Description
What happened:
Grype still finds CVE-2024-53899 on patched rockylinux
MatchDetails from grype output:

```json
"matchDetails": [
  {
    "type": "exact-direct-match",
    "matcher": "rpm-matcher",
    "searchedBy": {
      "distro": {
        "type": "rockylinux",
        "version": ""
      },
      "package": {
        "name": "python36",
        "version": "0:3.6.8-39.module+el8.10.0+1910+234ad790"
      },
      "namespace": "redhat:distro:redhat:8"
    },
    "found": {
      "vulnerabilityID": "CVE-2024-53899",
      "versionConstraint": "< 0:3.6.8-39.module+el8.10.0+20784+edafcd43 (rpm)"
    },
    "fix": {
      "suggestedVersion": "0:3.6.8-39.module+el8.10.0+20784+edafcd43"
    }
  }
],
```
The installed version is "3.6.8-39.module+el8.10.0+1910+234ad790", but RHEL patched it in "3.6.8-39.module+el8.10.0+20784+edafcd43".
Red Hat (https://access.redhat.com/errata/RHSA-2024:10953) confirms "3.6.8-39.module+el8.10.0+20784+edafcd43" is the fixed version; Rocky Linux uses a different build, though.
The Rocky website (https://errata.rockylinux.org/RLSA-2024:10953) shows the fix in "python36-3.6.8-39...+1592"; the user has +1910, so it is newer. Confirmed false positive.
In the grype source code, rockylinux is explicitly matched against the RHEL db, so I have no idea how this could be fixed:
1. write a new matcher for rockylinux (something like almalinux)
2. add a rule to the db and override until the RHEL db gets updated
3. anything else?
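The comparison behind this false positive, as an added example that is not part of the issue and not grype's or librpm's own code: a pure-Python port of the `rpmvercmp()` segment algorithm, an EVR (epoch:version-release) splitter, and a small evaluator for a grype-style `versionConstraint` such as `< EVR (rpm)`. The installed EVR and the RHEL constraint are taken verbatim from the grype output above. The Rocky EVR is an assumption: the issue only shows `python36-3.6.8-39...+1592`, so the example fills in the same `.module+el8.10.0` pattern as the RHEL build and a placeholder hash suffix; the placeholder never affects the result, because rpmvercmp decides on the `1910` versus `1592` build-number segment before it reaches the hash.

```python
"""Added example (not grype code): why one RPM version is 'vulnerable' against the
RHEL fix EVR but 'fixed' against the Rocky fix EVR for the same advisory."""
import re


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1, following librpm's rpmvercmp() segment rules."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # skip separators: anything that is not alphanumeric, '~' or '^'
        while i < la and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        # '~' sorts before everything, including the end of the string
        if (i < la and a[i] == "~") or (j < lb and b[j] == "~"):
            if not (i < la and a[i] == "~"):
                return 1
            if not (j < lb and b[j] == "~"):
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' sorts after the end of the string but before any other segment
        if (i < la and a[i] == "^") or (j < lb and b[j] == "^"):
            if i >= la:
                return -1
            if j >= lb:
                return 1
            if a[i] != "^":
                return 1
            if b[j] != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= la or j >= lb:
            break
        # next segment is a run of digits or a run of letters, decided by string a
        isnum = a[i].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        si = i
        while i < la and pred(a[i]):
            i += 1
        sj = j
        while j < lb and pred(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:
            # segment types differ; numeric segments are always newer than alpha ones
            return 1 if isnum else -1
        if isnum:
            # drop leading zeros, then the longer digit string is the larger number
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= la and j >= lb:
        return 0
    # whichever string still has characters left over wins
    return -1 if i >= la else 1


def parse_evr(evr: str) -> tuple:
    """Split 'epoch:version-release' into (epoch, version, release); epoch defaults to '0'."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings the way rpm does: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


_CONSTRAINT = re.compile(r"^\s*(<=|>=|<|>|=)\s*(\S+)\s*(?:\(rpm\))?\s*$")


def is_vulnerable(installed: str, constraint: str) -> bool:
    """True when `installed` satisfies a grype versionConstraint like '< EVR (rpm)'."""
    m = _CONSTRAINT.match(constraint)
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op, bound = m.groups()
    rc = evrcmp(installed, bound)
    return {"<": rc < 0, "<=": rc <= 0, ">": rc > 0, ">=": rc >= 0, "=": rc == 0}[op]


INSTALLED = "0:3.6.8-39.module+el8.10.0+1910+234ad790"  # from the grype output in the issue
RHEL_CONSTRAINT = "< 0:3.6.8-39.module+el8.10.0+20784+edafcd43 (rpm)"  # from the grype output
# Assumed Rocky fix EVR: the issue only shows "...+1592"; the '+00000000' hash is a placeholder.
ROCKY_CONSTRAINT = "< 0:3.6.8-39.module+el8.10.0+1592+00000000 (rpm)"


def explain(installed: str = INSTALLED) -> dict:
    """Evaluate the same installed EVR against the RHEL and the (assumed) Rocky fix."""
    return {
        "rhel_says_vulnerable": is_vulnerable(installed, RHEL_CONSTRAINT),
        "rocky_says_vulnerable": is_vulnerable(installed, ROCKY_CONSTRAINT),
    }


if __name__ == "__main__":
    print(explain())
```

The two constraints share every segment up to the module build number, so the verdict rests entirely on `1910 < 20784` (RHEL) versus `1910 > 1592` (Rocky); those build numbers are assigned by each distro's own build system, which is why a RHEL fix EVR says nothing about whether a Rocky package carries the patch.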