-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
false positive - python-setuptools #4067
Comments
Hello @faust64 We investigated this image(registry.access.redhat.com/ubi9/python-39:1-114.1681379027) and found strange case:
RPM only has information for
It looks like That is why we can't exclude
Perhaps you can ask RedHat about this strange case? How was this package installed in the Best Regards, Dmitriy UPD: UPD2: |
Hi, Thanks for the quick reply, @DmitriyLewen Indeed you're right, there are two versions of that setuptools module, in python3.9/ubi9 base image provided by RedHat Now ... lacking any better idea ... let's dig in ... Now, let's check RH didn't lie to me when suggesting they fixed it, on a 53.0.0.
Checking the code i find in my ubi9/python3.9 image ... I can confirm we can see the new regexpr is there. Although I'm not sure I can explain exactly how RH builds those ... I'm pretty sure today: this is a false positive. |
This issue is stale because it has been labeled with inactivity. |
I believe in my case it was coming from the base image. For anybody that may end up here in the future looking for answers. |
Description
A while ago, I pinged RedHat support, regarding some python-setuptools vunerability spotted by Trivy.
Since then, support got back to me and confirmed the fix was now avaialable.
Yet trivy keeps reporting about that vulnerability:
For the record, RedHat advertises ( access.redhat.com/errata/RHSA-2023:0952 ) that the fix ships in python3-setuptools-53.0.0-10.el9_11.noarch.rpm.
I think this may be a false positive. Given Trivy seems certain the only fix would be to upgrade to 65.5.1 ...
Am I doing it wrong? Should I wipe the cache of my trivy container and try again (db looks up to date/just upgraded yesterday, in doubt)?
Those scans have been marked as failing for over a month, since RedHat came through and told me they shipped their own fix.
What did you expect to happen?
Building an image from ubi9/python39. With few dependencies (kopf/kubernetes libs). I would expect my scans to find 0 vulnerablities.
According to RH container registry, there shouldn't be any known vulnerability here: https://catalog.redhat.com/software/containers/ubi9/python-39/61a61032bfd4a5234d59629e?tag=1-114.1681379027&push_date=1681409110000
What happened instead?
Scan keeps reporting 1 vulnerability. RedHat insists it's no longer vulnerable.
Who should I trust?
Output of run with
-debug
:can't share this / don't have access to GitHub from the workstation I use operating my customer's clusters.
details about vulnerability shared above.
still persists as of today, using redhat's latest image (released yesterday evening)
Output of
trivy -v
:(from my trivy server / scans would be running on clients with no persistent volume attached)
Additional details (base image name, container registry info...):
N/A
The text was updated successfully, but these errors were encountered: