False positive on a custom image with custom python package #2292

Open
tony-oss-titan opened this issue Dec 1, 2024 · 0 comments
Labels
bug Something isn't working

@tony-oss-titan
Hi, I have built a custom python alpine image with my own glibc compiled on it. Then I compiled all python packages on top. Basically, I got rid of all musl-based dependencies.
Now, when I run grype on this image, it still reports CVE-2024-9287. My current version of python (3.13) has this vulnerability fixed. Other scanners like trivy, docker scout, and snyk do NOT report this CVE.

I wonder why grype would keep reporting it. I waited a while, thinking the grype db might need an update, but it seems like it has been updated for this CVE, and I continue to see this for my image, which is a false positive.

How to reproduce it (as minimally and precisely as possible):

docker pull tonyosstitan/python:grypeissue

 % grype tonyosstitan/python:grypeissue            
 ✔ Loaded image                                                                                                       tonyosstitan/python:grypeissue
 ✔ Parsed image                                                              sha256:727ab77451046eb3e244382cb6979f257d3f620398b446f2737eab8d44a09f18
 ✔ Cataloged contents                                                               5cf54ec70b43a1f3e8cd066107f9373aba4d6e23480f2e95592a5c3076e0f827
   ├── ✔ Packages                        [40 packages]  
   ├── ✔ File digests                    [2,070 files]  
   ├── ✔ File metadata                   [2,070 locations]  
   └── ✔ Executables                     [168 executables]  
 ✔ Scanned for vulnerabilities     [1 vulnerability matches]  
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible (1 unknown)
   └── by status:   0 fixed, 1 not-fixed, 0 ignored 
NAME     INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY 
python3  3.13.0-r0            apk   CVE-2024-9287  Unknown

I am using a Mac (Sonoma).

 % grype version
Application:         grype
Version:             0.85.0
BuildDate:           2024-11-21T15:04:14Z
GitCommit:           brew
GitDescription:      [not provided]
Platform:            darwin/arm64
GoVersion:           go1.23.3
Compiler:            gc
Syft Version:        v1.17.0
Supported DB Schema: 5
% uname -a        
Darwin testuser 23.5.0 Darwin Kernel Version 23.5.0: Wed May  1 20:19:05 PDT 2024; root:xnu-10063.121.3~5/RELEASE_ARM64_T8112 arm64
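While a match like this is being triaged, a narrowly scoped ignore rule keeps the scan gate usable without hiding anything else. This is an added example, not configuration from the issue reporter or the grype project; it assumes grype's `.grype.yaml` ignore-rule keys (`vulnerability`, `fix-state`, `package.name`, `package.version`, `package.type`) and the package details shown in the report above:

```yaml
# .grype.yaml (constructed example; assumes grype's documented ignore-rule format)
ignore:
  # Suppress only CVE-2024-9287 as matched against the custom apk build
  # python3 3.13.0-r0 from the report above. Any other package, version or
  # CVE is still reported. Scoping on fix-state keeps the rule from hiding
  # the match if the DB later learns of a real fixed-in version.
  - vulnerability: CVE-2024-9287
    fix-state: not-fixed
    package:
      name: python3
      version: 3.13.0-r0
      type: apk
```

Suppressed matches remain visible in table output with `grype --show-suppressed`, so the rule is auditable rather than silent.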
@tony-oss-titan tony-oss-titan added the bug Something isn't working label Dec 1, 2024