Hi,
I’ve installed Rocky Linux 8.10 from the DVD ISO and then updated it. Then I made an SBOM and analyzed it with Snyk. Snyk complained about a critical vulnerability (9.8 score) in the PyYAML package v3.12: "Arbitrary Code Execution in pyyaml | CVE-2017-18342 | Snyk".
By manual investigation I can confirm that this package is indeed installed.
$ cat /etc/os-release
NAME="Rocky Linux"
VERSION="8.10 (Green Obsidian)"
$ dnf check-update
Last metadata expiration check: 0:17:03 ago on Mon 14 Oct 2024 10:27:49 AM EDT.
$ dnf list installed | grep yaml
libyaml.x86_64 0.1.7-5.el8 @anaconda
python3-pyyaml.x86_64 3.12-12.el8 @anaconda
$ pip3 list | grep PyYAML
PyYAML (3.12)
Simply uninstalling this package is not an option, since it is required by quite a lot of other packages.
$ dnf repoquery --whatrequires python3-pyyaml.x86_64
Last metadata expiration check: 0:25:39 ago on Mon 14 Oct 2024 10:27:49 AM EDT.
cloud-init-0:23.4-7.el8_10.0.1.noarch
cloud-init-0:23.4-7.el8_10.3.0.1.noarch
cloud-init-0:23.4-7.el8_10.7.0.1.noarch
cloud-init-0:23.4-7.el8_10.8.0.1.noarch
modulemd-tools-0:0.7-8.el8.noarch
nfs-utils-1:2.3.3-59.el8.x86_64
python3-libnmstate-0:1.4.5-2.el8_9.noarch
python3-libnmstate-0:1.4.6-2.el8_10.noarch
python3-libnmstate-0:1.4.6-4.el8_10.noarch
python3-networkx-core-0:1.11-16.1.el8.noarch
python3-pywbem-0:0.11.0-8.el8.noarch
tpm2-pkcs11-tools-0:1.6.0-1.el8.x86_64
vdo-0:6.2.9.7-14.el8.x86_64
virt-who-0:1.30.16-1.el8.noarch
Should I be concerned about this vulnerability report, or am I misinterpreting something?
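CVE-2017-18342 is not a flaw that an installed PyYAML package exploits on its own: it is reachable only through code that calls yaml.load() or yaml.load_all() on attacker-controlled input without a safe loader (in PyYAML 3.x, as shipped here, the default Loader deserializes arbitrary Python objects). So one practical check, beyond the package version, is to find out whether any Python code on the box actually makes such a call. The following AST-based scanner is an added example written for this page, not something from the post above or from Rocky Linux; it treats only SafeLoader, CSafeLoader, BaseLoader and CBaseLoader as safe (FullLoader does not exist in 3.12), and the SAMPLE_SOURCE it scans is constructed for illustration.

```python
"""Find yaml.load()/yaml.load_all() calls that do not pass a safe Loader.

Added example for auditing CVE-2017-18342 exposure (PyYAML < 5.1 defaults
yaml.load() to the unsafe Loader). Static analysis only; it does not import
PyYAML and does not execute the scanned code.
"""
import ast
import os
import sys

# Loaders that refuse !!python/* tags; anything else (None/default, Loader,
# UnsafeLoader, CLoader, ...) is reported. Conservative rule, assumption of this example.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
UNSAFE_FUNCS = {"load", "load_all"}   # yaml.safe_load/safe_load_all are fine by construction


def _loader_name(call):
    """Return the simple name of the Loader argument of a load-style call, or None."""
    value = None
    for kw in call.keywords:           # Loader=yaml.SafeLoader
        if kw.arg == "Loader":
            value = kw.value
    if value is None and len(call.args) >= 2:   # positional: load(stream, Loader)
        value = call.args[1]
    if isinstance(value, ast.Attribute):         # yaml.SafeLoader -> "SafeLoader"
        return value.attr
    if isinstance(value, ast.Name):              # SafeLoader -> "SafeLoader"
        return value.id
    return None


def find_unsafe_yaml_loads(source, filename="<string>"):
    """Return sorted (lineno, callee, loader) tuples for unsafe load calls in *source*."""
    tree = ast.parse(source, filename)
    module_aliases = set()   # names bound to the yaml module: import yaml [as y]
    func_aliases = {}        # local name -> "load"/"load_all": from yaml import load [as l]
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "yaml":
                    module_aliases.add(alias.asname or alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                if alias.name in UNSAFE_FUNCS:
                    func_aliases[alias.asname or alias.name] = alias.name

    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id in module_aliases and func.attr in UNSAFE_FUNCS):
            callee = f"{func.value.id}.{func.attr}"      # yaml.load(...)
        elif isinstance(func, ast.Name) and func.id in func_aliases:
            callee = func.id                             # load(...) imported from yaml
        else:
            continue
        loader = _loader_name(node)
        if loader not in SAFE_LOADERS:
            findings.append((node.lineno, callee, loader or "<default>"))
    return sorted(findings)


def scan_path(root):
    """Walk *root* for .py files and return {path: findings} for files with hits."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".py"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = find_unsafe_yaml_loads(fh.read(), path)
            except SyntaxError:   # e.g. Python 2 leftovers in site-packages
                continue
            if hits:
                results[path] = hits
    return results


# Constructed sample (not real code from cloud-init, nfs-utils, etc.) to show what is flagged.
SAMPLE_SOURCE = '''\
import yaml
from yaml import load, safe_load

def parse_config(text):
    return yaml.load(text)

def parse_safe(text):
    return yaml.load(text, Loader=yaml.SafeLoader)

def parse_docs(text):
    return list(yaml.load_all(text, Loader=yaml.Loader))

def parse_bare(text):
    return load(text)

def parse_trusted(text):
    return safe_load(text)
'''


def scan_sample():
    """Scan the constructed sample; lines 5, 11 and 14 are the unsafe calls."""
    return find_unsafe_yaml_loads(SAMPLE_SOURCE, "sample.py")


if __name__ == "__main__":
    for lineno, callee, loader in scan_sample():
        print(f"sample.py:{lineno}: {callee}() with Loader={loader}")
    # e.g. python3 scan_yaml_load.py /usr/lib/python3.6/site-packages
    for path, hits in scan_path(sys.argv[1]).items() if len(sys.argv) > 1 else []:
        for lineno, callee, loader in hits:
            print(f"{path}:{lineno}: {callee}() with Loader={loader}")
```

A hit only means the call exists; whether it is a real exposure still depends on where the YAML comes from (a root-owned config file under /etc is a very different threat than a network-supplied document). The scanner also does not follow indirections such as `loader = yaml.Loader; yaml.load(s, loader)`, so treat an empty result as a strong hint, not proof.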