Description
What happened:
A few CVEs (CVE-2023-32681, GHSA-v8gr-m533-ghj9, CVE-2024-37891, GHSA-jm77-qphf-c4w8, GHSA-5cpq-8wj7-hf2v, CVE-2024-35195, CVE-2025-50181, CVE-2024-0727, CVE-2023-23931, CVE-2020-25658, CVE-2024-47081) are already fixed in the product, yet Grype is still falsely reporting them.
What you expected to happen:
Fixed CVEs should not be reported by the Grype tool. Remove these false positives from being reported in Grype.
How to reproduce it (as minimally and precisely as possible):
Output is attached
Anything else we need to know?:
CVE-2023-32681
Justification for false positive: this vulnerability is specific to the python3-requests package. The product includes python3-requests >= 2.24.0-150300.3.3.1, where the fix for this vulnerability is already included. Hence this vulnerability is considered a false positive.
The scanner is identifying this vulnerability by reading the package name from a text file, although the product includes the updated python3-requests package that includes the fix.
GHSA-v8gr-m533-ghj9
Justification for false positive: this vulnerability is specific to the cryptography library of the openssl package. The product includes libopenssl3-3.2.3-150700.5.21.1 and libopenssl1_1-1.1.1w-150700.11.6.1, where the fix for this vulnerability is already included.
The scanner is identifying this vulnerability by reading the package name from a text file, although the product includes the updated openssl package that includes the fix.
CVE-2024-37891
Justification for false positive: this vulnerability is specific to the python3-urllib3 package. The product includes python3-urllib3 >= 1.25.10-150300.4.12.1, where the fix for this vulnerability is already included. Hence this vulnerability is considered a false positive.
The scanner is identifying this vulnerability by reading the package name from a text file, although the product includes the updated python3-urllib3 package that includes the fix.
GHSA-jm77-qphf-c4w8
Justification for false positive: this vulnerability is specific to the cryptography library of the openssl package. The product includes libopenssl3-3.2.3-150700.5.21.1 and libopenssl1_1-1.1.1w-150700.11.6.1, where the fix for this vulnerability is already included.
The scanner is identifying this vulnerability by reading the package name from a text file, although the product includes the updated openssl package that includes the fix.
GHSA-5cpq-8wj7-hf2v
Justification for false positive: this vulnerability is specific to the cryptography library of the openssl package. The product includes libopenssl3-3.2.3-150700.5.21.1 and libopenssl1_1-1.1.1w-150700.11.6.1, where the fix for this vulnerability is already included.
The scanner is identifying this vulnerability by reading the package name from a text file, although the product includes the updated openssl package that includes the fix.
CVE-2024-35195
Justification for false positive: this vulnerability is specific to the python3-requests package. The product includes python3-requests >= 2.25.1-150300.3.9.1, where the fix for this vulnerability is already included. Hence this vulnerability is considered a false positive.
The scanner is identifying this vulnerability by reading the package name from a text file, although the product includes the updated python3-requests package that includes the fix.
CVE-2025-50181
Justification for false positive: this vulnerability is specific to the python3-urllib3 package. The product includes python3-urllib3 >= 1.25.10-150300.4.18.1, where the fix for this vulnerability is already included. Hence this vulnerability is considered a false positive.
The scanner is identifying this vulnerability by reading the package name from a text file, although the product includes the updated python3-urllib3 package that includes the fix.
CVE-2024-0727
Justification for false positive: this vulnerability is specific to the cryptography library of the openssl package. The product includes libopenssl3-3.2.3-150700.5.21.1 and libopenssl1_1-1.1.1w-150700.11.6.1, where the fix for this vulnerability is already included.
The scanner is identifying this vulnerability by reading the package name from a text file, although the product includes the updated openssl package that includes the fix.
CVE-2023-23931
Justification for false positive: this vulnerability is specific to the python3-cryptography package. The product includes python3-cryptography >= 3.3.2-150400.16.6.1, where the fix for this vulnerability is already included. Hence this vulnerability is considered a false positive.
The scanner is identifying this vulnerability by reading the package name from a text file, although the product includes the updated python3-cryptography package that includes the fix.
CVE-2020-25658
Justification for false positive: this vulnerability is specific to the python3-rsa package. The product includes python3-rsa-3.4.2-150000.3.10.1, where the fix for this vulnerability is already included.
The scanner is identifying this vulnerability by reading the package name from a text file, although the product includes the updated python3-rsa package that includes the fix.
CVE-2024-47081
Justification for false positive: this vulnerability is specific to the python3-requests package. The product includes python3-requests >= 2.25.1-150300.3.15.1, where the fix for this vulnerability is already included. Hence this vulnerability is considered a false positive.
The scanner is identifying this vulnerability by reading the package name from a text file, although the product includes the updated python3-requests package that includes the fix.
Environment:
Output of grype version: 0.107.1
OS (e.g: cat /etc/os-release or similar): SLES 15 SP7
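Added triage check (example code written for this page; it is not Grype's own code and not the reporter's attached output): the script below reads `grype -o json` output, keeps only matches whose `artifact.locations[].path` is a requirements/constraints text file, and renders a `.grype.yaml` ignore block pinned to the artifact's `name`, `type` and `location`. `SAMPLE_REPORT` is constructed sample data in the shape of Grype's JSON report; its paths, versions and CVE-to-artifact pairing are illustrative, and `triage.py` is a hypothetical file name.

```python
"""Triage `grype -o json` output: separate matches that Grype reached through a
dependency text file (requirements.txt, constraints.txt) from matches on installed
package metadata, and render a `.grype.yaml` ignore block scoped to that file.

Added example for this issue, not Grype's own code. SAMPLE_REPORT is CONSTRUCTED
data in the shape of Grype's JSON report; paths, versions and the CVE-to-artifact
pairing are illustrative and not taken from the reporter's attached output.
"""
import json
import re
from typing import Dict, List

# Constructed sample report: one match catalogued from a requirements file (no version
# recorded, so the matcher only has a name to work with) and one from an installed
# distribution's METADATA, which carries a concrete version.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {
            "vulnerability": {"id": "CVE-2023-32681", "namespace": "github:language:python",
                              "severity": "Medium"},
            "matchDetails": [{"type": "exact-direct-match", "matcher": "python-matcher"}],
            "artifact": {"name": "requests", "version": "", "type": "python",
                         "locations": [{"path": "/opt/app/requirements.txt"}]},
        },
        {
            "vulnerability": {"id": "CVE-2024-37891", "namespace": "github:language:python",
                              "severity": "Medium"},
            "matchDetails": [{"type": "exact-direct-match", "matcher": "python-matcher"}],
            "artifact": {"name": "urllib3", "version": "1.25.10", "type": "python",
                         "locations": [{"path": "/usr/lib/python3.6/site-packages/"
                                                "urllib3-1.25.10.dist-info/METADATA"}]},
        },
    ]
})

# Files that *declare* dependencies rather than record an installed package.
DECLARED_DEP_FILE = re.compile(r"(^|/)(requirements|constraints)[^/]*\.txt$")


def text_file_matches(report_json: str) -> List[Dict[str, str]]:
    """Return one record per match whose artifact was catalogued from a dependency text file."""
    report = json.loads(report_json)
    flagged: List[Dict[str, str]] = []
    for match in report.get("matches", []):
        artifact = match["artifact"]
        for location in artifact.get("locations", []):
            path = location.get("path", "")
            if DECLARED_DEP_FILE.search(path):
                flagged.append({
                    "vulnerability": match["vulnerability"]["id"],
                    "name": artifact["name"],
                    "version": artifact.get("version") or "(none)",
                    "type": artifact.get("type", ""),
                    "path": path,
                })
                break  # one record per match even if the artifact has several locations
    return flagged


def ignore_rules_yaml(flagged: List[Dict[str, str]]) -> str:
    """Render a `.grype.yaml` ignore block pinned to name, type and location, so the
    same package name seen elsewhere in the image (an installed copy) is still matched."""
    lines = ["ignore:"]
    for rec in flagged:
        lines += [
            f"  # {rec['vulnerability']} via {rec['path']} (version seen: {rec['version']})",
            f"  - vulnerability: {rec['vulnerability']}",
            "    package:",
            f"      name: {rec['name']}",
            f"      type: {rec['type']}",
            f"      location: \"{rec['path']}\"",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Real use (hypothetical file name): grype <target> -o json | python3 triage.py
    # With no piped input the constructed sample is used instead.
    import sys
    data = SAMPLE_REPORT if sys.stdin.isatty() else (sys.stdin.read() or SAMPLE_REPORT)
    hits = text_file_matches(data)
    for rec in hits:
        print(f"{rec['vulnerability']:<16} {rec['name']:<12} {rec['version']:<10} {rec['path']}")
    print(ignore_rules_yaml(hits))
```

Run against the real report, the table shows for each match whether the artifact carries a version at all and which file it was read from; that is the evidence a maintainer needs to tell a matcher bug from an expected match on a declared-but-not-installed dependency. Pinning the ignore rule to `location` (a glob in Grype's ignore syntax) keeps Grype matching the same package name when it comes from the RPM database or an installed `dist-info` directory.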