Clair / CLAIRDEV-115

False positives from Konflux's clair-scan of Python 3.11 and 3.9 images


    • Type: Bug
    • Resolution: Duplicate
    • Priority: Undefined
    • claircore-1.5.33

      Python 3.11 image:

      [conftest-vulnerabilities] 		"warnings": [
      [conftest-vulnerabilities] 			{
      [conftest-vulnerabilities] 				"msg": "Found packages with high vulnerabilities. Consider updating to a newer version of those packages, they may no longer be affected by the reported CVEs.",
      [conftest-vulnerabilities] 				"metadata": {
      [conftest-vulnerabilities] 					"details": {
      [conftest-vulnerabilities] 						"description": "Vulnerabilities found: setuptools-65.5.1 (GHSA-cx63-2mw6-8hw5)",
      [conftest-vulnerabilities] 						"name": "clair_high_vulnerabilities",
      [conftest-vulnerabilities] 						"url": "https://access.redhat.com/articles/red_hat_vulnerability_tutorial"
      [conftest-vulnerabilities] 					},
      [conftest-vulnerabilities] 					"vulnerabilities_number": 1
      [conftest-vulnerabilities] 				}
      [conftest-vulnerabilities] 			}
      [conftest-vulnerabilities] 		]
      

      GHSA-cx63-2mw6-8hw5/CVE-2024-6345 has been fixed since setuptools-65.5.1-3

      podman run -ti --rm registry.redhat.io/rhel9/python-311:9.5 rpm -q --changelog python3.11-setuptools
      * Wed Jul 24 2024 Lumír Balhar <lbalhar@redhat.com> - 65.5.1-3
      - Security fix for CVE-2024-6345
      Resolves: RHEL-49992
      

      Not sure how clair-scan knows what setuptools version is installed, but sbom says it's 65.5.1-3

      [show-sbom]         {
      [show-sbom]             "bom-ref": "pkg:rpm/rhel/python3.11-setuptools@65.5.1-3.el9?arch=noarch&upstream=python3.11-setuptools-65.5.1-3.el9.src.rpm&distro=rhel-9.5&package-id=956f80a3708936b9",
      [show-sbom]             "type": "library",
      [show-sbom]             "publisher": "Red Hat, Inc.",
      [show-sbom]             "name": "python3.11-setuptools",
      [show-sbom]             "version": "65.5.1-3.el9",
      [show-sbom]             "licenses": [
      [show-sbom]                 {
      [show-sbom]                     "license": {
      [show-sbom]                         "name": "MIT and ASL 2.0 and (BSD or ASL 2.0) and Python"
      [show-sbom]                     }
      [show-sbom]                 }
      [show-sbom]             ],
      [show-sbom]             "cpe": "cpe:2.3:a:python3.11-setuptools:python3.11-setuptools:65.5.1-3.el9:*:*:*:*:*:*:*",
      [show-sbom]             "purl": "pkg:rpm/rhel/python3.11-setuptools@65.5.1-3.el9?arch=noarch&upstream=python3.11-setuptools-65.5.1-3.el9.src.rpm&distro=rhel-9.5",
      

      Python 3.9 image:

      from clair-scan log:

      [conftest-vulnerabilities] 			{
      [conftest-vulnerabilities] 				"msg": "Found packages with high vulnerabilities. Consider updating to a newer version of those packages, they may no longer be affected by the reported CVEs.",
      [conftest-vulnerabilities] 				"metadata": {
      [conftest-vulnerabilities] 					"details": {
      [conftest-vulnerabilities] 						"description": "Vulnerabilities found: setuptools-53.0.0 (GHSA-cx63-2mw6-8hw5, GHSA-r9hx-vwmv-q579)",
      [conftest-vulnerabilities] 						"name": "clair_high_vulnerabilities",
      [conftest-vulnerabilities] 						"url": "https://access.redhat.com/articles/red_hat_vulnerability_tutorial"
      [conftest-vulnerabilities] 					},
      [conftest-vulnerabilities] 					"vulnerabilities_number": 2
      [conftest-vulnerabilities] 				}
      [conftest-vulnerabilities] 			},
      

      GHSA-r9hx-vwmv-q579/CVE-2022-40897 has been fixed since setuptools-50.0.0-12
      GHSA-cx63-2mw6-8hw5/CVE-2024-6345 has been fixed since setuptools-50.0.0-13

      podman run -ti --rm registry.redhat.io/rhel9/python-39:9.5 rpm -q --changelog python3-setuptools
      * Wed Jul 24 2024 Lumír Balhar <lbalhar@redhat.com> - 53.0.0-13
      - Security fix for CVE-2024-6345
      Resolves: RHEL-49978
      
      * Wed Jan 11 2023 Charalampos Stratakis <cstratak@redhat.com> - 53.0.0-12
      - Security fix for CVE-2022-40897
      Resolves: rhbz#2158559
      
      [show-sbom]             "bom-ref": "pkg:rpm/rhel/python3-setuptools@53.0.0-13.el9?arch=noarch&upstream=python-setuptools-53.0.0-13.el9.src.rpm&distro=rhel-9.5&package-id=c8817cc658f037e2",
      [show-sbom]             "type": "library",
      [show-sbom]             "publisher": "Red Hat, Inc.",
      [show-sbom]             "name": "python3-setuptools",
      [show-sbom]             "version": "53.0.0-13.el9",
      [show-sbom]             "licenses": [
      [show-sbom]                 {
      [show-sbom]                     "license": {
      [show-sbom]                         "name": "MIT and (BSD or ASL 2.0)"
      [show-sbom]                     }
      [show-sbom]                 }
      [show-sbom]             ],
      [show-sbom]             "cpe": "cpe:2.3:a:python3-setuptools:python3-setuptools:53.0.0-13.el9:*:*:*:*:*:*:*",
      [show-sbom]             "purl": "pkg:rpm/rhel/python3-setuptools@53.0.0-13.el9?arch=noarch&upstream=python-setuptools-53.0.0-13.el9.src.rpm&distro=rhel-9.5",
      

      It's strange that python3-setuptools is installed in the ubi9 base image, but the python-39 image is the only one where clair-scan claims it's vulnerable.

      All versions of the clair-scan task have been reporting these false positives.

      I'll try to add complete logs to this ticket. Let me know what else you need. Thanks!
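As an added triage example (this is not code from the ticket, from Konflux or from Clair), the script below cross-references a clair-scan finding with the SBOM purl and the `rpm -q --changelog` output quoted above, and decides per GHSA id whether the hit is a backported-fix false positive. The GHSA-to-CVE aliases are the ones stated in the ticket; the version comparison is a simplified rpmvercmp (numeric and alpha runs only, no epoch or tilde handling), which is an assumption of this example, as is the `triage` function name.

```python
import re

# --- Constructed inputs, copied from the values this ticket shows for the python-39 image ---
CLAIR_FINDING = ("Vulnerabilities found: setuptools-53.0.0 "
                 "(GHSA-cx63-2mw6-8hw5, GHSA-r9hx-vwmv-q579)")
GHSA_TO_CVE = {  # aliases as stated in the ticket text
    "GHSA-cx63-2mw6-8hw5": "CVE-2024-6345",
    "GHSA-r9hx-vwmv-q579": "CVE-2022-40897",
}
SBOM_PURL = ("pkg:rpm/rhel/python3-setuptools@53.0.0-13.el9?arch=noarch"
             "&upstream=python-setuptools-53.0.0-13.el9.src.rpm&distro=rhel-9.5")
RPM_CHANGELOG = """\
* Wed Jul 24 2024 Lumír Balhar <lbalhar@redhat.com> - 53.0.0-13
- Security fix for CVE-2024-6345
Resolves: RHEL-49978

* Wed Jan 11 2023 Charalampos Stratakis <cstratak@redhat.com> - 53.0.0-12
- Security fix for CVE-2022-40897
Resolves: rhbz#2158559
"""


def parse_finding(desc):
    """'Vulnerabilities found: setuptools-53.0.0 (GHSA-x, GHSA-y)' -> (name, version, [ids])."""
    m = re.search(r"found:\s*(\S+?)-(\d[^\s(]*)\s*\(([^)]*)\)", desc)
    if not m:
        raise ValueError(f"unrecognised finding: {desc!r}")
    ids = [i.strip() for i in m.group(3).split(",") if i.strip()]
    return m.group(1), m.group(2), ids


def parse_purl(purl):
    """'pkg:rpm/rhel/python3-setuptools@53.0.0-13.el9?...' -> (name, version, release)."""
    m = re.match(r"pkg:rpm/[^/]+/([^@]+)@([^-?]+)-([^?]+)", purl)
    if not m:
        raise ValueError(f"unrecognised purl: {purl!r}")
    return m.group(1), m.group(2), m.group(3)


def parse_changelog(text):
    """Map each 'rpm -q --changelog' entry's version-release to the CVEs its lines mention."""
    fixes = {}
    current = None
    for line in text.splitlines():
        if line.startswith("*"):  # entry header ends with ' - <version>-<release>'
            current = line.rsplit(" - ", 1)[1].strip()
            fixes.setdefault(current, set())
        elif current is not None:
            fixes[current].update(re.findall(r"CVE-\d{4}-\d{4,}", line))
    return fixes


def _segments(label):
    # Simplified rpmvercmp (assumption): split into numeric/alpha runs, numeric sorts above alpha.
    return [(1, int(t)) if t.isdigit() else (0, t)
            for t in re.findall(r"\d+|[A-Za-z]+", label)]


def evr_ge(installed, fixed):
    """True if the installed 'version-release' label is at least the 'fixed' one."""
    iv, ir = installed.split("-", 1)
    fv, fr = fixed.split("-", 1)
    return (_segments(iv), _segments(ir)) >= (_segments(fv), _segments(fr))


def triage(finding, ghsa_to_cve, purl, changelog):
    """Classify each scanner id as backported-fix false positive, affected, or unverified."""
    name, upstream_version, ids = parse_finding(finding)
    rpm_name, version, release = parse_purl(purl)
    installed = f"{version}-{release}"
    fixes = parse_changelog(changelog)
    results = []
    for ghsa in ids:
        cve = ghsa_to_cve.get(ghsa)
        fixed_in = next((evr for evr, cves in fixes.items() if cve in cves), None)
        if version != upstream_version or not rpm_name.endswith(name):
            status = "unverified: SBOM package does not match scanner package"
        elif fixed_in is None:
            status = "unverified: no changelog entry for this CVE"
        elif evr_ge(installed, fixed_in):
            status = "false positive: fix backported"
        else:
            status = "affected: fix in newer build"
        results.append({"id": ghsa, "cve": cve, "package": rpm_name,
                        "installed": installed, "fixed_in": fixed_in, "status": status})
    return results


if __name__ == "__main__":
    for r in triage(CLAIR_FINDING, GHSA_TO_CVE, SBOM_PURL, RPM_CHANGELOG):
        print(f"{r['id']} ({r['cve']}): installed {r['package']}-{r['installed']}, "
              f"fix in {r['fixed_in']} -> {r['status']}")
```

The point of the check is that the scanner keyed its match on the upstream version string (53.0.0 / 65.5.1) while the fix lives in the RPM release field (-12, -13, -3), so any suppression has to compare the full version-release from the RPM database or SBOM against the changelog, not the dist-info version alone. A scanner that is fed the RPM version-release from the SBOM would not raise either of the two hits above.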

        Attachments:
        1. python-39-9-5-on-push-bmgwq-clair-scan.log (909 kB, Jiri Popelka)
        2. python-39-9-5-on-push-bmgwq-show-sbom.log (1.93 MB, Jiri Popelka)
        3. python-311-9-5-on-push-zkt9c-show-sbom.log (1.97 MB, Jiri Popelka)
        4. python-311-9-5-on-push-zkt9c-clair-scan.log (902 kB, Jiri Popelka)

              Assignee: Unassigned
              Reporter: Jiri Popelka (jpopelka@redhat.com)
              Votes: 0
              Watchers: 4