False Positive: GHSA-g98m-96g9-wfjq CVE-2019-3881 ruby2.5-rubygem-bundler in SUSE ecosystem #1850

Open
sekveaja opened this issue May 8, 2024 · 0 comments
Labels
bug Something isn't working false-positive

Comments

@sekveaja

sekveaja commented May 8, 2024

What happened:
Scanning an image that has ruby2.5-rubygem-bundler-1.16.1-3.3.1.x86_64 installed.
It generates a high vulnerability:
"vulnerability": {
"id": "GHSA-g98m-96g9-wfjq",
"dataSource": "GHSA-g98m-96g9-wfjq",
"namespace": "github:language:ruby",
"severity": "High",
"urls": [
"https://github.com/advisories/GHSA-g98m-96g9-wfjq"

"relatedVulnerabilities": [
{
"id": "CVE-2019-3881",
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-3881",
"namespace": "nvd:cpe",
"severity": "High",
"urls": CVE-2019-3881

"artifact": {
"id": "e636f1dfae2e620b",
"name": "bundler",
"version": "1.16.1",
"type": "gem",
"locations": [
{
"path": "/usr/lib64/ruby/gems/2.5.0/specifications/bundler-1.16.1.gemspec",
"layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"

What you expected to happen:

  1. The vulnerability points to this path and file:
    "path": "/usr/lib64/ruby/gems/2.5.0/specifications/bundler-1.16.1.gemspec",

  2. Looking up the package and version, the bundler-1.16.1.gemspec file belongs to:
    $ rpm -qf /usr/lib64/ruby/gems/2.5.0/specifications/bundler-1.16.1.gemspec
    ==> ruby2.5-rubygem-bundler-1.16.1-3.3.1.x86_64

  3. SUSE Advisory

For SUSE Linux Enterprise Server 15 SP5 the fix is in ruby2.5-rubygem-bundler >= 1.16.1-3.3.1,
and that matches the version installed in the image, ruby2.5-rubygem-bundler-1.16.1-3.3.1.x86_64.

SUSE_CVE-2019-3881

Conclusion: The installed package (ruby2.5-rubygem-bundler-1.16.1-3.3.1.x86_64) meets the SUSE advisory criteria and therefore should not generate a vulnerability. But Grype doesn't take into account the patch from the OS distributor.

How to reproduce it (as minimally and precisely as possible):

  1. Create Dockerfile with this information
    FROM registry.suse.com/suse/sle15:15.5
    RUN zypper in -y --no-recommends ruby2.5-rubygem-bundler=1.16.1-3.3.1
    ENTRYPOINT [""]
    CMD ["bash"]

  2. Build the image and test
    docker build -t "suse15.5_test:v1" -f ./Dockerfile .
    grype suse15.5_test:v1

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
bundler 1.16.1 2.0.0 gem GHSA-jvgm-pfqv-887x Critical
bundler 1.16.1 2.1.0 gem GHSA-g98m-96g9-wfjq High <== High Vulnerability
bundler 1.16.1 2.2.10 gem GHSA-fp4w-jxhp-m23p High
bundler 1.16.1 2.2.33 gem GHSA-fj7f-vq84-fh43 Medium
date 1.0.0 2.0.1 gem GHSA-qg54-694p-wgpp High

Adding distribution
$ grype --distro sles:15.5 suse15.5_test:v1
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
bundler 1.16.1 2.0.0 gem GHSA-jvgm-pfqv-887x Critical
bundler 1.16.1 2.1.0 gem GHSA-g98m-96g9-wfjq High <===== No change
bundler 1.16.1 2.2.10 gem GHSA-fp4w-jxhp-m23p High

Anything else we need to know?:

Environment:
Output of grype version: grype 0.76.0

OS (e.g: cat /etc/os-release or similar):
$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"

@sekveaja sekveaja added the bug Something isn't working label May 8, 2024
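A triage helper added here as an example (not grype's code and not from the issue): it reads `grype -o json` output, asks rpm which OS package owns each gem's file, and emits `.grype.yaml` ignore rules scoped to the exact file for the findings that must be judged by the distro advisory. The JSON excerpt and the `RPM_OWNER` mapping are constructed so it runs offline; `rpm_owner` is an assumed helper that would shell out to `rpm -qf` inside the image.

```python
import json
import subprocess

# Constructed excerpt shaped like `grype -o json` for the image in this issue:
# one gem owned by an RPM, one vendored gem that no OS package owns.
GEMSPEC = "/usr/lib64/ruby/gems/2.5.0/specifications/bundler-1.16.1.gemspec"
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "GHSA-g98m-96g9-wfjq"},
     "artifact": {"name": "bundler", "version": "1.16.1", "type": "gem",
                  "locations": [{"path": GEMSPEC}]}},
    {"vulnerability": {"id": "GHSA-qg54-694p-wgpp"},
     "artifact": {"name": "date", "version": "1.0.0", "type": "gem",
                  "locations": [{"path": "/opt/app/vendor/specifications/date-1.0.0.gemspec"}]}},
]})
# Constructed stand-in for the `rpm -qf` answers one would get inside the image.
RPM_OWNER = {GEMSPEC: "ruby2.5-rubygem-bundler-1.16.1-3.3.1.x86_64"}

def rpm_owner(path):
    """Assumed helper: `rpm -qf` inside the image; None when no package owns the file."""
    res = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    return res.stdout.strip() if res.returncode == 0 else None

def distro_owned_findings(report_json, owner_of):
    """(match, rpm, path) for language-ecosystem matches whose file an OS package owns;
    these are judged by the distro advisory for that rpm, not by the upstream fixed-in."""
    found = []
    for m in json.loads(report_json)["matches"]:
        art = m["artifact"]
        if art["type"] not in ("gem", "python", "npm"):  # OS packages already use distro data
            continue
        for loc in art.get("locations", []):
            rpm = owner_of(loc["path"])
            if rpm:
                found.append((m, rpm, loc["path"]))
                break
    return found

def ignore_rules(findings):
    """One grype ignore entry per reviewed finding, scoped to vulnerability, package and
    exact file, so an unpatched second copy of the same gem elsewhere still reports."""
    return [{"vulnerability": m["vulnerability"]["id"], "rpm": rpm,
             "package": {"name": m["artifact"]["name"], "version": m["artifact"]["version"],
                         "type": m["artifact"]["type"], "location": path}}
            for m, rpm, path in findings]

def render_grype_yaml(rules):
    """Render the rules as the `ignore:` section of .grype.yaml (hand-written, no PyYAML)."""
    out = ["ignore:"]
    for r in rules:
        out += [f"  # reviewed: file owned by {r['rpm']}, covered by the distro advisory",
                f"  - vulnerability: {r['vulnerability']}", "    package:"]
        out += [f"      {k}: \"{v}\"" for k, v in r["package"].items()]
    return "\n".join(out) + "\n"
```

Ignore rules are a stop-gap until the scanner matches distro-owned gems against the distributor's advisory data; review each rule when the base image or the advisory changes.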