anchore-engine
Incorrect reporting of vulnerability against non fips package
Is this a request for help?:
Is this a BUG REPORT or a FEATURE REQUEST? (choose one): BUG
Version of Anchore Engine and Anchore CLI if applicable:
What happened:
Anchore incorrectly reports vulnerability against non-fips packages
```json
[
  {
    "package": "libgcrypt-1.8.5-6.el8",
    "package_cpe": "None",
    "package_cpe23": "None",
    "package_name": "libgcrypt",
    "package_path": "pkgdb",
    "package_type": "rpm",
    "package_version": "1.8.5-6.el8",
    "severity": "Medium",
    "url": "https://linux.oracle.com/errata/ELSA-2022-9263.html",
    "vendor_data": [],
    "vuln": "ELSA-2022-9263"
  },
  {
    "package": "gnutls-3.6.16-4.el8",
    "package_cpe": "None",
    "package_cpe23": "None",
    "package_name": "gnutls",
    "package_path": "pkgdb",
    "package_type": "rpm",
    "package_version": "3.6.16-4.el8",
    "severity": "Medium",
    "url": "https://linux.oracle.com/errata/ELSA-2022-9221.html",
    "vendor_data": [],
    "vuln": "ELSA-2022-9221",
    "will_not_fix": false
  }
]
```
These issues are meant for FIPS-enabled packages.

What did you expect to happen:
Any relevant log output from /var/log/anchore:
What docker images are you using:
How to reproduce the issue:
Anything else we need to know:
The fix for this is, for packages with `_fips` in the version string, scanning against ELSAs for versions also containing `_fips`, and skipping those advisories for packages that don't have the `_fips` version tag.
I explained this in detail to the Trivy project here; this advice also applies to Anchore. If you have any additional questions, my contact info is in that issue comment: https://github.com/aquasecurity/trivy/issues/1967#issuecomment-1092987400
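As an added illustration of the matching rule described in the comment above (example code written for this page, not anchore-engine's or Trivy's matcher): a naive matcher compares `1.8.5-6.el8` against a fixed version of `1.8.5-6.el8_fips`, finds the installed release "older" because it has fewer segments, and reports the non-FIPS package as vulnerable. The FIPS-aware matcher first checks that the installed package and the advisory's fixed version are the same build flavour, skips the advisory when they are not, and only then compares with the `_fips` tag removed. The advisory identifiers, fixed versions and package list below are constructed for the demonstration and are not the content of any real ELSA; the `rpm_vercmp` is a simplified version of the RPM comparison that ignores epoch and `~`.

```python
"""FIPS-aware ELSA matching, as an added example (not anchore-engine code).

Oracle Linux ships some packages in two build flavours: a regular build
(release "6.el8") and a FIPS build whose release carries a "_fips" tag
(release "6.el8_fips").  An erratum whose fixed version is a _fips build
says nothing about the regular build, and vice versa, so the matcher has
to compare like with like.  All advisory data here is constructed.
"""
import re

_SEGMENT = re.compile(r"\d+|[a-zA-Z]+")


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp over alternating numeric/alpha segments.
    Returns -1, 0 or 1.  Epoch and '~' handling are omitted (assumption)."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment sorts newer than alpha
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):                    # more segments wins: "6.el8" < "6.el8_fips"
        return -1 if len(sa) < len(sb) else 1
    return 0


def split_vr(vr: str):
    """'1.8.5-6.el8_fips' -> ('1.8.5', '6.el8_fips')."""
    version, _, release = vr.partition("-")
    return version, release


def is_fips_build(vr: str) -> bool:
    """True when the release string carries the Oracle _fips tag."""
    return "_fips" in split_vr(vr)[1]


def strip_fips(vr: str) -> str:
    return vr.replace("_fips", "")


def compare_vr(a: str, b: str) -> int:
    av, ar = split_vr(a)
    bv, br = split_vr(b)
    return rpm_vercmp(av, bv) or rpm_vercmp(ar, br)


def naive_applies(installed: str, fixed: str) -> bool:
    """The behaviour the bug report describes: plain comparison, no flavour check."""
    return compare_vr(installed, fixed) < 0


def fips_aware_applies(installed: str, fixed: str) -> bool:
    """Skip the advisory when installed package and fixed version are different
    build flavours; otherwise compare with the _fips tag removed."""
    if is_fips_build(installed) != is_fips_build(fixed):
        return False
    return compare_vr(strip_fips(installed), strip_fips(fixed)) < 0


def scan(packages: dict, advisories: dict, matcher=fips_aware_applies):
    """packages: name -> installed version-release.
    advisories: advisory id -> {package name: fixed version-release}.
    Returns sorted (package, advisory) pairs the matcher flags as vulnerable."""
    hits = []
    for adv_id, fixed_by_name in advisories.items():
        for name, fixed in fixed_by_name.items():
            if name in packages and matcher(packages[name], fixed):
                hits.append((name, adv_id))
    return sorted(hits)


# Constructed sample data (assumed for this example, not real ELSA content).
PACKAGES = {"libgcrypt": "1.8.5-6.el8", "gnutls": "3.6.16-4.el8_fips"}
ADVISORIES = {
    "ELSA-EXAMPLE-FIPS-1":    {"libgcrypt": "1.8.5-6.el8_fips"},  # FIPS-only erratum
    "ELSA-EXAMPLE-REGULAR-2": {"libgcrypt": "1.8.5-7.el8"},       # regular erratum
    "ELSA-EXAMPLE-FIPS-3":    {"gnutls": "3.6.16-5.el8_fips"},    # FIPS-only erratum
    "ELSA-EXAMPLE-REGULAR-4": {"gnutls": "3.6.16-6.el8"},         # regular erratum
}

if __name__ == "__main__":
    print("naive:     ", scan(PACKAGES, ADVISORIES, naive_applies))
    print("fips-aware:", scan(PACKAGES, ADVISORIES))
```

With the constructed data the naive matcher flags all four advisories, including the two FIPS-only errata against the non-FIPS libgcrypt and the regular erratum against the FIPS gnutls; the flavour-aware matcher reports only the regular libgcrypt erratum and the FIPS gnutls erratum. Note that the flavour check has to run before the version comparison: once the `_fips` tag is stripped, the two flavours become indistinguishable.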