
False Positive: GHSA-248v-346w-9cwc (CVE-2024-39689) certifi coming from Python ecosystem #3083

@etarast

Description

What happened:

Scanning an image that has python311-certifi-2023.7.22-150400.12.6.2.noarch installed.

It generates this vulnerability:

certifi 2023.7.22 2024.7.4 python GHSA-248v-346w-9cwc Low 21.2% (95th) 6.4

What you expected to happen:

According to the GitHub Advisory GHSA-248v-346w-9cwc it should be patched to 2024.7.4,
BUT
according to the SUSE Advisory https://www.suse.com/security/cve/CVE-2024-39689.html it is "Not affected".
QUESTION:
Shouldn't Grype take the decision based on the OS vendor in this case?

SUSE Linux Enterprise Server 15 SP5
python-certifi Not affected

Installed version in the container: python311-certifi-2023.7.22-150400.12.6.2.noarch

Conclusion:
The SUSE advisory shows "Not affected".
The container image is using the same version, python311-certifi-2023.7.22-150400.12.6.2.noarch.
The requirement from SLES 15 SP5 is already met; hence, the vulnerability here is a false positive.
In the OS ecosystem, we are at the recommended level.

If the OS vendor applied a patch:
A) Will it override the programming language?
B) Can Grype ignore a module found in the Python ecosystem?

How to reproduce it (as minimally and precisely as possible):

Create a Dockerfile with this content:
FROM registry.suse.com/suse/sle15:15.6

RUN zypper in -y --no-recommends python311-certifi=2023.7.22-150400.12.6.2

ENTRYPOINT [""]
CMD ["bash"]

Build an image from the Dockerfile:
$ docker build --network=host -t "suse15.5_certifi:v1" .

Verify the package in the container:
$ docker run -it suse15.5_certifi:v1 bash

OS ecosystem:
rpm -qa | grep certifi
python311-certifi-2023.7.22-150400.12.6.2.noarch

Run Syft:
$ syft suse15.5_certifi:v1 | grep -i certifi
ca-certificates 2+git20240416.98ae794-150300.4.3.3 rpm
ca-certificates-mozilla 2.74-150200.41.1 rpm
certifi 2023.7.22 python
python311-certifi 2023.7.22-150400.12.6.2 rpm

Test with Grype:
$ grype --distro sles:15.5 suse15.5_certifi:v1 | grep -i certifi
certifi 2023.7.22 2024.7.4 python GHSA-248v-346w-9cwc Low 21.2% (95th) 6.4 (Problem reproduced)

Environment:

Output of grype version: 0.104.0
OS (e.g: cat /etc/os-release or similar):
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
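As an added example (not part of the issue and not the Grype project's own code), a `.grype.yaml` ignore rule scoped to exactly the advisory, package name, version and ecosystem from the report above. It suppresses only the duplicate Python-ecosystem match and does not change how the python311-certifi RPM is matched against the SUSE data:

```yaml
# .grype.yaml, placed in the directory grype runs from or passed with --config.
ignore:
  # Suppress only the python-ecosystem match for certifi 2023.7.22 that
  # duplicates the RPM-owned package; SUSE marks this version "Not affected".
  # Every field must match, so other certifi versions and other advisories
  # against this package are still reported.
  - vulnerability: GHSA-248v-346w-9cwc
    package:
      name: certifi
      version: 2023.7.22
      type: python
```

Matches suppressed by such a rule remain visible with `grype --show-suppressed`, so the decision can be audited instead of the finding silently disappearing.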


Labels: bug (Something isn't working), package-overlap (Issues where two packages, e.g. a pypi package and an RPM, own overlapping files)
