What happened:
Scan on image that has python3-glance-21.1.1~dev7-150000.1.154.noarch installed.
It generates vulnerabilities:
$ grype --distro sles:15.5 <custom_image> | grep glance
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
glance 21.1.1.dev7 python GHSA-r4v4-w9pv-6fph High
glance 21.1.1.dev7 2014.2.4 python GHSA-q748-mcwg-xmqv Medium CVE-2015-5251
glance 21.1.1.dev7 2014.2.4 python GHSA-gvjg-r9fv-7qx9 Medium CVE-2015-5286
glance 21.1.1.dev7 23.0.1 python GHSA-7h75-hwxx-qpgc Medium
glance 21.1.1.dev7 python GHSA-5gp5-vxj6-4257 Low
What you expected to happen:
OpenStack changed versioning system between Kilo and Liberty in 2015. Up to Kilo they used the year as a base resulting in 20xx.x.x versions. From Liberty they started to use semantic versioning in every project.
This resulted in lower version numbers for the newer projects, which the tools cannot handle now.
e.g. Glance became 11.0.0 in Liberty after the 2015.1.4 Kilo version
https://releases.openstack.org/liberty/index.html
https://releases.openstack.org/kilo/index.html
Vulnerabilities GHSA-q748-mcwg-xmqv and GHSA-gvjg-r9fv-7qx9 may apply to the OpenStack package (Kilo) that was released before 2015.
We use version 21.1.x, which is aligned with the new versioning convention; hence, this is a false positive.
How to reproduce it (as minimally and precisely as possible):
There is no public repository that has this package python3-glance-21.1.1~dev7-150000.1.1542.noarch.
However, there is a public tar file that can be downloaded to reproduce the issue.
Artifact we can try scanning:
$ wget https://tarballs.opendev.org/openstack/glance/glance-21.1.0.tar.gz
$ grype ./glance-21.1.0.tar.gz
✔ Indexed file system /tmp/syft-archive-contents-1894997603
✔ Cataloged contents 77a448b2d615d9c21774c70367d6d63f42d710e4d9507d227402d5cbf84e087f
├── ✔ Packages [1 packages]
├── ✔ File digests [2 files]
├── ✔ File metadata [2 locations]
└── ✔ Executables [0 executables]
✔ Scanned for vulnerabilities [5 vulnerability matches]
├── by severity: 0 critical, 1 high, 3 medium, 1 low, 0 negligible
└── by status: 3 fixed, 2 not-fixed, 0 ignored
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
glance 21.1.0 python GHSA-r4v4-w9pv-6fph High
glance 21.1.0 2014.2.4 python GHSA-q748-mcwg-xmqv Medium (FP is reproduced)
glance 21.1.0 2014.2.4 python GHSA-gvjg-r9fv-7qx9 Medium (FP is reproduced)
glance 21.1.0 23.0.1 python GHSA-7h75-hwxx-qpgc Medium
glance 21.1.0 python GHSA-5gp5-vxj6-4257 Low
Environment:
Output of grype version:
Application: grype
Version: 0.83.0
BuildDate: 2024-10-31T00:04:47Z
GitCommit: 0602464
GitDescription: v0.83.0
Platform: linux/amd64
OS (e.g: cat /etc/os-release or similar):
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
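The versioning clash this report describes, shown as an added example that is neither grype's code nor the reporter's: a small Python comparison of the installed and fixed-in versions from the output above. A plain numeric compare treats 21.1.0 as older than 2014.2.4 (the pre-Liberty, date-based scheme) and therefore flags the package; an epoch-aware variant keeps the two schemes apart. The epoch rule (a leading component of 2000 or more means the old date-based scheme) is an assumption made for illustration, not how grype's matcher works, and the sample findings are constructed from the table in the issue.

```python
import re

# Constructed sample findings modelled on the grype output in the issue:
# (installed, fixed_in, advisory)
SAMPLE_FINDINGS = [
    ("21.1.0", "2014.2.4", "GHSA-q748-mcwg-xmqv"),
    ("21.1.0", "2014.2.4", "GHSA-gvjg-r9fv-7qx9"),
    ("21.1.0", "23.0.1", "GHSA-7h75-hwxx-qpgc"),
    ("21.1.1.dev7", "2014.2.4", "GHSA-q748-mcwg-xmqv"),
]

# Accepts "X.Y.Z" and "X.Y.Z.devN" (the forms that appear in the issue).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\.?dev(\d+))?$")


def parse_version(text):
    """Parse a version string into (release_tuple, dev).

    dev is None for a final release and an int for a .devN pre-release.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    dev = int(m.group(2)) if m.group(2) is not None else None
    return release, dev


def _sort_key(version):
    """Sortable key: release numbers first, then pre-release ordering.

    A .devN pre-release sorts before the final release of the same number.
    """
    release, dev = parse_version(version)
    # Pad so that 21.1 and 21.1.0 compare as equal.
    release = release + (0,) * (4 - len(release))
    return release, ((1, 0) if dev is None else (0, dev))


def naive_is_affected(installed, fixed_in):
    """Plain version compare: affected if installed < fixed_in.

    This is the behaviour that produces the false positive: 21 < 2014.
    """
    return _sort_key(installed) < _sort_key(fixed_in)


def openstack_epoch(version):
    """ASSUMPTION for illustration (not grype's logic): a leading component
    of 2000 or more is the old date-based scheme (epoch 0); anything smaller
    is the post-Liberty semantic scheme (epoch 1)."""
    release, _ = parse_version(version)
    return 0 if release[0] >= 2000 else 1


def epoch_aware_is_affected(installed, fixed_in):
    """Compare the epoch first; only compare numbers within the same epoch."""
    ei, ef = openstack_epoch(installed), openstack_epoch(fixed_in)
    if ei != ef:
        return ei < ef
    return _sort_key(installed) < _sort_key(fixed_in)


def triage(findings=SAMPLE_FINDINGS):
    """Return (advisory, installed, fixed_in, naive_result, epoch_aware_result)
    for each finding so the two comparison rules can be placed side by side."""
    return [
        (adv, inst, fix, naive_is_affected(inst, fix), epoch_aware_is_affected(inst, fix))
        for inst, fix, adv in findings
    ]


if __name__ == "__main__":
    for adv, inst, fix, naive, aware in triage():
        print(f"{adv}: installed={inst} fixed_in={fix} "
              f"naive={naive} epoch_aware={aware}")
```

Of the four sample findings, only the 23.0.1 fixed-in entry remains a match under the epoch-aware rule; the two 2014.2.4 entries are the false positives from the report. The epoch heuristic is specific to OpenStack's history and is shown only to make the mismatch concrete; a scanner would need the ecosystem's own version ordering rather than a numeric compare to get this right.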