False positive on a custom image with custom python package

Hi, I have built a custom python alpine image with my own glibc compiled on it. Then I compiled all python packages on top. Basically got rid of all musl based dependencies.
Now, when I run grype on this image, it still reports CVE-2024-9287. My current version of python (3.13) has this vulnerability fixed. Other scanners like trivy, docker scout, snyk do NOT report this CVE.
I wonder why grype would keep reporting it. I waited a while thinking the grype db might need an update, but it seems like it has been updated for this CVE and I continue to see this for my image, which is a false positive.

NAME     INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY
python3  3.13.0-r0            apk   CVE-2024-9287  Unknown

I would appreciate any insight here. Thanks in advance. What additional info should I include here for someone to help debug this?

Hi @tony-oss-titan

It looks like Grype is reporting your Python as affected because there’s no fix for this vulnerability.

If we look at the python issue

It looks like the fix was applied to all branches at the beginning of November

If we look at the Python releases page

Python 3.13.0 was released in October

I imagine the next python version will contain this fix, but for the moment, all upstream versions of python are vulnerable.

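The matching behaviour described in the reply above, as an added illustration that is not Grype's code or anything posted in this thread: a constructed, simplified apk-style version comparison showing why a vulnerability record with an empty FIXED-IN value matches every installed version, and why 3.13.0-r0 would still match once a fix of 3.13.1 is recorded. The function names and the reduced version grammar (numeric dotted version plus optional -rN release suffix) are assumptions for the example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed example, not Grype's matcher: only the subset of apk version
# syntax needed for the table in the original post is handled here.
_APK_VERSION = re.compile(r"^(?P<ver>[0-9]+(?:\.[0-9]+)*)(?:-r(?P<rel>\d+))?$")


def parse_apk_version(v: str) -> Tuple[Tuple[int, ...], int]:
    """Split '3.13.0-r0' into ((3, 13, 0), 0) for tuple comparison.
    Pre-release suffixes (a/b/rc/_pN) are out of scope for this illustration."""
    m = _APK_VERSION.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    nums = tuple(int(x) for x in m.group("ver").split("."))
    rel = int(m.group("rel") or 0)
    return nums, rel


def is_affected(installed: str, fixed_in: Optional[str]) -> bool:
    """Return True when a scanner following this logic would report the package.

    A record with no fixed version (fixed_in is None) matches every installed
    version; that is the empty FIXED-IN column in the table above. Once a fix
    version exists, only installed versions below it are reported."""
    if fixed_in is None:
        return True
    return parse_apk_version(installed) < parse_apk_version(fixed_in)


def match_table(records: Iterable[Tuple[str, str, Optional[str], str]]) -> List[Tuple[str, str, str, str]]:
    """Build (NAME, INSTALLED, FIXED-IN, VULNERABILITY) rows for affected packages."""
    rows = []
    for name, installed, fixed_in, vuln in records:
        if is_affected(installed, fixed_in):
            rows.append((name, installed, fixed_in or "", vuln))
    return rows


if __name__ == "__main__":
    # Constructed records: the same CVE before and after a fix version is recorded.
    before_fix = [("python3", "3.13.0-r0", None, "CVE-2024-9287")]
    after_fix = [("python3", "3.13.0-r0", "3.13.1", "CVE-2024-9287"),
                 ("python3", "3.13.1-r0", "3.13.1", "CVE-2024-9287")]
    for row in match_table(before_fix) + match_table(after_fix):
        print("  ".join(row))
```

Running the block prints the 3.13.0-r0 row twice (no fix recorded, then below the 3.13.1 fix) and omits 3.13.1-r0, which is not below the fix version.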

They have just released new versions of python that address this (along with some others), so I will get our data updated today, which means they’ll be in the grype database for tomorrow.


Thanks @westonsteimel. Please let me know if this vuln was added to the grype db. I can run a test to confirm.