Project Quay: PROJQUAY-3294

Python rpm scans produce false positives on RHEL/UBI-based images


When an image includes Python RPM packages, they are also checked against Python vulnerability databases (pyup.io and SNYK). However, the packages do not reference the security patches that RHEL provides, creating false positives.

Example: with our registry.redhat.io/ubi8/python-38:1-80 (latest currently in my test), the scan throws 4 high, 6 medium and 2 unknown. One of the high-severity findings is:

pyup.io-38834 (CVE-2020-26137) on package version 1.24.2. However, doing an rpm search on the image, we get


      > rpm -q python3-urllib3
      python3-urllib3-1.24.2-5.el8.noarch

The key here is the -5 security patch level. As referenced in:

      https://access.redhat.com/security/cve/cve-2020-26137

That points to https://access.redhat.com/errata/RHSA-2021:1631, which says the fix is included in python3-urllib3-1.24.2-5.el8.noarch.rpm.
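As an added illustration (not code from this issue or from Quay/Clair), the matching difference described above: a naive check compares only the upstream version against the pyup.io advisory, while an RPM-aware check compares version and release against the RHSA fixed-in NVR. The upstream fixed version 1.25.9 for pyup.io-38834 and the -4.el8 sample package are assumptions, not values from the report.

```python
import re

# Constructed records. The installed NVR and the RHSA fixed-in NVR come from
# the report; the upstream fixed version for pyup.io-38834 is assumed.
INSTALLED_RPM = "python3-urllib3-1.24.2-5.el8.noarch"
PYUP_ADVISORY = {"id": "pyup.io-38834", "cve": "CVE-2020-26137",
                 "package": "urllib3", "fixed_upstream": "1.25.9"}  # assumed
RHSA_FIXED = {("python3-urllib3", "el8"): "1.24.2-5.el8"}  # RHSA-2021:1631


def parse_nevra(nevra):
    """Split name-version-release.arch into its fields."""
    body, arch = nevra.rsplit(".", 1)
    name, version, release = body.rsplit("-", 2)
    return name, version, release, arch


def rpmvercmp(a, b):
    """rpm-style segment compare returning -1, 0 or 1: numeric segments
    compare as integers, alphabetic ones lexically, numeric beats alpha."""
    sa = re.findall(r"\d+|[a-zA-Z]+", a)
    sb = re.findall(r"\d+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def naive_match(nevra, advisory):
    """What the report describes: only the upstream version is compared
    against the PyPI advisory, so the RPM release tag (-5.el8) is ignored."""
    _, version, _, _ = parse_nevra(nevra)
    return rpmvercmp(version, advisory["fixed_upstream"]) < 0


def distro_aware_match(nevra, advisory, fixed_table):
    """Prefer the distribution's fixed-in NVR when one exists; the release
    tag then decides whether the backported fix is present."""
    name, version, release, _ = parse_nevra(nevra)
    dist = release.split(".")[-1]          # "5.el8" -> "el8"
    fixed = fixed_table.get((name, dist))
    if fixed is None:
        return naive_match(nevra, advisory)  # no distro data: fall back
    fixed_version, fixed_release = fixed.rsplit("-", 1)
    cmp = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return cmp < 0
```

Running `naive_match` on the installed package flags it, while `distro_aware_match` clears it and still flags a constructed `-4.el8` build that predates the erratum.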

Assignee: Unassigned
Reporter: Ramon Gordillo Gutierrez (rgordill1@redhat.com)