False positive on certifi 2022.12.07

[mrginglymus]

What happened:

TYPE    NAME                    INSTALLED               VULN                  SEVERITY      FIXED?     FIXED IN              UPSTREAM PACKAGE           DATASOURCE
python  certifi                 2022.12.7               GHSA-43fp-rhv2-5gv8   Medium        fixed      2022.12.07                                       https://github.com/advisories/GHSA-43fp-rhv2-5gv8

What you expected to happen:
No security advisory

How to reproduce it (as minimally and precisely as possible):
Python docker image with certifi==2022.12.7 installed

Anything else we need to know?:

certifi publish their python packages with a 'human formatted' zero-padded date format. However, PEP440 canonical versions have their leading zeros removed. Thus, 2022.12.7 is equivalent to 2022.12.07.

What makes this odd is that even on a string comparison, 2022.12.7 is greater than 2022.12.07.

Environment:

Application:          grype
Version:              0.50.2
Syft Version:         v0.57.0
BuildDate:            2022-09-20T19:54:28Z
GitCommit:            f094b860b9b9ebcdf06d9b9c6f7d5c000fad395b
GitDescription:       v0.50.2
Platform:             windows/amd64
GoVersion:            go1.18.6
Compiler:             gc
Supported DB Schema:  4

[westonsteimel]

Thanks for the report @mrginglymus! Yes, this is because we don't currently have exact support for python version comparisons according to PEP 440 and it does cause some false positives. #986 is another case of this.

[ilanKeshet]

reproduces for me as well

Package                                   Type              Installed Version                  Fixed Version             Vulnerability             Severity
certifi                                 python                      2022.12.7                     2022.12.07       GHSA-43fp-rhv2-5gv8               Medium

[danekantner]

This CVE is recorded wrong by Github IMO. The actual correct version is 2022.12.7 but the CVE is wrong in that it reports the vulnerable version is < 2022.12.07 and fixed version >= 2022.12.07 -- there is no .07 it is .7

This problem is happening with this CVE in other security tools too.

[ilanKeshet]

@danekantner This sort of stuff is bound to happen again and again.
I get that your not in the wrong here, but it would be truly awesome if you (grype) could shield users from such inevitable inconveniences
🙏

Thank You

[danekantner]

I'm not with Grype. I was looking at this because I have other security tools that are doing the same thing.

The package maintainers have responded back saying this is the way it's going to be, and all of the various security vendors need to write custom snowflake code to deal with python packages that use release dates as version schemes. The python wheel setup package changes the version scheme when it builds the packages and they think this is acceptable.

[danekantner]

This BTW was apparently decided on as some precedent when the python issue for this was closed: pypa/setuptools#302