 #1362
Comments
Thanks for the report @navzen2000! This is interesting. https://nvd.nist.gov/vuln/detail/CVE-2021-3521 is against RPM itself, before version 4.17.1. Checking the version of RPM in the oracle linux 8 image:
So it seems like the image does indeed have this vulnerability. However, looking at the report, it looks like CVE-2021-3521 from nvd:cpe (Medium) (Summary created using the still-in-development So I think there are basically two things going on here that should be different:
@navzen2000 is that what you meant by "Grype is not reporting CVEs correctly for OS packages"?
@willmurphyscode Please let me know if you think likewise.
@navzen2000 that makes sense. I think what grype is doing here is (1) correctly not reporting CVE-2021-3521 on the evidence of
Yes, that seems likely
@willmurphyscode - addressing #1373 would fix this I believe
I think this may have been addressed by the change that removed CPE matching by default from most ecosystems scanned by grype. Here are the results of doing this scan today:

$ grype -q container-registry.oracle.com/os/oraclelinux:8
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
gnutls 3.6.16-8.el8_9.1 10:3.6.16-8.el8_9.1_fips rpm ELSA-2024-12135 Medium
gnutls 3.6.16-8.el8_9.1 10:3.6.16-4.0.1.el8_fips rpm ELSA-2022-9221 Medium
libgcrypt 1.8.5-7.el8_6 10:1.8.5-7.el8_6_fips rpm ELSA-2022-9564 High
libgcrypt 1.8.5-7.el8_6 10:1.8.5-6.el8_fips rpm ELSA-2022-9263 Medium
openssh 8.0p1-19.el8_8 0:8.0p1-19.el8_9.2 rpm ELSA-2024-0606 Medium
openssh-clients 8.0p1-19.el8_8 0:8.0p1-19.el8_9.2 rpm ELSA-2024-0606 Medium
openssh-server 8.0p1-19.el8_8 0:8.0p1-19.el8_9.2 rpm ELSA-2024-0606 Medium
setuptools 39.2.0 65.5.1 python GHSA-r9hx-vwmv-q579 High

None of these are reported against the Python package rpm 4.14.3. I'm going to close this issue since I believe we no longer find these false positives, but please let us know if we've missed something. Thanks!
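The following is an added example, written for this page; it is not grype's code and not code posted by anyone in this thread. It models the two packages at the centre of the report, the OS package rpm-4.14.3-26.el8 and the Python bindings package "rpm" 4.14.3 that ships with it, and shows why matching every package by CPE against NVD's upstream range for CVE-2021-3521 (fixed in 4.17.1) flags the Python package, while a matcher that uses distro errata for OS packages and applies CPE matching only to ecosystems that opt in does not. Assumptions: the version comparison is a simplified rpmvercmp, the ELSA-2022-0368 fixed release is a labelled placeholder rather than the real value, and the Python package is given the same vendor:product CPE as the OS package.

```python
"""Constructed matcher illustrating the CPE false positive in this issue.
Not grype's code. Versions come from the thread; the distro fixed-in
release is a placeholder."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    version: str      # OS packages carry version-release, e.g. "4.14.3-26.el8"
    ecosystem: str    # "rpm" for OS packages, "python" for dist-info packages
    cpes: tuple       # vendor:product CPE fragments generated for the package


@dataclass(frozen=True)
class UpstreamAdvisory:   # NVD-style record keyed by CPE vendor:product
    vuln_id: str
    cpe_product: str
    fixed_in: str         # first non-vulnerable upstream version


@dataclass(frozen=True)
class DistroAdvisory:     # vendor errata (ELSA) keyed by distro + package name
    vuln_id: str
    distro: str
    package: str
    fixed_in: str         # version-release carrying the backported fix


_SEG = re.compile(r"(\d+|[a-zA-Z]+)")


def rpm_vercmp(a, b):
    """Simplified rpmvercmp: compare alternating numeric/alpha segments.
    Constructed approximation; real rpmvercmp also handles '~' and '^'."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit():          # a numeric segment sorts after an alpha one
            return 1
        if y.isdigit():
            return -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_less_than(installed, fixed):
    """True if installed version-release sorts before the fixed one."""
    iv, _, ir = installed.partition("-")
    fv, _, fr = fixed.partition("-")
    c = rpm_vercmp(iv, fv)
    return c < 0 or (c == 0 and rpm_vercmp(ir, fr) < 0)


def cpe_match(packages, upstream):
    """CPE matching applied to every package regardless of ecosystem.
    Backported distro fixes are invisible here, and the Python bindings
    package matches the RPM tool's CPE purely by name."""
    hits = set()
    for p in packages:
        for a in upstream:
            if a.cpe_product in p.cpes and evr_less_than(p.version, a.fixed_in):
                hits.add((p.name, p.ecosystem, a.vuln_id))
    return sorted(hits)


def scoped_match(packages, distro, distro_advisories, upstream,
                 cpe_ecosystems=frozenset()):
    """OS packages are matched against distro errata (release-aware);
    CPE matching is used only for ecosystems listed in cpe_ecosystems."""
    hits = set()
    for p in packages:
        if p.ecosystem == "rpm":
            for a in distro_advisories:
                if (a.distro == distro and a.package == p.name
                        and evr_less_than(p.version, a.fixed_in)):
                    hits.add((p.name, p.ecosystem, a.vuln_id))
        elif p.ecosystem in cpe_ecosystems:
            hits.update(cpe_match([p], upstream))
    return sorted(hits)


# Constructed inventory of the Oracle Linux 8 image from the thread.
IMAGE_PACKAGES = (
    Package("rpm", "4.14.3-26.el8", "rpm", ("rpm:rpm",)),
    Package("rpm", "4.14.3", "python", ("rpm:rpm",)),   # Python bindings
)
UPSTREAM = (UpstreamAdvisory("CVE-2021-3521", "rpm:rpm", "4.17.1"),)
# PLACEHOLDER release: the real ELSA-2022-0368 fixed-in value is not on this page.
DISTRO = (DistroAdvisory("ELSA-2022-0368", "ol8", "rpm", "4.14.3-23.el8"),)

if __name__ == "__main__":
    print("cpe-only  :", cpe_match(IMAGE_PACKAGES, UPSTREAM))
    print("scoped    :", scoped_match(IMAGE_PACKAGES, "ol8", DISTRO, UPSTREAM))
    print("cpe opt-in:", scoped_match(IMAGE_PACKAGES, "ol8", DISTRO, UPSTREAM,
                                      cpe_ecosystems={"python"}))
```

Running it shows the CPE-only matcher flagging CVE-2021-3521 on both the OS package and the Python package, the scoped matcher reporting nothing for this image, and the same false positive returning as soon as CPE matching is opted back in for the python ecosystem. An older image whose rpm release sorts before the errata's fixed-in release is still reported by the scoped matcher, so the change narrows matching without silencing it.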
What happened:
Grype reported a false positive against rpm-4.14.3-26.el8.x86_64 on Oracle Linux 8
rpm 4.14.3 python CVE-2021-20266 Medium
rpm 4.14.3 python CVE-2021-3421 Medium
rpm 4.14.3 python CVE-2021-3521 Medium
rpm 4.14.3 python CVE-2021-35937 Medium
rpm 4.14.3 python CVE-2021-35938 Medium
rpm 4.14.3 python CVE-2021-35939 Medium
What you expected to happen:
https://linux.oracle.com/errata/ELSA-2022-0368.html
How to reproduce it (as minimally and precisely as possible):
grype container-registry.oracle.com/os/oraclelinux:8
Anything else we need to know?:
Grype is not reporting CVEs correctly for OS packages
Environment:
Output of grype version:
Application: grype
Version: 0.63.0
Syft Version: v0.84.0
BuildDate: 2023-06-21T16:11:07Z
GitCommit: ca79c2a
GitDescription: v0.63.0
Platform: linux/amd64
GoVersion: go1.19.10
Compiler: gc
Supported DB Schema: 5
OS (e.g: cat /etc/os-release or similar):
NAME="Oracle Linux Server"
VERSION="7.6"
ID="ol"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.6"
PRETTY_NAME="Oracle Linux Server 7.6"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:oracle:linux:7:6:server"
HOME_URL="https://linux.oracle.com/"
BUG_REPORT_URL="https://bugzilla.oracle.com/"
ORACLE_BUGZILLA_PRODUCT="Oracle Linux 7"
ORACLE_BUGZILLA_PRODUCT_VERSION=7.6
ORACLE_SUPPORT_PRODUCT="Oracle Linux"
ORACLE_SUPPORT_PRODUCT_VERSION=7.6