
There appears to be a False Positive CVE-2022-32511 #554

Open
samcornwell opened this issue Dec 19, 2024 · 2 comments
samcornwell commented Dec 19, 2024

I have a container using py3-jmespath as an apk package in alpine. I'm getting this in my grype output:

user@machine:~$ grype <image> | grep -E "(Critical|High|Medium)\s*$"
 ✔ Loaded image                                                                                      <image>
 ✔ Parsed image                                                                                        sha256:5969162d15686a0d460a4ba701a91b7c3c3466aa95fdf4cf9958c190beea77d7
 ✔ Cataloged contents                                                                                         dbd2e1c6c93d09473e73ccc4f421d534783e4bb203f6fa9996560d2bf9c56ffd
   ├── ✔ Packages                        [113 packages]  
   ├── ✔ File digests                    [5,186 files]  
   ├── ✔ File metadata                   [5,186 locations]  
   └── ✔ Executables                     [201 executables]  
 ✔ Scanned for vulnerabilities     [5 vulnerability matches]  
   ├── by severity: 1 critical, 0 high, 4 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 5 not-fixed, 0 ignored 
coreutils            9.5-r1               apk   CVE-2016-2781   Medium    
coreutils-env        9.5-r1               apk   CVE-2016-2781   Medium    
coreutils-fmt        9.5-r1               apk   CVE-2016-2781   Medium    
coreutils-sha512sum  9.5-r1               apk   CVE-2016-2781   Medium    
py3-jmespath         1.0.1-r3             apk   CVE-2022-32511  Critical

However, that CVE only applies to the ruby version of jmespath.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32511

I find no CVEs in the databases associated with jmespath of python.

Even more interesting is my dashboard shows this:

[image: dashboard screenshot]

It reports that there is a fix available, but that version does not exist. 1.0.1 is the newest.

You can see where it gets 1.6.1 if you click on the link in my CVE dashboard:
jmespath/jmespath.rb@v1.6.0...v1.6.1

This shows the patch to tag version number 1.6.1 in jmespath.rb. Just to be clear, there IS a python version of jmespath:
https://github.com/jmespath/jmespath.py

And python appears to be what the apk package py3-jmespath is using:
[image: package screenshot]

So... there are a few things going on here. But the earliest issue in the chain appears to be grype categorizing the py-jmespath as having the Ruby version CVE. Do you know where this might be occurring more specifically? The lesser issue appears to be that the vulnerability-operator is saying to upgrade to `1.6.1`, probably just because it's confused that a CVE is being reported from grype at all.

@samcornwell

Posted in grype issues:
anchore/grype#2348


samcornwell commented Dec 24, 2024

It seems this is a problem with the grype/syft CPE matching, so probably not much to do here .... but I'll leave it open for the time being. I think it is fundamentally a problem with not being able to tell the difference between a ruby, node, python, etc package if it's installed through the system package manager. Browsing through the syft code, it SEEMS like they already try to take this into account by identifying python packages as starting with py3-, but it's not working in this case, although I don't fully understand the code base.
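
The name-collision problem described in this thread (a distro package whose bare name matches a CPE product from a different language ecosystem) can be illustrated with a small, self-contained matcher. The following is an added example, not syft's or grype's code: the prefix-to-ecosystem table, the `Cpe` shape, and the vulnerability CPE `jmespath:jmespath` with `target_sw=ruby` are all constructed assumptions for illustration, not values taken from NVD or from the syft code base.

```python
from dataclasses import dataclass

# Constructed table of Alpine package-name prefixes and the CPE target_sw
# value they conventionally indicate. Hypothetical, not syft's mapping.
PREFIX_TO_TARGET_SW = {
    "py3-": "python",
    "ruby-": "ruby",
    "nodejs-": "node.js",
    "perl-": "perl",
}


@dataclass(frozen=True)
class Cpe:
    """Minimal CPE-like record: vendor, product and the target_sw field.

    "*" in target_sw means "any ecosystem" (unknown / unspecified)."""
    vendor: str
    product: str
    target_sw: str


def infer_target_sw(apk_name: str) -> str:
    """Derive the ecosystem from a distro package-name prefix, else '*'."""
    for prefix, target in PREFIX_TO_TARGET_SW.items():
        if apk_name.startswith(prefix):
            return target
    return "*"


def strip_prefix(apk_name: str) -> str:
    """Drop a recognised language prefix so 'py3-jmespath' -> 'jmespath'."""
    for prefix in PREFIX_TO_TARGET_SW:
        if apk_name.startswith(prefix):
            return apk_name[len(prefix):]
    return apk_name


def candidate_cpe(apk_name: str) -> Cpe:
    """Build the candidate CPE a cataloger might generate for an apk package."""
    base = strip_prefix(apk_name)
    return Cpe(vendor=base, product=base, target_sw=infer_target_sw(apk_name))


def naive_match(pkg: Cpe, vuln: Cpe) -> bool:
    """Product/vendor only: ignores the ecosystem, so ecosystems collide."""
    return pkg.vendor == vuln.vendor and pkg.product == vuln.product


def ecosystem_aware_match(pkg: Cpe, vuln: Cpe) -> bool:
    """Also require target_sw to agree when both sides specify one.

    If either side is '*' the ecosystem is unknown and the match is kept,
    which is the conservative choice for an unprefixed package name."""
    if not naive_match(pkg, vuln):
        return False
    if pkg.target_sw != "*" and vuln.target_sw != "*":
        return pkg.target_sw == vuln.target_sw
    return True


# Constructed vulnerability record standing in for a Ruby-only jmespath CVE.
RUBY_JMESPATH_VULN = Cpe(vendor="jmespath", product="jmespath", target_sw="ruby")


def scan(apk_names: list[str], vuln: Cpe, ecosystem_aware: bool) -> list[str]:
    """Return the apk package names that match the vulnerability."""
    matcher = ecosystem_aware_match if ecosystem_aware else naive_match
    return [name for name in apk_names if matcher(candidate_cpe(name), vuln)]


if __name__ == "__main__":
    pkgs = ["py3-jmespath", "ruby-jmespath", "jmespath", "coreutils"]
    print("naive:          ", scan(pkgs, RUBY_JMESPATH_VULN, ecosystem_aware=False))
    print("ecosystem-aware:", scan(pkgs, RUBY_JMESPATH_VULN, ecosystem_aware=True))
```

Run stand-alone, the naive pass flags `py3-jmespath`, `ruby-jmespath` and the bare `jmespath` for the Ruby-only record, reproducing the false positive from the report; the ecosystem-aware pass drops `py3-jmespath` but keeps `ruby-jmespath` and, because nothing in the bare name says which language it is, the unprefixed `jmespath`. That residual match is the author's underlying point: without a language hint from the package manager, a scanner has no safe way to exclude the package.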
