Possible FP - CVE-2020-1747 in amazon image

[TimBrown1611]

IDs

CVE-2020-1747

Description

I scanned an image and got CVE-2020-1747
At first look it seems alright, since the version of the python package is indeed vulnerable.
But, this image is based on amazon so I've also looked at their website and saw this CVE is not effected.
here is the link -
https://explore.alas.aws.amazon.com/CVE-2020-1747.html

I don't see any information about the "explore" page of this advisory.

Reproduction Steps

1. here is the Dockerfile:
FROM amazonlinux:2023.5.20240624.0@sha256:5bf791027b4659e73c33a88a3fa2b314b8e2c0ee60cb1088a097171ee7f180db

# Update repositories and install necessary packages
RUN yum update -y && \
    yum install -y tar gzip python3-pip gcc python3-devel

# Download and install PyYAML 5.1.1 from source
RUN curl -L -o PyYAML-5.1.1.tar.gz https://github.com/yaml/pyyaml/archive/refs/tags/5.1.1.tar.gz && \
    tar -xzf PyYAML-5.1.1.tar.gz && \
    cd pyyaml-5.1.1 && \
    python3 setup.py install && \
    cd .. && \
    rm -rf PyYAML-5.1.1.tar.gz pyyaml-5.1.1

# Optionally, you can list installed packages to confirm
RUN pip3 show PyYAML

2. docker build -t <image_name> <path_to_Dockerfike>
3. docker save -o <image_name>.tar <image_name>
4. trivy image --input <image_name>.tar --debug
...

Target

Container Image

Scanner

Vulnerability

Target OS

Amazon 2023

Debug Output

4-08-18T10:33:27+03:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-08-18T10:33:27+03:00	DEBUG	Ignore statuses	statuses=[]
2024-08-18T10:33:27+03:00	INFO	[db] Need to update DB
2024-08-18T10:33:27+03:00	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
51.57 MiB / 51.57 MiB [----------------------------------------------------------------------------] 100.00% 16.10 MiB p/s 3.4s
2024-08-18T10:33:34+03:00	DEBUG	Updating database metadata...
2024-08-18T10:33:34+03:00	DEBUG	DB info	schema=2 updated_at=2024-08-18T06:11:24.248308265Z next_update=2024-08-18T12:11:24.248307875Z downloaded_at=2024-08-18T07:33:34.04139Z
2024-08-18T10:33:34+03:00	DEBUG	[pkg] Package types	types=[os library]
2024-08-18T10:33:34+03:00	DEBUG	[pkg] Package relationships	relationships=[unknown root direct indirect]
2024-08-18T10:33:34+03:00	INFO	[vuln] Vulnerability scanning is enabled
2024-08-18T10:33:34+03:00	INFO	[secret] Secret scanning is enabled
2024-08-18T10:33:34+03:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-18T10:33:34+03:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-18T10:33:34+03:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-08-18T10:33:34+03:00	DEBUG	Initializing scan cache...	type="fs"
2024-08-18T10:33:34+03:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-08-18T10:33:34+03:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-08-18T10:33:34+03:00	DEBUG	[image] Detected image ID	image_id="sha256:a29be49010478425fedf2bfda1b6b41c6b068fc980c5985116e85dd7a1cfeeb6"
2024-08-18T10:33:34+03:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:3271a3db7c91e2e34af372135a862abc1bac9c36a997ea9c379bb3535a7d2bb2 sha256:78f3ac95fa59e28a522f4f8adb035288d50ccbe3b7393b003dc7cb2f7ac88eef sha256:ddb50b36a364e2e00eb05bdbcb40bcc744681948cb7240649f3980a70147c014 sha256:938452a0599c7c1e24075c9f8caab3a2e68f925d69704bafefe0f484bd91aeb1]
2024-08-18T10:33:34+03:00	DEBUG	[image] Detected base layers	diff_ids=[sha256:3271a3db7c91e2e34af372135a862abc1bac9c36a997ea9c379bb3535a7d2bb2]
2024-08-18T10:33:34+03:00	INFO	Detected OS	family="amazon" version="2023.5.20240624 (Amazon Linux)"
2024-08-18T10:33:34+03:00	INFO	[amazon] Detecting vulnerabilities...	os_version="2023" pkg_num=149
2024-08-18T10:33:34+03:00	INFO	Number of language-specific files	num=1
2024-08-18T10:33:34+03:00	INFO	[python-pkg] Detecting vulnerabilities...
2024-08-18T10:33:34+03:00	DEBUG	[python-pkg] Scanning packages for vulnerabilities	file_path=""
2024-08-18T10:33:34+03:00	DEBUG	[vex] VEX filtering is disabled

Version

0.54.1

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @TimBrown1611
Thanks for your report!

RUN curl -L -o PyYAML-5.1.1.tar.gz https://github.com/yaml/pyyaml/archive/refs/tags/5.1.1.tar.gz && \

You install package from source code, so this package is vulnerable.

saw this CVE is not effected.

Vendors OS fix vulnerabilities for their packages (to get these fixed packages - you need to install packages from yum).
In this case you need to install PyYAML from yum. Then you got not vulnerable package and Trivy will use Amazon DB to detect vulns (see https://aquasecurity.github.io/trivy/v0.54/docs/scanner/vulnerability/#data-source-selection)

Regards, Dmitriy