Need clarification OS Vendor vs programming langage

[sekveaja]

Description

When install an OS Vendor patched package in example SLES 15 SP6
python311-urllib3-2.0.7-150400.7.21.1.noarch.

it will install in two ecosystems, in Python and server OS.

1. In the OS ecosystem we will see,
   rpm -qa | grep urllib
   python311-urllib3-2.0.7-150400.7.21.1.noarch

2. In Python ecosystem

pip list | grep urllib

urllib3      2.0.7

For this CVE-2025-50181, NVD and Github Security Advisory recommended urllib3 > 2.5.0
If we look at Python ecosystem 2.0.7 is below the recommended version of NVD and GHSA.
If we look at SUSE ecosystem package python311-urllib3-2.0.7-150400.7.21.1.noarch has the right patch version.

When running trivy, we have no CVE reported.

Q1: Is it because at the OS level, patched has been applied where urllib3 module in Python will not generate CVE?
Q2: When you install with a package manager and it will install into 2 ecosystems, do the patch from OS ecosystem will override progamming langage (Python)?

Thank you in advance for the clarification.

Desired Behavior

See description

Actual Behavior

Se description

Reproduction Steps

1) Create the Dockerfile with this content:
FROM registry.suse.com/suse/sle15:15.6

RUN zypper in -y --no-recommends python311-urllib3=2.0.7-150400.7.21.1
RUN zypper in -y --no-recommends python311-pip=22.3.1-150400.17.16.4

ENTRYPOINT [""]
CMD ["bash"]

2) Build an image from Dockerfile
$ docker build --network=host -t "suse15.6_python3-urllib3:v1" .

Verify package in the container
$ docker run -it suse15.6_python3-urllib3:v1 bash

OS ecosystem:
rpm -qa | grep urllib3
python311-urllib3-2.0.7-150400.7.21.1.noarch   <-----

Python311 ecosystem:
pip3.11 list
Package Version

certifi 2023.7.22
cffi 1.15.1
cryptography 41.0.3
idna 3.4
pip 22.3.1
pycparser 2.21
pyOpenSSL 23.2.0
setuptools 67.7.2
urllib3 2.0.7 <----

Target

None

Scanner

None

Output Format

None

Mode

None

Debug Output

┌───────────────────────────────────────────┬──────┬─────────────────┬─────────┐
│                  Target                   │ Type │ Vulnerabilities │ Secrets │
├───────────────────────────────────────────┼──────┼─────────────────┼─────────┤
│ suse15.6_python311_urllib3:v1 (sles 15.6) │ sles │        0        │    -    │
└───────────────────────────────────────────┴──────┴─────────────────┴─────────┘

Operating System

"SLES" VERSION="15-SP6"

Version

0.66.0

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

hello @sekveaja
Thanks for your interest to Trivy.

You can read about OS packages and their files here: https://trivy.dev/latest/docs/scanner/vulnerability/#handling-software-installed-via-os-packages

Q2: When you install with a package manager and it will install into 2 ecosystems, do the patch from OS ecosystem will override progamming langage (Python)?

I quickly checked your image. It looks like Trivy doesn’t detect urllib3 as a language (python) package.
Could you confirm whether that image actually contains a supported file for this package?
See: https://trivy.dev/latest/docs/coverage/language/#supported-languages

Regards, Dmitriy