Scan on an image that has ruby2.5-stdlib-2.5.9-150000.4.29.1.x86_64 installed. It generates a high vulnerability:

```
:
:
"relatedVulnerabilities": [
  {
    "id": "CVE-2020-10663",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-10663",
    "namespace": "nvd:cpe",
    "severity": "High",
    "urls": [
:
"artifact": {
  "id": "145d80db7bf23deb",
  "name": "json",
  "version": "2.1.0",
  "type": "gem",
  "locations": [
    {
      "path": "/usr/lib64/ruby/gems/2.5.0/specifications/default/json-2.1.0.gemspec",
      "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
    }
  ],
```
What you expected to happen:

According to the SUSE Advisory:
https://www.suse.com/security/cve/CVE-2020-10663.html

```
SUSE Linux Enterprise Server 15 SP5
  libruby2_5-2_5         >= 2.5.8-4.11.1
  ruby2.5                >= 2.5.8-4.11.1
  ruby2.5-devel          >= 2.5.8-4.11.1
  ruby2.5-devel-extra    >= 2.5.8-4.11.1
  ruby2.5-stdlib         >= 2.5.8-4.11.1
Patchnames:
  SUSE Linux Enterprise Module for Basesystem 15 SP5 GA  libruby2_5-2_5-2.5.9-150000.4.26.1
  SUSE Linux Enterprise Module for Basesystem 15 SP5 GA  ruby2.5-2.5.9-150000.4.26.1
```

The version that is installed is > 2.5.8-4.11.1:

```
rpm -qf /usr/lib64/ruby/gems/2.5.0/specifications/default/json-2.1.0.gemspec
ruby2.5-stdlib-2.5.9-150000.4.29.1.x86_64
9bd66b5cfa32:/ #
```
There should be no vulnerability generated if we follow the SUSE requirement and SUSE Advisory.

How to reproduce it (as minimally and precisely as possible):

Create a Dockerfile with this information:

```Dockerfile
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends ruby2.5-rubygem-bundler=1.16.1-3.3.1
ENTRYPOINT [""]
CMD ["bash"]
```

Build the image and test:

```
docker build -t "suse15.5_test:v1" .
grype suse15.5_test:v1
NAME  INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
json  2.1.0      2.3.0     gem   GHSA-jphg-qwrw-7w9g  High
```
Anything else we need to know?:

This one is slightly different from #1807. Here we have json 2.1.0, and it is easier to reproduce as it comes from the OS level.
Environment:

Output of `grype version`: grype 0.76.0

OS (e.g: cat /etc/os-release or similar):

```
$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
```
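The manual check in the report (find the RPM that owns the flagged gemspec with `rpm -qf`, then compare its version-release against the advisory's fixed version) can be scripted so that every gem finding from a scan is triaged the same way. The following is an added example, not grype's code and not part of the issue: it reads grype-style JSON matches, looks up the owning RPM, and compares with a simplified rpmvercmp. The grype JSON, the second app-vendored gem path and the `RPM_OWNER` map are constructed sample data; the advisory threshold is the one quoted above.

```python
"""Triage a grype gem finding against the distro RPM that owns the file.

Added example, not grype's own code. The grype JSON, the rpm ownership map
and the advisory table are constructed to mirror the report; in practice you
would feed in `grype <image> -o json` and the output of `rpm -qf <path>` run
inside the image.
"""
import json
import re

# Constructed: trimmed grype JSON matches shaped like the report's output.
# The second match is a hypothetical app-vendored copy of the same gem.
GRYPE_JSON = """
{
  "matches": [
    {
      "vulnerability": {"id": "GHSA-jphg-qwrw-7w9g", "severity": "High"},
      "relatedVulnerabilities": [{"id": "CVE-2020-10663", "severity": "High"}],
      "artifact": {"name": "json", "version": "2.1.0", "type": "gem",
        "locations": [{"path": "/usr/lib64/ruby/gems/2.5.0/specifications/default/json-2.1.0.gemspec"}]}
    },
    {
      "vulnerability": {"id": "GHSA-jphg-qwrw-7w9g", "severity": "High"},
      "relatedVulnerabilities": [{"id": "CVE-2020-10663", "severity": "High"}],
      "artifact": {"name": "json", "version": "2.1.0", "type": "gem",
        "locations": [{"path": "/app/vendor/bundle/ruby/2.5.0/specifications/json-2.1.0.gemspec"}]}
    }
  ]
}
"""

# Constructed: what `rpm -qf <path>` reported (NVRA) for paths owned by an RPM.
RPM_OWNER = {
    "/usr/lib64/ruby/gems/2.5.0/specifications/default/json-2.1.0.gemspec":
        "ruby2.5-stdlib-2.5.9-150000.4.29.1.x86_64",
}

# From the SUSE advisory quoted in the report: fixed once ruby2.5-stdlib >= 2.5.8-4.11.1.
ADVISORY_FIXED = {"CVE-2020-10663": {"ruby2.5-stdlib": "2.5.8-4.11.1"}}


def split_nvra(nvra):
    """Split 'name-version-release.arch' into (name, version, release)."""
    base = nvra.rsplit(".", 1)[0]            # drop the architecture suffix
    name, version, release = base.rsplit("-", 2)
    return name, version, release


def rpmvercmp(a, b):
    """Compare two version or release strings in the spirit of rpm's rpmvercmp:
    split into numeric and alphabetic runs; numeric runs compare as integers,
    alphabetic runs lexically, a numeric run sorts after an alphabetic one, and
    the string with segments left over wins. Returns -1, 0 or 1.
    Simplified: tilde and caret handling are omitted."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xn != yn:
            return 1 if xn else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def compare_vr(vr_a, vr_b):
    """Compare 'version-release' strings (no epoch): version first, then release."""
    va, _, ra = vr_a.partition("-")
    vb, _, rb = vr_b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def triage(grype_json, rpm_owner, advisory_fixed):
    """One verdict per flagged file: 'backport-fixed' (owning RPM meets the fixed
    version), 'rpm-vulnerable' (owning RPM is older), 'rpm-unlisted' (RPM not in
    the advisory) or 'unowned' (no RPM owner, so the upstream gem version applies)."""
    verdicts = []
    for match in json.loads(grype_json)["matches"]:
        cves = [r["id"] for r in match.get("relatedVulnerabilities", [])]
        art = match["artifact"]
        for loc in art["locations"]:
            owner = rpm_owner.get(loc["path"])
            verdict = {"artifact": "%s-%s" % (art["name"], art["version"]),
                       "path": loc["path"], "owner": owner, "status": "unowned"}
            if owner:
                name, ver, rel = split_nvra(owner)
                fixed = next((advisory_fixed[c][name] for c in cves
                              if name in advisory_fixed.get(c, {})), None)
                if fixed is None:
                    verdict["status"] = "rpm-unlisted"
                elif compare_vr("%s-%s" % (ver, rel), fixed) >= 0:
                    verdict["status"] = "backport-fixed"
                else:
                    verdict["status"] = "rpm-vulnerable"
            verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    for v in triage(GRYPE_JSON, RPM_OWNER, ADVISORY_FIXED):
        print("%-15s %s (%s)" % (v["status"], v["path"], v["owner"] or "no RPM owner"))
```

Run against the constructed data, the distro-owned gemspec comes out as `backport-fixed` (ruby2.5-stdlib 2.5.9-150000.4.29.1 is newer than the advisory's 2.5.8-4.11.1), while the app-vendored copy stays `unowned` and keeps its upstream verdict; that distinction is exactly what a scanner needs before suppressing a finding, so a gem shipped by an application rather than by the OS is never silenced by the distro's backport.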