False positive in dotnet Akka.NET - CVE-2017-1000034 #1164
Comments
Hi @josetirablaz, thanks for the report. Do you happen to have a publicly available image that we can use to reproduce this? That would help us a lot. Thanks!
Hi @tgerla Here is an image to reproduce the false positive: Petabridge/Lighthouse on hub.docker.com
Thanks @josetirablaz! We will take a look as soon as we can.
Hi @josetirablaz, thanks for the issue! To help future investigations, here's a one-liner with a digest that reproduces this positive result (some of these get hard to investigate if the image tag moves):
Trying to understand what happens in a bit more detail here, looking at the match details: CVE-2017-1000034 from https://nvd.nist.gov/vuln/detail/CVE-2017-1000034
I have to agree that this is a false positive - it would be pretty surprising if there were a Java serialization vulnerability in Akka.NET :) It seems like we correctly detect that this is a It looks like the package name for Akka.NET is indeed just
Hi @josetirablaz, the repro steps above no longer result in this false positive. That's because Grype, by default, uses PURLs and not CPEs to match language packages - you can read more about that at https://anchore.com/blog/say-goodbye-to-false-positives/. I'm closing this, but please let us know if we've missed something.
What happened:
After scanning a .NET solution that contains the Akka package, a wrong vulnerability is reported.
Here is the report:
What you expected to happen:
CVE-2017-1000034 for Akka JVM should not be reported for Akka.NET.
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
All vulnerabilities of the JVM version of Akka are also reported as Akka.NET vulnerabilities.
Environment:
- Output of grype version:
- OS (e.g. cat /etc/os-release or similar):
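The closing comment explains the fix at the matcher level: a CPE is a vendor/product name with no notion of ecosystem, so the NuGet package named Akka collides with the JVM Akka product, whereas a package URL carries the ecosystem (pkg:nuget vs pkg:maven) and, for Maven, the group namespace. The script below, written for this page and not taken from Grype or the issue, contrasts a name-only CPE-style matcher with a PURL-aware one on constructed records. The vulnerability records, the fixed-in version 2.4.17, the namespace com.typesafe.akka and the package versions are all assumptions made for illustration; only the CVE identifier comes from the issue.

```python
"""Name-only (CPE-style) versus ecosystem-aware (PURL) vulnerability matching.

Added example for this issue page. The database records below are constructed
for illustration and are not NVD's or Grype's real data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Purl:
    type: str                  # ecosystem, e.g. "nuget" or "maven"
    namespace: Optional[str]   # Maven groupId; None for NuGet
    name: str
    version: str


def parse_purl(s: str) -> Purl:
    """Minimal package-url parser for pkg:type[/namespace]/name@version."""
    if not s.startswith("pkg:") or "@" not in s:
        raise ValueError(f"unsupported purl: {s!r}")
    body, version = s[len("pkg:"):].rsplit("@", 1)
    parts = body.split("/")
    if len(parts) < 2:
        raise ValueError(f"unsupported purl: {s!r}")
    ptype, name = parts[0].lower(), parts[-1]
    namespace = "/".join(parts[1:-1]) or None
    return Purl(ptype, namespace, name, version)


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric dotted-version ordering; sufficient for the constructed data."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


@dataclass(frozen=True)
class CpeRecord:
    """CPE-style record: a product name and nothing that says which ecosystem."""
    cve: str
    product: str
    fixed_in: str


@dataclass(frozen=True)
class PurlRecord:
    """PURL-style record: ecosystem, namespace and name prefix are all required."""
    cve: str
    type: str
    namespace: Optional[str]
    name_prefix: str
    fixed_in: str


# Constructed records (hypothetical fixed-in version and namespace).
CPE_DB: List[CpeRecord] = [CpeRecord("CVE-2017-1000034", "akka", "2.4.17")]
PURL_DB: List[PurlRecord] = [
    PurlRecord("CVE-2017-1000034", "maven", "com.typesafe.akka", "akka-actor", "2.4.17"),
]


def cpe_candidates(p: Purl) -> Set[str]:
    """Mimic CPE product-name generation: the lower-cased name and its first token."""
    name = p.name.lower()
    first_token = name.replace("_", "-").split("-")[0]
    return {name, first_token}


def match_by_cpe(p: Purl) -> List[str]:
    """Name-only matching: any package whose candidate name equals the product matches."""
    return [r.cve for r in CPE_DB
            if r.product in cpe_candidates(p)
            and version_key(p.version) < version_key(r.fixed_in)]


def match_by_purl(p: Purl) -> List[str]:
    """Ecosystem-aware matching: type, namespace and name must all agree."""
    hits = []
    for r in PURL_DB:
        if p.type != r.type:
            continue                      # pkg:nuget never matches a pkg:maven record
        if r.namespace and p.namespace != r.namespace:
            continue
        if not p.name.lower().startswith(r.name_prefix):
            continue
        if version_key(p.version) < version_key(r.fixed_in):
            hits.append(r.cve)
    return hits


def scan(purls: List[str]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Return (cpe_hits, purl_hits) per package so the two strategies can be compared."""
    return {s: (match_by_cpe(parse_purl(s)), match_by_purl(parse_purl(s))) for s in purls}


if __name__ == "__main__":
    # Constructed inventory: the Akka.NET package plus two JVM Akka artifacts.
    for purl, (cpe_hits, purl_hits) in scan([
        "pkg:nuget/Akka@1.4.10",
        "pkg:maven/com.typesafe.akka/akka-actor_2.11@2.4.16",
        "pkg:maven/com.typesafe.akka/akka-actor_2.12@2.5.0",
    ]).items():
        print(f"{purl}: cpe={cpe_hits} purl={purl_hits}")
```

Running it shows the shape of the report in this issue: the CPE-style matcher flags pkg:nuget/Akka because the product name "akka" is all it has, while the PURL matcher rejects it on ecosystem before ever comparing versions; the JVM akka-actor artifact below the fixed-in version is flagged by both, and the one at or above it by neither.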