False positive:GHSA-wf44-4mgj-rwvx( CVE-2015-3221) neutron 17.x.x, recommend fixed with 2014.x older versioning convention

[sekveaja]

IDs

GHSA-wf44-4mgj-rwvx( CVE-2015-3221)

Description

Scan on image that has python3-neutron-17.1.3.dev3-1000.R12A04.noarch installed.
It generates vulnerabilities:

neutron (PKG-INFO) │ CVE-2015-3221 │ MEDIUM │ fixed │ 17.3.0 │ 2014.2.4, 2015.1.1 │ openstack-neutron: L2 agent DoS through incorrect allowed │

OpenStack changed versioning system between Kilo and Liberty in 2015. Up to Kilo they used the year as a base resulting in 20xx.x.x versions. From Liberty they started to use semantic versioning in every project.
This resulted lower version numbers for the newer projects that the tools cannot handle now.
e.g. Neutron became 7.0.0 in Liberty after the 2015.1.4 Kilo version

https://releases.openstack.org/liberty/index.html
https://releases.openstack.org/kilo/index.html

The recommend fixed refer to 2014.2.4, 2015.1.1 which is old version naming convention. We are using 17.x.x which the new version convention.
We believe this is a bug or false positive.

Attached is spec file for reproduction
neutron.spec.txt

Reproduction Steps

A) Setup build environment
$sudo dnf install rpm-build rpmdevtools git python3-devel

B) Create the RPM Build Environment
$ rpmdev-setuptree

C) Download source code with specific version.
$ cd ~/rpmbuild/SOURCES
$ wget https://tarballs.opendev.org/openstack/neutron/neutron-17.3.0.tar.gz

D) Get spec file provided and store to  ~/rpmbuild/SPECS
$ mv neutron.spec,txt ~/rpmbuild/SPECS/neutron.spec

E) Build the RPM
rpmbuild -ba ~/rpmbuild/SPECS/neutron.spec

Note:  If the build is successful, the RPM package will be located in ~/rpmbuild/RPMS/noarch/.

F) Verify the RPM file
$ ls ~/rpmbuild/RPMS/noarch/
neutron-17.3.0-1.el8.noarch.rpm

G) Apply Checksum on the RPM file
$ cd ~/rpmbuild/RPMS/noarch/
$ sha256sum neutron-17.3.0-1.el8.noarch.rpm > neutron-17.3.0-1.el8.noarch.rpm.sha256

H) Edit Dockerfile and add as followed:

   FROM registry.suse.com/suse/sle15:15.5

   COPY neutron-17.3.0-1.el8.noarch.rpm /tmp/
   COPY neutron-17.3.0-1.el8.noarch.rpm.sha256 /tmp/
   RUN cd /tmp && sha256sum -c neutron-17.3.0-1.el8.noarch.rpm.sha256

   RUN rpm -ivh --nodeps /tmp/neutron-17.3.0-1.el8.noarch.rpm

   ENTRYPOINT [""]
   CMD ["bash"]

I)  Build a custom image for test

$ docker build -t "suse15.5_python3-neutron:v1"

J) Test with Trivy on custom image

$ trivy image suse15.5_python3-neutron:v1

 neutron (PKG-INFO) │ CVE-2015-3221 │ MEDIUM   │ fixed    │ 17.3.0            │ 2014.2.4, 2015.1.1     │ openstack-neutron: L2 agent DoS through incorrect allowed   │
│                    │               │          │          │                   │                        │ address pairs                                               │
│                    │               │          │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2015-3221                   │

Target

Container Image

Scanner

Vulnerability

Target OS

SUSE 15 SP5

Debug Output

Please try with reproduction step.

Version

Version: 0.57.0

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @sekveaja
Unfortunately, we cannot anticipate all cases when libraries change their versioning style.

Trivy has options for ignoring and filtering vulnerabilities.
Although in your case I would suggest writing a small module that would handle vulnerabilities for a specific library.

Regards, Dmitriy