
feat: ignore overlapping fixed vulns for rpm + more #3326

Draft
kzantow wants to merge 11 commits into anchore:main from kzantow-anchore:feat/ignore-rpm-fixed

Conversation


@kzantow kzantow commented Mar 30, 2026

After #3286, which ignores fixed vulnerabilities by overlapping file path and ownership-by-file-overlap relationship, this PR follows on based on the #3286 changes for RPM and other matchers. This PR (as well as the alternate implementation in #3304) has the result of fixing quite a lot of the reported SLES issues where we have fixed information for specific RPM packages but the Python packages result in the same vulnerability.

An example using SLES 15.6 and urllib3 (with docker build -t suse-overlap:latest):

FROM registry.suse.com/suse/sle15:15.6

RUN zypper install -l -y python3 python3-pip
RUN zypper install -l -y python311

RUN zypper in -y --no-recommends python311-urllib3=2.0.7-150400.7.21.1
RUN python3 -m pip install urllib3==1.25.11

ENTRYPOINT [""]
CMD ["bash"]

Based on the vulnerabilities in the Grype database for 15.6:

$ grype db search python311-urllib3 --distro sles:15.6   
VULNERABILITY   PACKAGE            ECOSYSTEM  NAMESPACE              VERSION CONSTRAINT       
CVE-2016-9015   python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.11.1  
CVE-2018-20060  python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.11.1  
CVE-2019-11236  python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.11.1  
CVE-2019-11324  python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.11.1  
CVE-2019-9740   python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.11.1  
CVE-2020-26137  python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.11.1  
CVE-2021-33503  python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.11.1  
CVE-2023-43804  python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.11.1  
CVE-2023-45803  python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.11.1  
CVE-2024-37891  python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.18.1  
CVE-2025-50181  python311-urllib3  rpm        sles:distro:sles:15.6  < 0:2.0.7-150400.7.21.1

Current grype reports:

$ grype -v suse-overlap:latest --by-cve -q | grep urllib3
urllib3                     1.25.11                 1.26.5                         python     CVE-2021-33503       High      0.9% (75th)    0.7    
urllib3                     1.25.11                 1.26.17                        python     CVE-2023-43804       High      0.9% (75th)    0.6    
urllib3                     1.25.11                 1.26.19                        python     CVE-2024-37891       Medium    0.3% (49th)    0.1    
urllib3                     2.0.7                   2.2.2                          python     CVE-2024-37891       Medium    0.3% (49th)    0.1    
urllib3                     1.25.11                 1.26.18                        python     CVE-2023-45803       Medium    < 0.1% (15th)  < 0.1  
urllib3                     1.25.11                 2.6.0                          python     CVE-2025-66418       High      < 0.1% (8th)   < 0.1  
urllib3                     2.0.7                   2.6.0                          python     CVE-2025-66418       High      < 0.1% (8th)   < 0.1  
urllib3                     1.25.11                 2.6.0                          python     CVE-2025-66471       High      < 0.1% (7th)   < 0.1  
urllib3                     2.0.7                   2.6.0                          python     CVE-2025-66471       High      < 0.1% (7th)   < 0.1  
urllib3                     1.25.11                 2.6.3                          python     CVE-2026-21441       High      < 0.1% (7th)   < 0.1  
urllib3                     2.0.7                   2.6.3                          python     CVE-2026-21441       High      < 0.1% (7th)   < 0.1  
urllib3                     1.25.11                 2.5.0                          python     CVE-2025-50181       Medium    < 0.1% (7th)   < 0.1  
urllib3                     2.0.7                   2.5.0                          python     CVE-2025-50181       Medium    < 0.1% (7th)   < 0.1  

This branch reports:

$ go run ./cmd/grype -v suse-overlap:latest --by-cve -q | grep urllib3
urllib3                     1.25.11                 1.26.5                         python     CVE-2021-33503       High      0.9% (75th)    0.7    
urllib3                     1.25.11                 1.26.17                        python     CVE-2023-43804       High      0.9% (75th)    0.6    
urllib3                     1.25.11                 1.26.19                        python     CVE-2024-37891       Medium    0.3% (49th)    0.1    
urllib3                     1.25.11                 1.26.18                        python     CVE-2023-45803       Medium    < 0.1% (15th)  < 0.1  
urllib3                     1.25.11                 2.6.0                          python     CVE-2025-66418       High      < 0.1% (8th)   < 0.1  
urllib3                     2.0.7                   2.6.0                          python     CVE-2025-66418       High      < 0.1% (8th)   < 0.1  
urllib3                     1.25.11                 2.6.0                          python     CVE-2025-66471       High      < 0.1% (7th)   < 0.1  
urllib3                     2.0.7                   2.6.0                          python     CVE-2025-66471       High      < 0.1% (7th)   < 0.1  
urllib3                     1.25.11                 2.6.3                          python     CVE-2026-21441       High      < 0.1% (7th)   < 0.1  
urllib3                     2.0.7                   2.6.3                          python     CVE-2026-21441       High      < 0.1% (7th)   < 0.1  
urllib3                     1.25.11                 2.5.0                          python     CVE-2025-50181       Medium    < 0.1% (7th)   < 0.1  

Note the removal of:

urllib3                     2.0.7                   2.2.2                          python     CVE-2024-37891       Medium    0.3% (49th)    0.1    
urllib3                     2.0.7                   2.5.0                          python     CVE-2025-50181       Medium    < 0.1% (7th)   < 0.1  

These 2 vulnerabilities are reported in the SUSE data as fixed for the installed version, while the separate 1.25.11 version, which was not installed via SUSE's package manager, retains its vulnerabilities.
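The filtering rule the description above relies on, written out as an added, self-contained illustration for this page; it is not grype's code and does not reproduce the PR's implementation. The `Package`, `Relationship`, `Match` and `DistroFix` types, the `FilterOverlappingFixed` function and the segment-wise `compareVersions` (a deliberate simplification of rpmvercmp) are all assumptions made for the example. The package names and fixed-in versions are taken from the `grype db search` output quoted above; the package IDs and the constructed match list mirror the two urllib3 copies in the test image.

```go
package main

import (
	"cmp"
	"fmt"
	"strconv"
	"strings"
	"unicode"
)

// Simplified catalogue types constructed for this example; not grype's own.
type Package struct{ ID, Name, Version, Type string } // Type is "rpm" or "python"
type Relationship struct{ From, To string }          // ownership-by-file-overlap: RPM From owns the files of To
type Match struct {
	VulnID  string
	Package Package
}
type DistroFix struct{ Name, VulnID, FixedIn string } // distro feed: VulnID fixed in FixedIn for RPM Name

// compareVersions compares RPM-style epoch:version-release strings segment by segment
// (numeric segments numerically, others lexically; missing epoch is 0). Simplified rpmvercmp.
func compareVersions(a, b string) int {
	split := func(v string) []string {
		if !strings.Contains(v, ":") {
			v = "0:" + v
		}
		return strings.FieldsFunc(v, func(r rune) bool { return !unicode.IsLetter(r) && !unicode.IsDigit(r) })
	}
	as, bs := split(a), split(b)
	for i := 0; i < len(as) && i < len(bs); i++ {
		an, aErr := strconv.Atoi(as[i])
		bn, bErr := strconv.Atoi(bs[i])
		c := strings.Compare(as[i], bs[i])
		if aErr == nil && bErr == nil {
			c = cmp.Compare(an, bn)
		}
		if c != 0 {
			return c
		}
	}
	return cmp.Compare(len(as), len(bs))
}

// fixedByOwner reports whether an RPM owning pkg's files is at or past the
// distro's fixed version for vulnID.
func fixedByOwner(pkg Package, vulnID string, pkgs map[string]Package, rels []Relationship, fixes []DistroFix) bool {
	for _, r := range rels {
		owner, ok := pkgs[r.From]
		if r.To != pkg.ID || !ok || owner.Type != "rpm" {
			continue
		}
		for _, f := range fixes {
			if f.Name == owner.Name && f.VulnID == vulnID && compareVersions(owner.Version, f.FixedIn) >= 0 {
				return true
			}
		}
	}
	return false
}

// FilterOverlappingFixed drops matches on non-RPM packages whose owning RPM the distro
// reports as fixed for that vulnerability. Packages with no RPM owner (e.g. pip-installed) are kept.
func FilterOverlappingFixed(matches []Match, pkgs map[string]Package, rels []Relationship, fixes []DistroFix) (kept, ignored []Match) {
	for _, m := range matches {
		if m.Package.Type != "rpm" && fixedByOwner(m.Package, m.VulnID, pkgs, rels, fixes) {
			ignored = append(ignored, m)
		} else {
			kept = append(kept, m)
		}
	}
	return kept, ignored
}

// Constructed scenario from the PR description: urllib3 2.0.7 installed by the
// SLES RPM, urllib3 1.25.11 by pip. Fix versions come from the db search above.
var (
	rpmPkg    = Package{ID: "rpm-urllib3", Name: "python311-urllib3", Version: "2.0.7-150400.7.21.1", Type: "rpm"}
	pyFromRPM = Package{ID: "py-urllib3-rpm", Name: "urllib3", Version: "2.0.7", Type: "python"}
	pyFromPip = Package{ID: "py-urllib3-pip", Name: "urllib3", Version: "1.25.11", Type: "python"}

	samplePkgs  = map[string]Package{rpmPkg.ID: rpmPkg, pyFromRPM.ID: pyFromRPM, pyFromPip.ID: pyFromPip}
	sampleRels  = []Relationship{{From: rpmPkg.ID, To: pyFromRPM.ID}}
	sampleFixes = []DistroFix{
		{Name: "python311-urllib3", VulnID: "CVE-2024-37891", FixedIn: "0:2.0.7-150400.7.18.1"},
		{Name: "python311-urllib3", VulnID: "CVE-2025-50181", FixedIn: "0:2.0.7-150400.7.21.1"},
	}
	sampleMatches = []Match{ // python matcher results for both urllib3 copies (constructed)
		{"CVE-2024-37891", pyFromRPM}, {"CVE-2025-50181", pyFromRPM}, {"CVE-2025-66418", pyFromRPM},
		{"CVE-2024-37891", pyFromPip}, {"CVE-2025-50181", pyFromPip},
	}
)

func main() {
	kept, ignored := FilterOverlappingFixed(sampleMatches, samplePkgs, sampleRels, sampleFixes)
	fmt.Printf("reported %d matches, ignored %d as fixed by the owning RPM:\n", len(kept), len(ignored))
	for _, m := range ignored {
		fmt.Printf("  %s %s %s\n", m.Package.Name, m.Package.Version, m.VulnID)
	}
}
```

Only the two matches on the RPM-owned 2.0.7 copy that SLES marks as fixed are dropped; CVE-2025-66418 on the same copy stays because the distro feed has no fix entry for it, and every match on the pip-installed 1.25.11 copy stays because no RPM owns its files. A real implementation would use rpmvercmp proper (or an equivalent library) instead of the simplified comparison here.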

…rror

Signed-off-by: Keith Zantow <kzantow@gmail.com>