What happened:
I have a Python image with "certifi" 2023.7.22 installed. As per GHSA-xqr8-7jwr-rhp7, this version is not impacted.
But grype is marking this CVE as applicable to my image:
```json
"matchDetails": [
  {
    "type": "exact-direct-match",
    "matcher": "python-matcher",
    "searchedBy": {
      "language": "python",
      "namespace": "github:language:python",
      "package": {
        "name": "certifi",
        "version": "2023.7.22"
      }
    },
    "found": {
      "versionConstraint": ">=2015.04.28,<2023.07.22 (python)",
      "vulnerabilityID": "GHSA-xqr8-7jwr-rhp7"
    }
  }
],
```
The `versionConstraint` used by the matcher is incorrect. As per the GH advisory, patched versions are `>=2023.07.22`.
What you expected to happen:
Ideally, grype should not report the patched version as vulnerable.
How to reproduce it (as minimally and precisely as possible):
Scan any Python image containing certifi with version 2023.07.22.
Environment:
```
bash-4.4# grype version
Application:          grype
Version:              0.65.0
Syft Version:         v0.86.1
BuildDate:            2023-08-01T00:36:47Z
GitCommit:            c97048baa1595a481a26f7add8b18d59ec65838a
GitDescription:       v0.65.0
Platform:             linux/amd64
GoVersion:            go1.20.1
Compiler:             gc
Supported DB Schema:  5
```
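The point the report turns on is that `2023.7.22` and `2023.07.22` are the same version under PEP 440 (leading zeros in a release segment carry no meaning), so the constraint `>=2015.04.28,<2023.07.22` should exclude the installed package. The following is an added check, not code from the report or from grype itself: it parses the `versionConstraint` string in the form grype prints it, compares versions as PEP 440 release tuples, and evaluates the reported `matchDetails` entry. The `MATCH_DETAILS` sample is constructed from the JSON above, the function names (`release_key`, `parse_constraint`, `satisfies`, `is_affected`) are my own, and it deliberately handles only plain release versions such as certifi's `YYYY.M.D` scheme, not pre-release, post-release, dev or local segments (the `packaging` library covers those, but it is not assumed to be installed here).

```python
import json
import re
from typing import List, Tuple

# Constructed sample: the matchDetails entry from the report, trimmed to the
# fields this check uses.
MATCH_DETAILS = json.loads("""
{
  "searchedBy": {"package": {"name": "certifi", "version": "2023.7.22"}},
  "found": {
    "versionConstraint": ">=2015.04.28,<2023.07.22 (python)",
    "vulnerabilityID": "GHSA-xqr8-7jwr-rhp7"
  }
}
""")


def release_key(version: str) -> Tuple[int, ...]:
    """Turn a plain PEP 440 release version into a comparable tuple.

    Each dot-separated component is compared numerically, so leading zeros
    are insignificant ("07" == "7"), and trailing zero components are dropped
    so that "2023.7.22.0" == "2023.7.22". Assumption: only release versions
    are handled; anything else is rejected rather than silently mis-ordered.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a plain PEP 440 release version: {version!r}")
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_constraint(constraint: str) -> List[Tuple[str, str]]:
    """Split a grype-style constraint such as '>=2015.04.28,<2023.07.22 (python)'
    into (operator, version) pairs. The trailing '(format)' hint is dropped;
    clauses are comma-separated and all must hold."""
    body = re.sub(r"\s*\([^)]*\)\s*$", "", constraint)
    clauses = []
    for clause in body.split(","):
        m = re.fullmatch(r"\s*(==|!=|>=|<=|>|<)\s*([\w.]+)\s*", clause)
        if not m:
            raise ValueError(f"unparseable constraint clause: {clause!r}")
        clauses.append((m.group(1), m.group(2)))
    return clauses


def satisfies(version: str, constraint: str) -> bool:
    """True if `version` falls inside the (vulnerable) range `constraint`."""
    key = release_key(version)
    return all(OPS[op](key, release_key(bound))
               for op, bound in parse_constraint(constraint))


def is_affected(match: dict) -> bool:
    """Evaluate one grype matchDetails entry with PEP 440 release semantics."""
    pkg = match["searchedBy"]["package"]
    return satisfies(pkg["version"], match["found"]["versionConstraint"])


if __name__ == "__main__":
    pkg = MATCH_DETAILS["searchedBy"]["package"]
    vuln = MATCH_DETAILS["found"]["vulnerabilityID"]
    print(f"{pkg['name']} {pkg['version']} affected by {vuln}: "
          f"{is_affected(MATCH_DETAILS)}")
    print("2023.7.22 == 2023.07.22 under PEP 440:",
          release_key("2023.7.22") == release_key("2023.07.22"))
```

Run against the reported entry this prints `affected: False`, which is the result the advisory's own range implies; the same function can be pointed at any other `matchDetails` entry from a grype JSON report to cross-check a suspicious Python match before filing it.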