New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
False Positive: Openssl CVE-2022-2068, CVE-2022-1292, CVE-2021-3711 in SUSE Enterprise 15 SP5 #1729
Comments
Hi @sekveaja, Thanks for the report? It sounds like there is some subtlety to producing this artifact correctly to exhibit the false positive you reported. It sounds like, basically, I should start with a SUSE-based docker image, download an RPM containing openssl, and then unpack the RPM manually without using a normal installation process, and then scan that resulting image? |
Hi @willmurphyscode, In fact, if you a SUSE container that has openssl inside, it is sufficient to reproduce.
|
Hi @sekveaja, thanks for the details. If you unpack the RPM with rpm2cpio and "install" the binaries manually, Syft indeed won't know they're attached to an RPM. But if you install the RPM with the package manager, Syft should be able to use the information the RPM database to de-duplicate the binary matches. So we need to know what files are owned by that openssl RPM, and we also need to know the specific paths of the results that are found using the "binary" cataloger. How are you normally installing this RPM? Since you can't share the container, can you share the SBOM in JSON format? That would help us narrow down the problem. Thank you! |
Hi @tgerla, It is good to know that Syft can track file that is belonged to a specific rpm based on the RPM database. To answer to your question:: How are you normally installing this RPM? Does zypper is supported by Syft? |
What happened:
Run grype on container that has openssl file, the tool report many CVE on it.
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
openssl 1.1.1 binary CVE-2022-2068 Critical
openssl 1.1.1 binary CVE-2022-1292 Critical
openssl 1.1.1 binary CVE-2021-3711 Critical
openssl 1.1.1 binary CVE-2023-4807 High
What you expected to happen:
According to SUSE Advisory, those critical CVE are fixed from release
libopenssl1_1 >= 1.1.1l-150500.15.4
openssl-1_1 >= 1.1.1l-150500.15.4
See https://www.suse.com/security/cve/CVE-2022-2068.html
The container has openssl-1_1-1.1.1l-150500.15.4 rpm installed.
In the normal and wanted behavior, the tool should not report those CVE as condition is met from SUSE Advisory criteria.
We test with grype 0.74.6 with --distro sles:15.5 argument.
It seems that RPMs once it contents is installed and extracted in the container, syft output that feed Grype has no way to tell file A, file B, file C,.... is coming from a patch, hence, Grype generate output with false output, as it has no reference or context.
How to reproduce it (as minimally and precisely as possible):
This is just a way to reproduce the issue from the command line by extracting the contents from the RPM.
*** Some nuance need to follow, in a container when a RPM packaged is installed, if you go in the container, you are able to validate with the rpm command (cli) file A, file B,... belong to which package and patch.
Below example, it just to extract the rpm contents with cpio cli , thus, not installing the rpm.
It can't run rpm command to verify file A, file B,.. belonging package.
However, the false positive seen on the container has the same result here as the extract contents RPM content.
I hope that will provide you some hint to work on it.
The example openssl-1_1-1.1l-150500.17.9.1 is even more recent and still show the same issue.
Get this file and unzip
openssl-1_1-1.1.1l-150500.17.9.1.x86_64.rpm.zip
mkdir openssl, cd openssl
Extract openssl-1_1-1.1.1l-150500.17.9.1.x86_64.rpm
rpm2cpio openssl-1_1-1.1.1l-150500.17.9.1.x86_64.rpm | cpio -idvm
cd ..
grype --distro sles:15.5 ./openssl
Anything else we need to know?:
Environment:
grype version
: 0.74.6cat /etc/os-release
or similar): SLES 15 SP 5The text was updated successfully, but these errors were encountered: