False Positive: GHSA-jvgm-pfqv-887x CVE-2016-7954 not affected in SUSE ecosystem #1849

sekveaja · 2024-05-08T18:22:57Z

Scan on image that has ruby2.5-rubygem-bundler-1.16.1-3.3.1.x86_64 installed.
It generates critical vulnerability

"vulnerability": {
"id": "GHSA-jvgm-pfqv-887x",
"dataSource": "GHSA-jvgm-pfqv-887x",
"namespace": "github:language:ruby",
"severity": "Critical",
"urls": [
"https://github.com/advisories/GHSA-jvgm-pfqv-887x"
],
:
:
"relatedVulnerabilities": [
{
"id": "CVE-2016-7954",
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-7954",
"namespace": "nvd:cpe",
"severity": "Critical",
"urls": [

"artifact": {
"id": "e636f1dfae2e620b",
"name": "bundler",
"version": "1.16.1",
"type": "gem",
"locations": [
{
"path": "/usr/lib64/ruby/gems/2.5.0/specifications/bundler-1.16.1.gemspec",
"layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
}
],
"language": "ruby",

What you expected to happen:

According to SUSE Advisory CVE-2016-7954 is not affected on SLES 15.5

https://www.suse.com/security/cve/CVE-2016-7954.html

SUSE Linux Enterprise Server 15 SP5 rubygem-bundler Not affected
SUSE Linux Enterprise Server 15 SP6 rubygem-bundler Not affected

How to reproduce it (as minimally and precisely as possible):

Create Dockerfile with this information

FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends ruby2.5-rubygem-bundler=1.16.1-3.3.1
ENTRYPOINT [""]
CMD ["bash"]

Build the image and test

docker build -t "suse15.5_test:v1" ./Dockerfile
grype suse15.5_test:v1

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
bundler 1.16.1 2.0.0 gem GHSA-jvgm-pfqv-887x Critical <== Critical Vulnerability generated
bundler 1.16.1 2.1.0 gem GHSA-g98m-96g9-wfjq High
bundler 1.16.1 2.2.10 gem GHSA-fp4w-jxhp-m23p High
bundler 1.16.1 2.2.33 gem GHSA-fj7f-vq84-fh43 Medium
date 1.0.0 2.0.1 gem GHSA-qg54-694p-wgpp High

Adding distribution
$ grype --distro sles:15.5 suse15.5_test:v1
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
bundler 1.16.1 2.0.0 gem GHSA-jvgm-pfqv-887x Critical <===== No change
bundler 1.16.1 2.1.0 gem GHSA-g98m-96g9-wfjq High
bundler 1.16.1 2.2.10 gem GHSA-fp4w-jxhp-m23p High

Anything else we need to know?:

Environment:

Output of grype version: grype 0.76.0
OS (e.g: cat /etc/os-release or similar):
$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"

The text was updated successfully, but these errors were encountered:

kzantow · 2025-05-12T14:35:13Z

I think this will be corrected when comprehensive SUSE data is in the Grype DB: anchore/vunnel#626

sekveaja added the bug Something isn't working label May 8, 2024

anchoretoolsops added this to OSS May 8, 2024

willmurphyscode added the false-positive label May 14, 2024

kzantow moved this to Backlog in OSS May 12, 2025

5F36

kzantow added the distro:sles label May 12, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

False Positive: GHSA-jvgm-pfqv-887x CVE-2016-7954 not affected in SUSE ecosystem #1849

False Positive: GHSA-jvgm-pfqv-887x CVE-2016-7954 not affected in SUSE ecosystem #1849

False Positive: GHSA-jvgm-pfqv-887x CVE-2016-7954 not affected in SUSE ecosystem #1849

False Positive: GHSA-jvgm-pfqv-887x CVE-2016-7954 not affected in SUSE ecosystem #1849

Comments