False positive: CVE-2017-3162 apache:hadoop-shaded-guava vs apache:hadoop #1301
Comments
Adding detailed repro steps to make future investigation easier:
Which prints
Here are some more details on the match: CVE-2017-3162 from https://nvd.nist.gov/vuln/detail/CVE-2017-3162
URLs:
@willmurphyscode Thank you for investigating the issue. NVD info: https://nvd.nist.gov/vuln/detail/CVE-2017-3162
Description
I don't have such a link. I think this is probably a false positive - I am adding notes to further our investigation of why this false positive might appear. Sorry for not saying that more clearly in my last comment! I've added the label
Hi @sekveaja, this false positive seems to be fixed:

    wget https://repo1.maven.org/maven2/org/apache/hadoop/thirdparty/hadoop-shaded-guava/1.1.1/hadoop-shaded-guava-1.1.1.jar
    grype hadoop-shaded-guava-1.1.1.jar | grep CVE-2017-3162

no longer prints any vulnerabilities. This is because Grype no longer uses CPEs by default for matching against JARs. Please let me know if I've missed something.
What happened:
Use hadoop-shaded-guava:1.1.1
Grype reports apache:hadoop CVE-2017-3162
What you expected to happen:
They are not the same CPE; therefore, it should not report CVE-2017-3162.
How to reproduce it (as minimally and precisely as possible):
Integrate apache:hadoop-shaded-guava:1.1.1 and test
Environment:
Grype: 0.61.1
cat /etc/os-release | grep -i version
VERSION="SLES 15-SP4"
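The issue turns on two CPEs that share a vendor but name different products: apache:hadoop-shaded-guava versus apache:hadoop. The added example below is not code from the grype project or from this thread; it parses CPE 2.3 strings and compares vendor and product exactly, and sets that against a constructed "loose" prefix comparison to show how a product-name overlap can turn into a false positive. The thread does not say how the older matcher produced the match, so the loose matcher is an illustration of one way such a match arises, not a description of grype's internals. The CPE strings are constructed from the identifiers named in the issue.

```python
"""Added example: exact vs. loose CPE vendor/product comparison.

Not grype code. The 'loose' matcher is a constructed illustration of a
prefix-based comparison; it is not a description of how grype matched.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cpe:
    part: str
    vendor: str
    product: str
    version: str


def parse_cpe23(cpe: str) -> Cpe:
    """Parse a CPE 2.3 formatted string into its leading fields.

    Layout: cpe:2.3:<part>:<vendor>:<product>:<version>:<update>:...
    Note: this simple split does not handle escaped colons (\\:) that a
    full CPE 2.3 parser must support; the sample values here contain none.
    """
    fields = cpe.split(":")
    if len(fields) < 6 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return Cpe(part=fields[2], vendor=fields[3], product=fields[4], version=fields[5])


def exact_product_match(pkg: Cpe, vuln: Cpe) -> bool:
    """Vendor and product must be identical; this is what the reporter expected."""
    return pkg.vendor == vuln.vendor and pkg.product == vuln.product


def loose_product_match(pkg: Cpe, vuln: Cpe) -> bool:
    """Constructed: accept the vulnerable product if it is a prefix of the
    package product. 'hadoop' is a prefix of 'hadoop-shaded-guava', so this
    comparison produces the kind of false positive the issue describes."""
    return pkg.vendor == vuln.vendor and pkg.product.startswith(vuln.product)


# Constructed sample CPEs built from the identifiers named in the issue.
PACKAGE_CPE = "cpe:2.3:a:apache:hadoop-shaded-guava:1.1.1:*:*:*:*:*:*:*"
VULN_CPE = "cpe:2.3:a:apache:hadoop:*:*:*:*:*:*:*:*"  # product from the issue title; version range not encoded


def evaluate(package_cpe: str, vuln_cpe: str) -> dict:
    """Return the verdict of both comparisons for a package/vulnerability pair."""
    pkg, vuln = parse_cpe23(package_cpe), parse_cpe23(vuln_cpe)
    return {
        "package": f"{pkg.vendor}:{pkg.product}",
        "vulnerable": f"{vuln.vendor}:{vuln.product}",
        "exact": exact_product_match(pkg, vuln),
        "loose": loose_product_match(pkg, vuln),
    }


if __name__ == "__main__":
    verdict = evaluate(PACKAGE_CPE, VULN_CPE)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

Running the block reports exact: False and loose: True for the pair from the issue, which is the gap the reporter describes: the two CPEs are not the same, so an exact vendor/product comparison does not attribute CVE-2017-3162 to hadoop-shaded-guava, while any comparison that treats a product-name prefix as a match does. When triaging a similar report, the useful check is to print the package CPE and the CVE's configured CPE side by side, as evaluate does, before deciding whether the match is legitimate.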