grype
False positives: package=guava, CVE-2023-2976, CVE-2020-8908, CVE-2023-2976, CVE-2020-8908
What happened: Grype is incorrectly flagging a number of CVEs against a package version which contains the fixes. The package in question is guava, and the version is v32.0.0.
The CVEs being incorrectly flagged are as follows:
If you look at the details, the vulnerable versions are flagged as being 'UP TO, EXCLUDING' v32.0.0. Additionally, you can see the contents of the v32.0.0 release here, and you'll note some of the CVEs above in the release notes as fixed: https://github.com/google/guava/releases/tag/v32.0.0.
I suspect that grype is not taking the 'excluding' into account for these particular filings.
What you expected to happen: Grype should not be reporting on the vulnerabilities.
How to reproduce it (as minimally and precisely as possible):
grype quay.io/keycloak/keycloak:latest | grep guava
✔ Vulnerability DB [no update available]
✔ Loaded image quay.io/keycloak/keycloak:latest
✔ Parsed image sha256:83339b6156ef25f633e9b3c4f5f855c6bca99785c6a439724475afa10d870bdd
✔ Cataloged packages [854 packages]
✔ Scanned for vulnerabilities [100 vulnerability matches]
├── by severity: 11 critical, 34 high, 36 medium, 18 low, 0 negligible (1 unknown)
└── by status: 14 fixed, 86 not-fixed, 0 ignored
com.google.guava.guava 32.0.0-jre java-archive CVE-2023-2976 High
com.google.guava.guava 32.0.0-jre java-archive CVE-2020-8908 Low
guava 32.0.0-jre java-archive CVE-2023-2976 High
guava 32.0.0-jre 32.0.0 java-archive GHSA-7g45-4rm6-3mm3 Medium
guava 32.0.0-jre 32.0.0 java-archive GHSA-5mg8-w23w-74h3 Low
guava 32.0.0-jre java-archive CVE-2020-8908 Low
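As an added illustration (not grype's code) of the 'UP TO, EXCLUDING v32.0.0' bound from the report, the script below compares the installed version 32.0.0-jre against the fixed-in version 32.0.0 shown in the GHSA rows above under two orderings: a simplified model of Maven's ComparableVersion qualifier ranking, and a semver-style reading where a hyphenated suffix is a pre-release. The function names, the simplified tokenizer and the two schemes are assumptions for the example; the report does not establish which ordering grype applies.

```python
import re

# Maven's ComparableVersion ranks qualifiers in this order; "" is a plain
# release. A qualifier not in the list (e.g. "jre", "android") sorts AFTER
# every entry here, so in Maven ordering 32.0.0-jre > 32.0.0.
MAVEN_QUALIFIERS = ["alpha", "beta", "milestone", "rc", "snapshot", "", "sp"]


def _tokens(version):
    """'32.0.0-jre' -> ['32', '0', '0', 'jre'] (simplified: no digit/letter split)."""
    return [t for t in re.split(r"[.\-]", version.lower()) if t]


def _key(token, scheme):
    """Sort key for one token. Numbers always outrank qualifiers; the scheme
    decides whether an unknown qualifier sits above or below a bare release."""
    if token.isdigit():
        return (1, int(token), "")
    if scheme == "maven":
        if token in MAVEN_QUALIFIERS:
            return (0, MAVEN_QUALIFIERS.index(token), "")
        return (0, len(MAVEN_QUALIFIERS), token)  # unknown qualifier: after release
    # semver-style: any pre-release tag ranks BELOW the bare release
    return (0, 0, "") if token == "" else (0, -1, token)


def compare(a, b, scheme="maven"):
    """Return -1, 0 or 1; missing trailing tokens are treated as a bare release
    (trailing-zero normalisation is deliberately left out of this example)."""
    ta, tb = _tokens(a), _tokens(b)
    n = max(len(ta), len(tb))
    ta += [""] * (n - len(ta))
    tb += [""] * (n - len(tb))
    for x, y in zip(ta, tb):
        kx, ky = _key(x, scheme), _key(y, scheme)
        if kx != ky:
            return -1 if kx < ky else 1
    return 0


def affected(installed, fixed_in, scheme="maven"):
    """'UP TO, EXCLUDING fixed_in': affected only if installed < fixed_in."""
    return compare(installed, fixed_in, scheme) < 0


if __name__ == "__main__":
    # Installed and fixed-in values are the ones from the GHSA rows in the report.
    for scheme in ("maven", "semver"):
        print(f"{scheme}: 32.0.0-jre affected by '< 32.0.0'? "
              f"{affected('32.0.0-jre', '32.0.0', scheme)}")
```

Under the Maven ordering the installed version falls outside the vulnerable range, while the semver-style reading places 32.0.0-jre below 32.0.0 and reproduces a match like the one in the output above.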
Anything else we need to know?:
Environment:
- Output of grype version: 0.69.1
- OS (e.g. cat /etc/os-release or similar): macOS