False Positive: GHSA-5mj6-643f-2g85 (CVE-2013-2256),.... python3-nova Openstack

[sekveaja]

IDs

CVE-2013-2256, CVE-2013-4179, CVE-2014-3517, CVE-2014-3608, CVE-2014-3708, CVE-2015-0259, CVE-2015-3241

Description

According to this link for Openstack:
https://releases.openstack.org/teams/nova.html
There is a change in version convention from Liberty release until to today.

Old Serie:

Kilo release series is
2015.1.4
2015.1.3
2015.1.2
2015.1.1
2015.1.0

New version convention:

From Liberty release series to today
12.0.6
12.0.5
12.0.4
:

The release that is reported for this issue is Victoria version 22.2.2.:
( 9 release more recent than Liberty series)
22.4.0
22.3.0
22.2.2 <---
22.2.1
:

Conclusion:
Due to the change of version from Liberty release series, the tool is not really taking account of the change.
If it takes only reference from from NVD or GitHub, I believe it is wrong in this case.

Reproduction Steps

Unfortunately, we couldn't find a public repository that has this release
python3-nova-22.2.2.dev15-1000.R11A02.noarch.

However, this can be download from Openstack
wget https://tarballs.openstack.org/nova/nova-22.2.2.tar.gz

To see the version changing, please refer to 
https://releases.openstack.org/teams/nova.html

Target

Container Image

Scanner

Vulnerability

Target OS

SUSE 15 SP5

Debug Output

───────────────────────┤
│ nova (PKG-INFO)     │ CVE-2013-2256  │          │        │ 22.2.2.dev15      │ 2013.1.3               │ OpenStack: Nova private flavors resource limit circumvention │
│                     │                │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2013-2256                    │
│                     ├────────────────┤          │        │                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2013-4179  │          │        │                   │ 2013.2                 │ OpenStack: Nova XML entities DoS                             │
│                     │                │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2013-4179                    │
│                     ├────────────────┤          │        │                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2014-3517  │          │        │                   │ 2013.2.4, 2014.1.2     │ openstack-nova: timing attack issue allows access to other   │
│                     │                │          │        │                   │                        │ instances' configuration information                         │
│                     │                │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2014-3517                    │
│                     ├────────────────┤          │        │                   ├────────────────────────┼──────────────────────────────────────────────────────────────┤

Version

$ trivy --version
Version: 0.50.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-07-08 18:11:40.452212609 +0000 UTC
  NextUpdate: 2024-07-09 00:11:40.452212459 +0000 UTC
  DownloadedAt: 2024-07-08 20:41:29.716067452 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-05-10 01:14:03.136346195 +0000 UTC
  NextUpdate: 2024-05-13 01:14:03.136346075 +0000 UTC
  DownloadedAt: 2024-05-10 03:07:07.929529541 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct