False positive on a custom image with custom python package #2292

Open
tony-oss-titan opened this issue Dec 1, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@tony-oss-titan

Hi, I have built a custom Python Alpine image with my own glibc compiled on it. Then I compiled all Python packages on top. Basically I got rid of all musl-based dependencies.
Now, when I run grype on this image, it still reports CVE-2024-9287. My current version of Python (3.13) has this vulnerability fixed. Other scanners like trivy, docker scout and snyk do NOT report this CVE.

I wonder why grype would keep reporting it. I waited a while thinking the grype DB might need an update, but it seems like it has been updated for this CVE and I continue to see this for my image, which is a false positive.

How to reproduce it (as minimally and precisely as possible):

docker pull tonyosstitan/python:grypeissue

 % grype tonyosstitan/python:grypeissue
 ✔ Loaded image                    tonyosstitan/python:grypeissue
 ✔ Parsed image                    sha256:727ab77451046eb3e244382cb6979f257d3f620398b446f2737eab8d44a09f18
 ✔ Cataloged contents              5cf54ec70b43a1f3e8cd066107f9373aba4d6e23480f2e95592a5c3076e0f827
   ├── ✔ Packages                  [40 packages]
   ├── ✔ File digests              [2,070 files]
   ├── ✔ File metadata             [2,070 locations]
   └── ✔ Executables               [168 executables]
 ✔ Scanned for vulnerabilities     [1 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible (1 unknown)
   └── by status:   0 fixed, 1 not-fixed, 0 ignored
NAME     INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY
python3  3.13.0-r0            apk   CVE-2024-9287  Unknown

I am using a Mac (Sonoma).

 % grype version
Application:         grype
Version:             0.85.0
BuildDate:           2024-11-21T15:04:14Z
GitCommit:           brew
GitDescription:      [not provided]
Platform:            darwin/arm64
GoVersion:           go1.23.3
Compiler:            gc
Syft Version:        v1.17.0
Supported DB Schema: 5
 % uname -a
Darwin testuser 23.5.0 Darwin Kernel Version 23.5.0: Wed May  1 20:19:05 PDT 2024; root:xnu-10063.121.3~5/RELEASE_ARM64_T8112 arm64
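While the match is being investigated, the check a practitioner usually wants is a tightly scoped ignore rule so the finding is suppressed only for this exact artifact. This is an added example, not part of the reporter's post; the file name and location are assumptions (grype reads `.grype.yaml` from the working directory or a file passed with `--config`), while the CVE, package name, version and type are taken from the scan output above.

```yaml
# .grype.yaml (assumed location: the directory grype is run from, or --config <path>)
ignore:
  # Scope the rule to the exact package grype reported, so CVE-2024-9287 is
  # still flagged for any other python3 package, version or ecosystem.
  - vulnerability: CVE-2024-9287
    package:
      name: python3
      version: 3.13.0-r0
      type: apk
```

Ignored matches drop out of the table and are counted under "ignored" in the status summary; running grype with `--show-suppressed` lists them again so the rule stays visible during review.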
@tony-oss-titan tony-oss-titan added the bug Something isn't working label Dec 1, 2024