Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

False Positive: GHSA-gf2q-j2qq-pjf2(CVE-2012-3542) GHSA-mrxv-65rv-6hxq (CVE-2012-4413) keystone 18.x.x, recommend fixed with 2012.x older versioning convention #2289

Open
sekveaja opened this issue Nov 27, 2024 · 0 comments
Labels
bug Something isn't working epoch relating to issues around version lineage changes false-positive

Comments

@sekveaja
Copy link

What happened:
Scan on image that has python3 keystone version 18.x.x installed.
It generates vulnerabilities
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
keystone 18.1.1.dev11 2012.1 python GHSA-gf2q-j2qq-pjf2 High
keystone 18.1.1.dev11 2012.1.3 python GHSA-mrxv-65rv-6hxq Medium

What you expected to happen:

OpenStack changed versioning system between Kilo and Liberty in 2015. Up to Kilo they used the year as a base resulting in 20xx.x.x versions. From Liberty they started to use semantic versioning in every project.
This resulted lower version numbers for the newer projects that the tools cannot handle now.
e.g. Keystone became 8.0.0 in Liberty after the 2015.1.4 Kilo version

https://releases.openstack.org/liberty/index.html
https://releases.openstack.org/kilo/index.html

How to reproduce it (as minimally and precisely as possible):

$ wget https://tarballs.opendev.org/openstack/keystone/keystone-26.0.0.tar.gz

$ grype keystone-26.0.0.tar.gz
✔ Vulnerability DB [updated]
✔ Indexed file system /tmp/syft-archive-contents-3794649546
✔ Cataloged contents af829c6a4de6690207c86ae475f3eadb7db152f5f7a25d01f2ee62a6
├── ✔ Packages [1 packages]
├── ✔ File digests [2 files]
├── ✔ File metadata [2 locations]
└── ✔ Executables [0 executables]
✔ Scanned for vulnerabilities [0 vulnerability matches]
├── by severity: 0 critical, 1 high, 1 medium, 1 low, 0 negligible
└── by status: 2 fixed, 1 not-fixed, 0 ignored
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
keystone 26.0.0 2012.1 python GHSA-gf2q-j2qq-pjf2 High (FP is reproduced)
keystone 26.0.0 2012.1.3 python GHSA-mrxv-65rv-6hxq Medium (FP is reproduced)
keystone 26.0.0 python GHSA-qvpr-qm6w-6rcc Low

Anything else we need to know?:
Similar problem with openstack Neutron, Glance, ,Cinder
#2262
#2252
#2240

Environment:

  • Output of grype version: grype 0.83.0

  • OS (e.g: cat /etc/os-release or similar):
    $ cat /etc/os-release
    NAME="Red Hat Enterprise Linux"
    VERSION="8.7 (Ootpa)"
    ID="rhel"
    ID_LIKE="fedora"
    VERSION_ID="8.7"
    PLATFORM_ID="platform:el8"
    PRETTY_NAME="Red Hat Enterprise Linux 8.7 (Ootpa)"

@sekveaja sekveaja added the bug Something isn't working label Nov 27, 2024
@kzantow kzantow added false-positive epoch relating to issues around version lineage changes labels Dec 11, 2024
# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
bug Something isn't working epoch relating to issues around version lineage changes false-positive
Projects
Status: No status
Development

No branches or pull requests

2 participants