Jetty CVEs are showing up incorrectly
Description
We have some images using the following Jetty libraries at version 10.0.9: org.eclipse.jetty:jetty-client, org.eclipse.jetty:jetty-http, org.eclipse.jetty:server, org.eclipse.jetty:jetty-util, org.eclipse.jetty:jetty-webapp.
When scanning the images during an offline scan, these CVEs are showing up even though the version doesn't appear in the "affected versions": CVE-2020-27216, CVE-2020-27218, CVE-2020-27223.
What did you expect to happen?
These CVEs would not show.
What happened instead?
The image is showing 9 vulnerabilities in total from the 3 CVEs above.
Output of run with -debug:
I cannot show the log.
Output of trivy -v:
I cannot show the log.
Additional details (base image name, container registry info...):
We are seeing these vulnerabilities in our Harbor scans (using Trivy adapter) and running the image scan directly with Trivy image.
https://avd.aquasec.com/nvd/2020/cve-2020-27216/ https://avd.aquasec.com/nvd/2020/cve-2020-27218/ https://avd.aquasec.com/nvd/2020/cve-2020-27223/
Hello @cnwaldron, thanks a lot for your report!
Trivy first gets the fixed version from the GitLab Advisory Database. That is why you got these CVEs.
I created an issue to change these CVEs.
Until these CVEs are updated, you can use a .trivyignore file to skip these advisories.
More information about vulnerability filtering is here.
Best Regards, Dmitriy
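A worked version of the .trivyignore workaround, added here as an example and not part of the thread or of Trivy's own code. Trivy applies .trivyignore itself at scan time; this script reproduces the same filtering over a saved `trivy image -f json` report so you can see exactly which findings a given ignore line suppresses, and it flags ignore entries that no longer match anything, which is how stale suppressions are caught after the advisory database is corrected. The report, the jar paths, the image name, the placeholder ID CVE-0000-0001 and the ignore-file contents are all constructed for the example; the `exp:YYYY-MM-DD` expiry syntax is an assumption about newer Trivy releases and is parsed here by the example's own code.

```python
import json
from datetime import date

# Constructed .trivyignore for the scenario in the thread: one ID per line,
# '#' comments, optional 'exp:YYYY-MM-DD' (assumed newer-Trivy syntax).
TRIVYIGNORE = """\
# Jetty 10.0.9 is outside the affected range; GitLab advisory DB is being corrected.
CVE-2020-27216
CVE-2020-27218
# Time-boxed so the ignore is revisited after the DB update.
CVE-2020-27223 exp:2022-06-30
# Leftover from an older image (constructed example of a stale entry).
CVE-2019-10241
"""

JETTY_CVES = ["CVE-2020-27216", "CVE-2020-27218", "CVE-2020-27223"]
JETTY_JARS = ["jetty-http", "jetty-server", "jetty-util"]


def constructed_report():
    """Minimal schema-v2 Trivy JSON report: the three Jetty CVEs reported once
    per 10.0.9 jar (9 findings) plus one unrelated placeholder finding.
    Constructed data, not a real scan result."""
    results = []
    for jar in JETTY_JARS:
        results.append({
            "Target": f"opt/app/lib/{jar}-10.0.9.jar",
            "Class": "lang-pkgs",
            "Type": "jar",
            "Vulnerabilities": [
                {"VulnerabilityID": cve, "PkgName": f"org.eclipse.jetty:{jar}",
                 "InstalledVersion": "10.0.9", "Severity": "HIGH"}
                for cve in JETTY_CVES
            ],
        })
    results.append({
        "Target": "opt/app/lib/other-1.0.jar",
        "Class": "lang-pkgs",
        "Type": "jar",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example:other",
             "InstalledVersion": "1.0", "Severity": "MEDIUM"}
        ],
    })
    return {"SchemaVersion": 2, "ArtifactName": "example/app:1.0", "Results": results}


def parse_trivyignore(text, today=None):
    """Return {vuln_id: expiry_or_None} for ignore lines still in force.

    Blank lines and '#' comments are skipped. An entry whose 'exp:' date is
    before `today` (date or ISO string; defaults to today) is dropped, so an
    expired ignore stops suppressing findings instead of lingering forever.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    active = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        vuln_id, expiry = fields[0], None
        for opt in fields[1:]:
            if opt.startswith("exp:"):
                expiry = date.fromisoformat(opt[len("exp:"):])
        if expiry is not None and expiry < today:
            continue
        active[vuln_id] = expiry
    return active


def apply_ignores(report, ignores):
    """Drop ignored findings from a Trivy JSON report.

    Returns (filtered_report, suppressed, unused): `suppressed` maps each active
    ignore ID to the number of findings removed, `unused` lists active ignore
    IDs that matched nothing (candidates for deletion from .trivyignore).
    """
    suppressed = {vid: 0 for vid in ignores}
    filtered = {k: v for k, v in report.items() if k != "Results"}
    filtered["Results"] = []
    for result in report.get("Results", []):
        kept = []
        for vuln in result.get("Vulnerabilities") or []:
            vid = vuln["VulnerabilityID"]
            if vid in suppressed:
                suppressed[vid] += 1
            else:
                kept.append(vuln)
        new_result = dict(result)
        new_result["Vulnerabilities"] = kept
        filtered["Results"].append(new_result)
    unused = sorted(vid for vid, n in suppressed.items() if n == 0)
    return filtered, suppressed, unused


def count_vulns(report):
    """Total number of findings across all Results in a Trivy JSON report."""
    return sum(len(r.get("Vulnerabilities") or []) for r in report.get("Results", []))


if __name__ == "__main__":
    # Fixed "today" so the expiry handling is reproducible; the 27223 ignore
    # expired on 2022-06-30 and therefore no longer suppresses its 3 findings.
    ignores = parse_trivyignore(TRIVYIGNORE, today="2022-08-01")
    report = constructed_report()
    filtered, suppressed, unused = apply_ignores(report, ignores)
    print(json.dumps({"before": count_vulns(report), "after": count_vulns(filtered),
                      "suppressed": suppressed, "unused_ignores": unused}, indent=2))
```

Running it against the constructed report reduces 10 findings to 4: the two active Jetty ignores remove 3 findings each (one per jar, matching the "9 vulnerabilities from 3 CVEs" pattern in the report), the expired ignore for CVE-2020-27223 leaves its 3 findings visible, and CVE-2019-10241 is reported as an unused entry. The practical caveat is the last part: once the GitLab database is corrected and the three Jetty IDs stop matching, this check is what tells you to delete them from .trivyignore rather than carry blanket suppressions that would hide a future, genuine finding with the same ID.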
Hello @cnwaldron
GitLab Database has been updated.
You can update Trivy DB and check your image.
If Trivy works correctly and you have no further questions, please close this issue.
Regards, Dmitriy
This issue is stale because it has been labeled with inactivity.