Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

False positive on certifi 2022.12.07 #1034

Closed
mrginglymus opened this issue Dec 12, 2022 · 7 comments · Fixed by #1510
Closed

False positive on certifi 2022.12.07 #1034

mrginglymus opened this issue Dec 12, 2022 · 7 comments · Fixed by #1510
Assignees
@willmurphyscode
Labels
bug Something isn't working false-positive

Comments

@mrginglymus
Copy link

mrginglymus commented Dec 12, 2022
edited
Loading

What happened:

TYPE    NAME                    INSTALLED               VULN                  SEVERITY      FIXED?     FIXED IN              UPSTREAM PACKAGE           DATASOURCE
python  certifi                 2022.12.7               GHSA-43fp-rhv2-5gv8   Medium        fixed      2022.12.07                                       https://github.com/advisories/GHSA-43fp-rhv2-5gv8

What you expected to happen:
No security advisory

How to reproduce it (as minimally and precisely as possible):
Python docker image with certifi==2022.12.7 installed

Anything else we need to know?:

certifi publish their python packages with a 'human formatted' zero-padded date format. However, PEP440 canonical versions have their leading zeros removed. Thus, 2022.12.7 is equivalent to 2022.12.07.

What makes this odd is that even on a string comparison, 2022.12.7 is greater than 2022.12.07.

Environment:

Application:          grype
Version:              0.50.2
Syft Version:         v0.57.0
BuildDate:            2022-09-20T19:54:28Z
GitCommit:            f094b860b9b9ebcdf06d9b9c6f7d5c000fad395b
GitDescription:       v0.50.2
Platform:             windows/amd64
GoVersion:            go1.18.6
Compiler:             gc
Supported DB Schema:  4
@mrginglymus mrginglymus added the bug Something isn't working label Dec 12, 2022
@mrginglymus mrginglymus mentioned this issue Dec 12, 2022
Closed
@westonsteimel
Copy link
Contributor

Thanks for the report @mrginglymus! Yes, this is because we don't currently have exact support for python version comparisons according to PEP 440 and it does cause some false positives. #986 is another case of this.

@mrginglymus mrginglymus changed the title False positive False positive on certifi 2022.12.07 Dec 12, 2022
@tgerla tgerla added this to OSS Dec 12, 2022
@tgerla tgerla moved this to False Positives in OSS Dec 12, 2022
@ilanKeshet
Copy link

reproduces for me as well

Package                                   Type              Installed Version                  Fixed Version             Vulnerability             Severity
certifi                                 python                      2022.12.7                     2022.12.07       GHSA-43fp-rhv2-5gv8               Medium

@danekantner
Copy link

This CVE is recorded wrong by Github IMO. The actual correct version is 2022.12.7 but the CVE is wrong in that it reports the vulnerable version is < 2022.12.07 and fixed version >= 2022.12.07 -- there is no .07 it is .7

This problem is happening with this CVE in other security tools too.

@ilanKeshet
Copy link

@danekantner This sort of stuff is bound to happen again and again.
I get that your not in the wrong here, but it would be truly awesome if you (grype) could shield users from such inevitable inconveniences
🙏

Thank You

@danekantner
Copy link

I'm not with Grype. I was looking at this because I have other security tools that are doing the same thing.

The package maintainers have responded back saying this is the way it's going to be, and all of the various security vendors need to write custom snowflake code to deal with python packages that use release dates as version schemes. The python wheel setup package changes the version scheme when it builds the packages and they think this is acceptable.

@danekantner
Copy link

This BTW was apparently decided on as some precedent when the python issue for this was closed: pypa/setuptools#302

@kzantow kzantow mentioned this issue Apr 5, 2023
Closed
@wagoodman wagoodman removed the status in OSS Apr 6, 2023
@westonsteimel westonsteimel mentioned this issue Jul 12, 2023
Closed
@anotherbridge
Copy link

I can also confirm the same issue with a newer version of the certifi package:

NAME     INSTALLED  FIXED-IN    TYPE    VULNERABILITY        SEVERITY 
certifi  2023.7.22  2023.07.22  python  GHSA-xqr8-7jwr-rhp7  Low

@willmurphyscode willmurphyscode self-assigned this Sep 20, 2023
@willmurphyscode willmurphyscode moved this to In Progress in OSS Sep 21, 2023
@willmurphyscode willmurphyscode mentioned this issue Sep 22, 2023
Merged
@github-project-automation github-project-automation bot moved this from In Progress to Done in OSS Sep 22, 2023
@p-linnane p-linnane mentioned this issue Sep 27, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@willmurphyscode willmurphyscode

Labels
bug Something isn't working false-positive
Projects
OSS
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: use PEP440 for Python package version comparison anchore/grype
7 participants
@mrginglymus @westonsteimel @ilanKeshet @willmurphyscode @spiffcs @anotherbridge @danekantner