Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

False Positive: GHSA-jvgm-pfqv-887x CVE-2016-7954 not affected in SUSE ecosystem #1849

Open
sekveaja opened this issue May 8, 2024 · 0 comments
Open

False Positive: GHSA-jvgm-pfqv-887x CVE-2016-7954 not affected in SUSE ecosystem #1849

sekveaja opened this issue May 8, 2024 · 0 comments
Labels
bug Something isn't working false-positive

Comments

@sekveaja
Copy link

sekveaja commented May 8, 2024

Scan on image that has ruby2.5-rubygem-bundler-1.16.1-3.3.1.x86_64 installed.
It generates critical vulnerability

"vulnerability": {
"id": "GHSA-jvgm-pfqv-887x",
"dataSource": "GHSA-jvgm-pfqv-887x",
"namespace": "github:language:ruby",
"severity": "Critical",
"urls": [
"https://github.com/advisories/GHSA-jvgm-pfqv-887x"
],
:
:
"relatedVulnerabilities": [
{
"id": "CVE-2016-7954",
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-7954",
"namespace": "nvd:cpe",
"severity": "Critical",
"urls": [

"artifact": {
"id": "e636f1dfae2e620b",
"name": "bundler",
"version": "1.16.1",
"type": "gem",
"locations": [
{
"path": "/usr/lib64/ruby/gems/2.5.0/specifications/bundler-1.16.1.gemspec",
"layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
}
],
"language": "ruby",

What you expected to happen:

According to SUSE Advisory CVE-2016-7954 is not affected on SLES 15.5

https://www.suse.com/security/cve/CVE-2016-7954.html

SUSE Linux Enterprise Server 15 SP5 rubygem-bundler Not affected
SUSE Linux Enterprise Server 15 SP6 rubygem-bundler Not affected

How to reproduce it (as minimally and precisely as possible):

  1. Create Dockerfile with this information

FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends ruby2.5-rubygem-bundler=1.16.1-3.3.1
ENTRYPOINT [""]
CMD ["bash"]

  1. Build the image and test

docker build -t "suse15.5_test:v1" ./Dockerfile
grype suse15.5_test:v1

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
bundler 1.16.1 2.0.0 gem GHSA-jvgm-pfqv-887x Critical <== Critical Vulnerability generated
bundler 1.16.1 2.1.0 gem GHSA-g98m-96g9-wfjq High
bundler 1.16.1 2.2.10 gem GHSA-fp4w-jxhp-m23p High
bundler 1.16.1 2.2.33 gem GHSA-fj7f-vq84-fh43 Medium
date 1.0.0 2.0.1 gem GHSA-qg54-694p-wgpp High

Adding distribution
$ grype --distro sles:15.5 suse15.5_test:v1
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
bundler 1.16.1 2.0.0 gem GHSA-jvgm-pfqv-887x Critical <===== No change
bundler 1.16.1 2.1.0 gem GHSA-g98m-96g9-wfjq High
bundler 1.16.1 2.2.10 gem GHSA-fp4w-jxhp-m23p High

Anything else we need to know?:

Environment:

  • Output of grype version: grype 0.76.0

  • OS (e.g: cat /etc/os-release or similar):
    $ cat /etc/release
    NAME="SLES"
    VERSION="15-SP5"
    VERSION_ID="15.5"
    PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
    ID="sles"
    ID_LIKE="suse"
    ANSI_COLOR="0;32"
    CPE_NAME="cpe:/o:suse:sles:15:sp5"
    DOCUMENTATION_URL="https://documentation.suse.com/"
@sekveaja sekveaja added the bug Something isn't working label May 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working false-positive
Projects
OSS
Status: No status
Milestone
No milestone
Development

No branches or pull requests
2 participants
@willmurphyscode @sekveaja