
False Positive: GHSA-pq67-6m6q-mj2v (CVE-2025-50181) GHSA-34jh-p97f-mpxf ( CVE-2024-37891) urllib3 coming from Python ecosystem #2978

@sekveaja

Description

What happened:

Scan on image that has python311-urllib3-2.0.7-150400.7.21.1.noarch installed.

It generates this vulnerability:

urllib3 2.0.7 2.5.0 python GHSA-pq67-6m6q-mj2v Medium < 0.1% (2nd) < 0.1

What you expected to happen:

According to SUSE Advisory CVE-2025-50181

See with this link: https://www.suse.com/security/cve/CVE-2025-50181.html

SUSE Linux Enterprise Server 15 SP6
python3-urllib3 >= 1.25.10-150300.4.18.1
python311-urllib3 >= 2.0.7-150400.7.21.1

Installed version in the container: python311-urllib3-2.0.7-150400.7.21.1.noarch

Conclusion:
The SUSE Advisory shows the issue fixed from version python311-urllib3 >= 2.0.7-150400.7.21.1.
The container image is using the same version, python311-urllib3-2.0.7-150400.7.21.1.noarch.
The minimum requirement from SLES 15 SP6 is already met; hence, the vulnerability here is a false positive.
At the OS-ecosystem level, we are at the right recommended level.

However, in the Python ecosystem, Syft sees the base version 2.0.7,
and this probably causes Grype to issue a vulnerability.

If the OS vendor applied a patch:
A) Will it override the programming-language ecosystem?
B) Can Grype ignore the module found in the Python ecosystem?

How to reproduce it (as minimally and precisely as possible):

  1. Create the Dockerfile with this content:

FROM registry.suse.com/suse/sle15:15.6

RUN zypper in -y --no-recommends python311-urllib3=2.0.7-150400.7.21.1
RUN zypper in -y --no-recommends python311-pip=22.3.1-150400.17.16.4

ENTRYPOINT [""]
CMD ["bash"]

  2. Build an image from the Dockerfile

$ docker build --network=host -t "suse15.6_python311-urllib3:v1" .

  3. Verify the package in the container

$ docker run -it suse15.6_python311-urllib3:v1 bash

OS ecosystem:

rpm -qa | grep urllib3

python311-urllib3-2.0.7-150400.7.21.1.noarch

Python311 ecosystem:

pip3.11 list

Package Version


certifi 2023.7.22
cffi 1.15.1
cryptography 41.0.3
idna 3.4
pip 22.3.1
pycparser 2.21
pyOpenSSL 23.2.0
setuptools 67.7.2
urllib3 2.0.7 <---- CVE is coming from the Python ecosystem due to versioning

  4. Run Syft

$ syft suse15.6_python311_urllib3:v1 | grep urllib3
python311-urllib3 2.0.7-150400.7.21.1 rpm
urllib3 2.0.7 python

  5. Test with Grype

$ grype suse15.6_python311_urllib3:v1 | grep urllib3

urllib3 2.0.7 2.2.2 python GHSA-34jh-p97f-mpxf Medium 0.1% (35th) < 0.1
urllib3 2.0.7 2.5.0 python GHSA-pq67-6m6q-mj2v Medium < 0.1% (2nd) < 0.1 (Problem reproduced)

Environment:

  • Output of grype version: 0.99.1
  • OS (e.g: cat /etc/os-release or similar):

NAME="SLES"
VERSION="15-SP6"
VERSION_ID="15.6"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP6"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp6"
DOCUMENTATION_URL="https://documentation.suse.com/"
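One way to handle this class of finding on the Grype side, as an added example that is not from the issue or from the Grype project: a `.grype.yaml` ignore rule scoped to the pypi-ecosystem duplicate of the vendor-patched RPM, so the same GHSA is not silenced for any other package, version or image. It assumes Grype's documented `ignore` rule fields (`vulnerability`, `package.name/version/type/location`) and an assumed site-packages path; confirm the location against Syft's output for your image, and only add a rule for a CVE the vendor advisory actually lists as fixed in the installed RPM version (here CVE-2025-50181, per the SUSE advisory quoted above).

```yaml
# .grype.yaml (added example; not the project's own configuration)
# Suppress only the python-ecosystem copy of urllib3 2.0.7 for the one
# advisory the SUSE CVE page confirms is fixed in the installed RPM.
# The rpm-ecosystem entry (python311-urllib3 2.0.7-150400.7.21.1) is
# deliberately left unmatched so the distro-level comparison still runs.
ignore:
  - vulnerability: GHSA-pq67-6m6q-mj2v   # CVE-2025-50181, fixed per SUSE advisory
    package:
      name: urllib3
      version: 2.0.7
      type: python
      # Assumed install path of the python311-urllib3 RPM; replace with the
      # location Syft reports (syft <image> -o json) for this package.
      location: "/usr/lib/python3.11/site-packages/urllib3*/**"
```

Run `grype --config .grype.yaml --show-suppressed suse15.6_python311_urllib3:v1` to confirm the match is reported as suppressed rather than silently dropped, and re-check the rule whenever the RPM version in the image changes.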
