What happened:
Scanning an image that has python3-idna-2.6-150000.3.3.1.noarch installed generates a high vulnerability:

```
$ grype --distro sles:15.6 <custom_image> | grep idna
NAME  INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
idna  2.6        3.7       python  GHSA-jjg7-2v4v-x38h  Medium
```
What you expected to happen:
See this link: https://www.suse.com/security/cve/CVE-2024-3651.html

SUSE advisory for GHSA-jjg7-2v4v-x38h (CVE-2024-3651):

```
SUSE Linux Enterprise Module for Basesystem 15 SP6
python3-idna >= 2.6-150000.3.3.1
```

When running Syft on the custom image, you get 2 entries:

```
idna          2.6               python  (noise)
python3-idna  2.6-150000.3.3.1  rpm
```
The rpm installed in the image is python3-idna-2.6-150000.3.3.1, but because Syft provides another entry, idna (2.6), I believe this leads Grype to generate a vulnerability, believing that version 2.6 does not meet the OS-level patch 2.6-150000.3.3.1.
Therefore, it generates a false positive.
How to reproduce it (as minimally and precisely as possible):
Create the Dockerfile with this content:

```Dockerfile
FROM registry.suse.com/suse/sle15:15.6
RUN zypper in -y --no-recommends python3-idna=2.6-150000.3.3.1
ENTRYPOINT [""]
CMD ["bash"]
```

Build and scan the image:

```
$ docker build -t "suse15.6_python3-idna:v1" .
$ grype --distro sles:15.6 suse15.6_python3-idna:v1
NAME  INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
idna  2.6        3.7       python  GHSA-jjg7-2v4v-x38h  Medium
```

(problem is reproduced)
Environment:
- Output of `grype version`: grype 0.83.0
- OS (e.g. `cat /etc/os-release` or similar):

```
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP6"
VERSION_ID="15.6"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP6"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp6"
DOCUMENTATION_URL="https://documentation.suse.com/"
```
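As an added triage check, not part of this issue nor of Syft or Grype: it cross-references a Python-ecosystem finding with the RPM entry Syft also reports for the same upstream version and compares that RPM's version-release against the fixed version in the SUSE advisory quoted above. The package list, finding and advisory data are constructed from this issue, and the simplified rpmvercmp is an assumption that ignores epoch, tilde and caret.

```python
import re

# Constructed sample data mirroring the issue: Syft's two entries for idna and
# the Grype finding raised against the Python-ecosystem entry.
SYFT_PACKAGES = [
    {"name": "idna", "version": "2.6", "type": "python"},
    {"name": "python3-idna", "version": "2.6-150000.3.3.1", "type": "rpm"},
]
GRYPE_FINDING = {"name": "idna", "version": "2.6", "type": "python",
                 "fixed_in": "3.7", "id": "GHSA-jjg7-2v4v-x38h"}
# Fixed RPM version from the SUSE advisory quoted in the issue (CVE-2024-3651).
SUSE_FIXED_RPM = {"GHSA-jjg7-2v4v-x38h": {"python3-idna": "2.6-150000.3.3.1"}}


def _segments(s):
    # Tokenise an RPM version-release string into numeric and alphabetic runs.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpm_evr_cmp(a, b):
    """Simplified rpmvercmp (assumption: no epoch, tilde or caret); returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment sorts after alpha
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer string is newer

def shadowing_rpm(finding, packages):
    """Return the RPM that packages the same upstream version as a Python finding."""
    for pkg in packages:
        if pkg["type"] == "rpm" and pkg["version"].startswith(finding["version"] + "-") \
                and pkg["name"] in (f"python3-{finding['name']}", f"python-{finding['name']}"):
            return pkg
    return None

def triage(finding, packages, fixed_rpm):
    """Classify a Python-ecosystem finding against the distro's RPM patch level."""
    rpm = shadowing_rpm(finding, packages)
    if rpm is None:
        return "no-rpm-match"           # pip/vendored install: keep the finding
    fixed = fixed_rpm.get(finding["id"], {}).get(rpm["name"])
    if fixed is None:
        return "rpm-match-no-advisory"  # distro owns the package but no fix data: review
    return "likely-false-positive" if rpm_evr_cmp(rpm["version"], fixed) >= 0 else "rpm-unpatched"
```

For the data in this issue, `triage(GRYPE_FINDING, SYFT_PACKAGES, SUSE_FIXED_RPM)` returns `likely-false-positive`; an older release such as `2.6-150000.3.2.1` would instead be reported as `rpm-unpatched`.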