What happened:
Scanning an image that has ruby2.5-rubygem-bundler-1.16.1-3.3.1.x86_64 installed generates a High vulnerability:
```json
"vulnerability": {
  "id": "GHSA-g98m-96g9-wfjq",
  "dataSource": "GHSA-g98m-96g9-wfjq",
  "namespace": "github:language:ruby",
  "severity": "High",
  "urls": [
    "https://github.com/advisories/GHSA-g98m-96g9-wfjq"
  ]
},
"relatedVulnerabilities": [
  {
    "id": "CVE-2019-3881",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-3881",
    "namespace": "nvd:cpe",
    "severity": "High",
    "urls": CVE-2019-3881
  }
],
"artifact": {
  "id": "e636f1dfae2e620b",
  "name": "bundler",
  "version": "1.16.1",
  "type": "gem",
  "locations": [
    {
      "path": "/usr/lib64/ruby/gems/2.5.0/specifications/bundler-1.16.1.gemspec",
      "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
    }
  ]
}
```
What you expected to happen:
The vulnerability points to this path and file:

```json
"path": "/usr/lib64/ruby/gems/2.5.0/specifications/bundler-1.16.1.gemspec",
```

Looking up the package and version, the bundler-1.16.1.gemspec file belongs to:

```shell
$ rpm -qf /usr/lib64/ruby/gems/2.5.0/specifications/bundler-1.16.1.gemspec
==> ruby2.5-rubygem-bundler-1.16.1-3.3.1.x86_64
```

SUSE Advisory
For SUSE Linux Enterprise Server 15 SP5 the fix is in ruby2.5-rubygem-bundler >= 1.16.1-3.3.1, which matches the version installed in the image: ruby2.5-rubygem-bundler-1.16.1-3.3.1.x86_64.

Conclusion: the installed package (ruby2.5-rubygem-bundler-1.16.1-3.3.1.x86_64) meets the SUSE advisory criteria and therefore should not generate a vulnerability. But Grype does not take the OS distributor's patch into account.
How to reproduce it (as minimally and precisely as possible):
Create a Dockerfile with this content:

```dockerfile
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends ruby2.5-rubygem-bundler=1.16.1-3.3.1
ENTRYPOINT [""]
CMD ["bash"]
```

Build the image and test (`docker build` takes a build context directory, so the Dockerfile is passed with `-f`):

```shell
docker build -t "suse15.5_test:v1" -f ./Dockerfile .
grype suse15.5_test:v1
```
```text
NAME     INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
bundler  1.16.1     2.0.0     gem   GHSA-jvgm-pfqv-887x  Critical
bundler  1.16.1     2.1.0     gem   GHSA-g98m-96g9-wfjq  High      <== High Vulnerability
bundler  1.16.1     2.2.10    gem   GHSA-fp4w-jxhp-m23p  High
bundler  1.16.1     2.2.33    gem   GHSA-fj7f-vq84-fh43  Medium
date     1.0.0      2.0.1     gem   GHSA-qg54-694p-wgpp  High
```
Adding the distribution explicitly:

```text
$ grype --distro sles:15.5 suse15.5_test:v1
NAME     INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
bundler  1.16.1     2.0.0     gem   GHSA-jvgm-pfqv-887x  Critical
bundler  1.16.1     2.1.0     gem   GHSA-g98m-96g9-wfjq  High      <===== No change
bundler  1.16.1     2.2.10    gem   GHSA-fp4w-jxhp-m23p  High
```
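The cross-check this report does by hand (run `rpm -qf` on the flagged path, then compare the owning package against the distro's fixed version) as an added Python triage script; this is example code, not part of the issue or of Grype. The grype match, the rpm ownership answer and the advisory table are constructed inline from the values quoted in this issue, and `rpm_vercmp` is a simplified version comparison, not the real rpmvercmp.

```python
import json
import re

# Constructed sample in the shape of the grype JSON match quoted in this issue (trimmed to the fields used).
GRYPE_JSON = json.dumps({"matches": [{
    "vulnerability": {"id": "GHSA-g98m-96g9-wfjq", "namespace": "github:language:ruby"},
    "artifact": {"name": "bundler", "version": "1.16.1", "type": "gem", "locations": [
        {"path": "/usr/lib64/ruby/gems/2.5.0/specifications/bundler-1.16.1.gemspec"}]}}]})

# Constructed stand-in for `rpm -qf <path>`; a real run would shell out to rpm inside the image.
RPM_OWNER = {"/usr/lib64/ruby/gems/2.5.0/specifications/bundler-1.16.1.gemspec":
             "ruby2.5-rubygem-bundler-1.16.1-3.3.1.x86_64"}
# Constructed advisory table: (rpm name, vulnerability id) -> first fixed version-release.
DISTRO_FIXED = {("ruby2.5-rubygem-bundler", "GHSA-g98m-96g9-wfjq"): "1.16.1-3.3.1"}

def split_nvra(nvra):
    """Split 'name-version-release.arch' into (name, 'version-release')."""
    name, ver, rel = nvra.rsplit(".", 1)[0].rsplit("-", 2)  # version/release never contain '-'
    return name, f"{ver}-{rel}"

def rpm_vercmp(a, b):
    """Simplified rpmvercmp over a whole 'version-release' string: returns -1, 0 or 1."""
    sa, sb = (re.findall(r"[0-9]+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # rpm ranks a numeric segment newer than an alpha one
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # more segments wins, as in rpm

def triage(grype_json, rpm_owner, distro_fixed):
    """Mark a match 'distro-fixed' when the RPM owning its file is at or above the distro fix."""
    verdicts = []
    for m in json.loads(grype_json)["matches"]:
        vuln = m["vulnerability"]["id"]
        verdict = {"vuln": vuln, "artifact": m["artifact"]["name"], "status": "open"}
        for loc in m["artifact"]["locations"]:
            owner = rpm_owner.get(loc["path"])
            if not owner:
                continue  # file not owned by any RPM: nothing to credit to the distro
            name, installed = split_nvra(owner)
            fixed = distro_fixed.get((name, vuln))
            if fixed and rpm_vercmp(installed, fixed) >= 0:
                verdict.update(status="distro-fixed", rpm=owner, fixed_in=fixed)
        verdicts.append(verdict)
    return verdicts
```

A match that stays `open` is one the distro table cannot vouch for and still needs a human look; a `distro-fixed` verdict is the evidence to attach when ignoring the finding.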
Anything else we need to know?:
Environment:
Output of grype version: grype 0.76.0
OS (e.g: cat /etc/os-release or similar):

```text
$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
```