False Positive: GHSA-248v-346w-9cwc (CVE-2024-39689) certifi coming from Python ecosystem #3083

@etarast

Description

What happened:

Scanning an image that has python311-certifi-2023.7.22-150400.12.6.2.noarch installed.

It generates this vulnerability:

certifi 2023.7.22 2024.7.4 python GHSA-248v-346w-9cwc Low 21.2% (95th) 6.4

What you expected to happen:

According to the GitHub Advisory GHSA-248v-346w-9cwc it should be patched to 2024.7.4,
BUT
according to the SUSE Advisory https://www.suse.com/security/cve/CVE-2024-39689.html it is "Not affected".
QUESTION:
Shouldn't Grype take the decision based on the OS vendor in this case?

SUSE Linux Enterprise Server 15 SP5
python-certifi Not affected

Installed version in the container: python311-certifi-2023.7.22-150400.12.6.2.noarch

Conclusion:
The SUSE advisory shows "Not affected".
The container image is using the same version, python311-certifi-2023.7.22-150400.12.6.2.noarch.
The requirement from SLES 15 SP5 is already met; hence, the vulnerability here is a false positive.
At the OS ecosystem, we are at the right recommended level.

If the OS vendor applied the patch:
A) Will it override the programming-language ecosystem?
B) Can Grype ignore the module found in the Python ecosystem?

How to reproduce it (as minimally and precisely as possible):

Create the Dockerfile with this content:
FROM registry.suse.com/suse/sle15:15.6

RUN zypper in -y --no-recommends python311-certifi=2023.7.22-150400.12.6.2

ENTRYPOINT [""]
CMD ["bash"]

Build an image from Dockerfile
$ docker build --network=host -t "suse15.5_certifi:v1" .

Verify package in the container
$ docker run -it suse15.5_certifi:v1 bash

OS ecosystem:
rpm -qa | grep certifi
python311-certifi-2023.7.22-150400.12.6.2.noarch

Run Syft
$ syft suse15.5_certifi:v1 | grep -i certifi
ca-certificates 2+git20240416.98ae794-150300.4.3.3 rpm
ca-certificates-mozilla 2.74-150200.41.1 rpm
certifi 2023.7.22 python
python311-certifi 2023.7.22-150400.12.6.2 rpm

Test with Grype
$ grype --distro sles:15.5 suse15.5_certifi:v1 | grep -i certifi
certifi 2023.7.22 2024.7.4 python GHSA-248v-346w-9cwc Low 21.2% (95th) 6.4 (Problem reproduced)

Environment:

Output of grype version: 0.104.0
OS (e.g: cat /etc/os-release or similar):
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
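The overlap the report describes (the same certifi files surfacing both as an RPM and as a Python package) can be checked mechanically from the two tools' JSON output. The script below is an added example, not code from the issue or from Grype/Syft: it maps RPM-owned file paths from a Syft SBOM to their owning package and marks each Grype match whose evidence paths are all RPM-owned as governed by the distro advisory rather than the upstream fix version. The JSON key layout, the install paths and the second pip-installed copy of certifi are constructed assumptions.

```python
import json
from typing import Dict, List

# Constructed sample data, trimmed to the keys this script reads. Assumption:
# Syft JSON lists RPM-owned files at artifacts[].metadata.files[].path and
# Grype JSON lists match evidence at matches[].artifact.locations[].path.
SITE = "/usr/lib/python3.11/site-packages"  # constructed install path
PKG_INFO = f"{SITE}/certifi-2023.7.22-py3.11.egg-info/PKG-INFO"
SYFT_SBOM = {"artifacts": [
    {"name": "python311-certifi", "version": "2023.7.22-150400.12.6.2", "type": "rpm",
     "metadata": {"files": [{"path": f"{SITE}/certifi/__init__.py"}, {"path": PKG_INFO}]}},
    {"name": "certifi", "version": "2023.7.22", "type": "python",
     "locations": [{"path": PKG_INFO}]},
]}
GRYPE_REPORT = {"matches": [
    {"vulnerability": {"id": "GHSA-248v-346w-9cwc", "severity": "Low"},
     "artifact": {"name": "certifi", "version": "2023.7.22", "type": "python",
                  "locations": [{"path": PKG_INFO}]}},
    # Constructed second copy installed with pip into a venv: no RPM owns it.
    {"vulnerability": {"id": "GHSA-248v-346w-9cwc", "severity": "Low"},
     "artifact": {"name": "certifi", "version": "2023.7.22", "type": "python",
                  "locations": [{"path": "/opt/app/venv/lib/python3.11/site-packages/"
                                         "certifi-2023.7.22.dist-info/METADATA"}]}},
]}

def rpm_file_owners(sbom: dict) -> Dict[str, str]:
    """Map each file path recorded in the RPM database to the package that owns it."""
    owners: Dict[str, str] = {}
    for art in sbom.get("artifacts", []):
        if art.get("type") == "rpm":
            for f in art.get("metadata", {}).get("files", []):
                owners[f["path"]] = art["name"]
    return owners

def triage(report: dict, owners: Dict[str, str]) -> List[dict]:
    """Flag a match as vendor_owned when every evidence path belongs to an RPM."""
    rows = []
    for m in report.get("matches", []):
        art = m["artifact"]
        paths = [loc["path"] for loc in art.get("locations", [])]
        owned_by = sorted({owners[p] for p in paths if p in owners})
        rows.append({"vuln": m["vulnerability"]["id"], "type": art["type"],
                     "pkg": f'{art["name"]}@{art["version"]}',
                     "vendor_owned": bool(paths) and all(p in owners for p in paths),
                     "owned_by": owned_by})
    return rows

if __name__ == "__main__":
    for row in triage(GRYPE_REPORT, rpm_file_owners(SYFT_SBOM)):
        print(json.dumps(row))
```

A vendor_owned row points at the distro advisory for the named RPM; a row with an empty owned_by is an independently installed copy that the upstream advisory still applies to.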
