
Duplicate CVE and GHSA vulnerabilities being reported to Anchore reports for the same package

Open. ssthom opened this issue 3 years ago (3 comments)

Is this a request for help?: Yes


Is this a BUG REPORT or a FEATURE REQUEST? (choose one): Bug Report

Version of Anchore Engine and Anchore CLI if applicable: Currently on:

Engine DB Version: 0.0.14
Engine Code Version: 0.9.4

Was on:

Engine Code Version: 0.9.1
(Not sure on DB Version)

What happened: We are seeing an issue where duplicate CVE and GHSA entries are reported for the same package and the same vulnerability. It wasn’t happening in 0.9.1, but since we upgraded to 0.9.4 it seems to be reporting both, causing our builds to break, as the dev teams originally only had the CVE suppressed. Was there a regression in one of the recent versions to cause this? Or is this a feature that was broken between those two versions?

Example: https://nvd.nist.gov/vuln/detail/CVE-2021-29425 and https://github.com/advisories/GHSA-gwrp-pvrq-jmwv

What did you expect to happen:

See above

Any relevant log output from /var/log/anchore: N/A

What docker images are you using: N/A - All images

How to reproduce the issue:

Scan any image with both a GHSA and CVE vulnerability

Anything else we need to know:

ssthom, Jun 10 '21 12:06
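The failure mode in this report is a suppression written against one identifier (the CVE) while the scanner also emits the GHSA alias for the same package, so the alias escapes the suppression and fails the build. Below is an added illustration, not Anchore Engine code, of collapsing findings that share a package and an alias group and checking suppressions against the whole group; the finding rows and the `GHSA-0000-0000-0000` id are constructed sample data.

```python
from collections import defaultdict

# Constructed scan-report rows (not real Anchore output): one CVE and its GHSA alias
# reported separately for the same package, plus an unrelated finding.
FINDINGS = [
    {"vuln": "CVE-2021-29425", "pkg": "commons-io", "version": "2.6",
     "aliases": ["GHSA-gwrp-pvrq-jmwv"]},
    {"vuln": "GHSA-gwrp-pvrq-jmwv", "pkg": "commons-io", "version": "2.6",
     "aliases": ["CVE-2021-29425"]},
    {"vuln": "GHSA-0000-0000-0000", "pkg": "other-lib", "version": "1.0",
     "aliases": []},  # placeholder id, constructed for this example
]

# The dev team's allowlist only names the CVE, as described in the issue.
SUPPRESSED = {"CVE-2021-29425"}


def alias_groups(findings):
    """Map each identifier to the full set of ids linked to it, directly or transitively."""
    neighbours = defaultdict(set)
    for f in findings:
        ids = {f["vuln"], *f["aliases"]}
        for i in ids:
            neighbours[i] |= ids
    groups = {}
    for start in neighbours:
        if start in groups:
            continue
        seen, stack = set(), [start]
        while stack:  # depth-first walk over the alias graph
            cur = stack.pop()
            if cur not in seen:
                seen.add(cur)
                stack.extend(neighbours[cur] - seen)
        for i in seen:
            groups[i] = frozenset(seen)
    return groups


def dedupe(findings, suppressed):
    """Collapse rows with the same (package, version, alias group); a suppression on
    any id in the group covers every alias of it."""
    groups = alias_groups(findings)
    merged = {}
    for f in findings:
        key = (f["pkg"], f["version"], groups[f["vuln"]])
        merged.setdefault(key, set()).add(f["vuln"])
    return [{"pkg": pkg, "version": ver, "ids": sorted(ids),
             "suppressed": bool(group & suppressed)}
            for (pkg, ver, group), ids in merged.items()]


def build_breakers(findings, suppressed):
    """Ids that would still fail a policy gate after alias-aware suppression."""
    return [i for r in dedupe(findings, suppressed) if not r["suppressed"] for i in r["ids"]]
```

Without the alias grouping, the second row would surface as an unsuppressed GHSA finding even though the same issue was already accepted under its CVE id.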

Thanks @ssthom we'll take a look. Is there a specific public image we can verify exactly what you're seeing against?

We've made changes in this area already for the 0.10.0 release expected soon, so this may already be addressed; we'll confirm status with the current dev builds as well as the release you're reporting it on.

zhill, Jun 11 '21 05:06

To clarify, the db version would not have changed between 0.9.1 and 0.9.4.

zhill, Jun 11 '21 05:06

@ssthom Is there an example image that you can provide us with to help us verify the cause of the issue you are seeing?

zburstein, Jul 13 '21 20:07