Will Murphy

Results 357 comments of Will Murphy

I'm still able to reproduce the issues mentioned in https://github.com/anchore/grype/issues/244#issuecomment-1227107569.

```
grype --platform linux/amd64 docker:fluent/fluentd:v1.14.4-1.0 | grep -e CVE-2018-25032 -e CVE-2022-37434 -e CVE-2002-0059
```

prints the following vulnerabilities:

```
zlib...
```

Hi @luislavena, thanks for the report! The reason this was happening was that Grype used to use CPEs to match ruby gems to vulnerabilities, and CPEs don't have any mechanism...

Hi @yudong, thanks for reporting this. I'm investigating it. The only vulnerability from the original post that is still present in `ruby:3.1.0-bullseye` is: CVE-2021-4044 from https://nvd.nist.gov/vuln/detail/CVE-2021-4044 matched artifact is: openssl...

Hi @isuftin, I'm no longer able to reproduce this. What I've tried:

- making a Dockerfile just as in your original post (but adding `--platform=linux/amd64` on the `FROM` line, since...

Hi @isuftin, thanks for reporting this issue! I haven't been able to reproduce it, so I'm marking it as closed. (Also, it seems possible it's a duplicate of #244). If...

Hi @isuftin, Thanks for the report! This sort of ecosystem confusion is caused by using CPEs from NVD as a matching source, because CPEs don't include language/ecosystem information, and so...

Hi @mstergianis, thanks for reporting this issue! It looks like the GitHub page for `node-chainsaw` has been taken down - I'm seeing a 404 on https://github.com/substack/node-chainsaw. Regardless, I believe this...

Added `changelog-ignore` because this was fixed in `0.60.0` and so shouldn't be included in the current release's release notes.

Hi @lclc and @apoelstra, As @spiffcs said above, this was caused because we were using CPEs to match packages to vulnerabilities, but CPEs don't encode ecosystem data, so similarly-named but...

Hi @lclc! This was fixed by the same change I mentioned at https://github.com/anchore/grype/issues/901#issuecomment-2112225113 Please let us know if we missed something. Thanks!