Will Murphy

Results 357 comments of Will Murphy

Thanks @thediveo! I think this has been fixed by intervening development:

```
cd /tmp
git clone [email protected]:thediveo/lxkns.git
grype dir:lxkns
```

prints only:

```
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
github.com/docker/distribution...
```

Added `changelog-ignore` because this was fixed in `0.60.0` and so shouldn't be included in the current release's release notes.

Hi @exortech, thanks for reporting this issue! I'm no longer able to reproduce this false positive:

```
mkdir clipboard && cd clipboard && npm init -y && npm install clipboard...
```

Added `changelog-ignore` because this was fixed in `0.60.0` and so shouldn't be included in the current release's release notes.

Hi @markush81 and @OfriOuzan, thanks for reporting this issue! Confirming that I still see the issue:

```
wget https://repo1.maven.org/maven2/org/postgresql/postgresql/42.3.6/postgresql-42.3.6.jar
grype postgresql-42.3.6.jar | grep CVE-2017-8806
```

still prints the issue. Here's a...

Hi @navzen2000, thanks for reporting this issue. Are you able to include some specific steps to reproduce? For example a Dockerfile or a link to a public image that exhibits...

Thanks @navzen2000! I'm able to reproduce with those steps. (I'm passing a platform to grype, since I'm on an M1 and it seems the arm64 image is not vulnerable: `grype...

Thanks @thediveo for reporting this issue! I'm no longer able to reproduce it. Here's how I tried:

```
cd /tmp
git clone [email protected]:thediveo/lxkns.git
grype dir:lxkns | grep CVE-2002-1647
```

which...

Added `changelog-ignore` because this was fixed in `0.60.0` and so shouldn't be included in the current release's release notes.

I think inferring fixed-in information from NVD data is still problematic, not because we're squeamish about the lack of the word "fix", but because the data doesn't seem to use...