False positive: GHSA-wf44-4mgj-rwvx (CVE-2015-3221) on neutron 17.x.x; the recommended fix version 2014.x uses the older versioning convention #2262

Open
sekveaja opened this issue Nov 15, 2024 · 0 comments
Labels
bug Something isn't working needs-investigation

Comments

@sekveaja

What happened:
Scan of an image that has python3-neutron-17.1.3.dev3-1000.R12A04.noarch installed.
It reports these vulnerabilities:

$ grype --distro sles:15.5 <custom_image> | grep neutron

neutron 17.1.3.dev3 17.1.3 python GHSA-hvm4-mc7m-22w4 High
neutron 17.1.3.dev3 17.2.1 python GHSA-fh73-gjvg-349c High
neutron 17.1.3.dev3 17.2.1 python GHSA-cpx3-696p-3cw9 High
neutron 17.1.3.dev3 2014.2.4 python GHSA-wf44-4mgj-rwvx Medium <==
neutron 17.1.3.dev3 18.6.0 python GHSA-w446-h7vg-wv3p Medium
neutron 17.1.3.dev3 python GHSA-r3jh-qhgj-gvr8 Medium

What you expected to happen:
OpenStack changed versioning system between Kilo and Liberty in 2015. Up to Kilo they used the year as a base resulting in 20xx.x.x versions. From Liberty they started to use semantic versioning in every project.
This resulted in lower version numbers for the newer projects, which the tools cannot handle now.
e.g. Neutron became 7.0.0 in Liberty after the 2015.1.4 Kilo version.

https://releases.openstack.org/liberty/index.html
https://releases.openstack.org/kilo/index.html

How to reproduce it (as minimally and precisely as possible):

  1. Download the tar file from the public repo https://tarballs.opendev.org/openstack/
    (an artifact we can try scanning):
    $ wget https://tarballs.opendev.org/openstack/neutron/neutron-17.3.0.tar.gz

  2. Scan the tar file:
    $ grype neutron-17.3.0.tar.gz
    ✔ Indexed file system /tmp/syft-archive-contents-3540691396
    ✔ Cataloged contents 4511349c568d80f9839f9422ec75a7e660e974cbc52f892ea7b095dba294e3f8
    ├── ✔ Packages [5 packages]
    ├── ✔ File digests [3 files]
    ├── ✔ File metadata [3 locations]
    └── ✔ Executables [0 executables]
    ✔ Scanned for vulnerabilities [3 vulnerability matches]
    ├── by severity: 0 critical, 0 high, 3 medium, 0 low, 0 negligible
    └── by status: 2 fixed, 1 not-fixed, 0 ignored
    NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
    neutron 17.3.0 2014.2.4 python GHSA-wf44-4mgj-rwvx Medium (FP reproduced)
    neutron 17.3.0 18.6.0 python GHSA-w446-h7vg-wv3p Medium
    neutron 17.3.0 python GHSA-r3jh-qhgj-gvr8 Medium

Environment:

  • Output of grype version:
    Application: grype
    Version: 0.83.0
    BuildDate: 2024-10-31T00:04:47Z
    GitCommit: 0602464
    GitDescription: v0.83.0
    Platform: linux/amd64

  • OS (e.g: cat /etc/os-release or similar):
    NAME="SLES"
    VERSION="15-SP5"
    VERSION_ID="15.5"
    PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
    ID="sles"
    ID_LIKE="suse"
    ANSI_COLOR="0;32"
    CPE_NAME="cpe:/o:suse:sles:15:sp5"
    DOCUMENTATION_URL="https://documentation.suse.com/"

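The comparison failure the report describes can be shown in a few lines. The block below is an added example, not grype's or OpenStack's code: it reproduces the scheme-blind numeric ordering that makes 17.3.0 look "older" than the 2014.2.4 fix version, and beside it a scheme-aware check that refuses to compare a year-based (pre-Liberty, 20xx.x.x) fix version against a semantic-versioned (post-Liberty) install. The cut-off of 2000 for "year-based" and the function names are assumptions made for this example; the two advisory/fixed-in pairs are taken from the neutron-17.3.0 scan output above.

```python
"""Added example (not grype's or OpenStack's code) showing why a fixed-in
version from OpenStack's pre-Liberty year-based scheme (2014.2.4) makes a
plain numeric "installed < fixed-in" check flag every semver-era neutron
release (17.3.0), and a scheme-aware check that does not.

Assumption (heuristic for this example): a leading component >= 2000 is a
year-based version (OpenStack used 20xx.x.x up to Kilo, 2015.1.x) and
anything smaller is a post-Liberty semantic version (neutron 7.0.0+).
"""
import re
from typing import Dict, Iterable, Tuple

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\.?(dev|a|b|rc)(\d*))?$")

# Sort key: (release tuple, pre-release rank). A pre-release such as
# 17.1.3.dev3 must sort before its final release 17.1.3.
VersionKey = Tuple[Tuple[int, ...], int]


def version_key(version: str) -> VersionKey:
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    pre_rank = -1 if m.group(2) else 0
    return release, pre_rank


def naive_affected(installed: str, fixed_in: str) -> bool:
    """What a scheme-blind matcher does: pure numeric ordering.
    17.3.0 < 2014.2.4 is True here, which is the false positive."""
    return version_key(installed) < version_key(fixed_in)


def scheme(version: str) -> str:
    """'year' for 20xx.x.x style versions, 'semver' otherwise (heuristic)."""
    return "year" if version_key(version)[0][0] >= 2000 else "semver"


def scheme_aware_affected(installed: str, fixed_in: str) -> bool:
    """Compare numerically only within one scheme. Across schemes, every
    semver-era release postdates every year-based one, so a year-based
    fixed-in cannot apply to a semver-era install, and vice versa."""
    s_installed, s_fixed = scheme(installed), scheme(fixed_in)
    if s_installed == s_fixed:
        return naive_affected(installed, fixed_in)
    # Mixed schemes: a year-based install is older than any semver fix;
    # a semver install is newer than any year-based fix.
    return s_installed == "year"


def triage(installed: str,
           findings: Iterable[Tuple[str, str]]) -> Dict[str, Tuple[bool, bool]]:
    """For each (advisory id, fixed-in) pair return (naive, scheme_aware)."""
    return {vuln: (naive_affected(installed, fix),
                   scheme_aware_affected(installed, fix))
            for vuln, fix in findings}


# Constructed from the two "fixed" rows of the neutron-17.3.0 scan above.
SAMPLE_FINDINGS = [
    ("GHSA-wf44-4mgj-rwvx", "2014.2.4"),  # CVE-2015-3221, Kilo-era fix
    ("GHSA-w446-h7vg-wv3p", "18.6.0"),
]

if __name__ == "__main__":
    for vuln, (naive, aware) in triage("17.3.0", SAMPLE_FINDINGS).items():
        print(f"{vuln}: naive={naive} scheme_aware={aware}")
```

Run against the two fixed rows, the naive check flags both advisories while the scheme-aware check keeps GHSA-w446-h7vg-wv3p (fixed in 18.6.0, same scheme, genuinely newer) and drops GHSA-wf44-4mgj-rwvx. The heuristic is only a triage aid: whether the proper fix belongs in grype's python version matcher or in the advisory's version range (a range that is bounded above by 2014.2.4 but not below) is for the maintainers to decide.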
Projects
Status: Backlog