What happened:
I have a question regarding Grype’s behavior:
I’ve created an image containing the requests package.
I see 2 related vulnerabilities: CVE-2023-32681, GHSA-j8r2-6x86-q33q.
However, when I checked it more deeply, I saw it is the same dependency; moreover, in GHSA-j8r2-6x86-q33q we have a field relatedVulnerabilities which contains CVE-2023-32681.
I think presenting both vulnerabilities is wrong, since it is the same dependency.
Is this the expected behavior? Is it planned to filter these kinds of duplicates in the future?
What you expected to happen:
How to reproduce it (as minimally and precisely as possible):
Here is the Dockerfile to reproduce and the command I’ve run:
docker build -t requests .
grype requests
FROM python:3.7-alpine
RUN pip install requests==2.20.0
WORKDIR /app
CMD ["python", "app.py"]
Anything else we need to know?:
Environment:
Output of grype version: 0.63.1
OS (e.g: cat /etc/os-release or similar): alpine:3.18.2
Hi @tomerse-sg, I think we talked on the community slack. Re-posting here what I said there:
I think passing --by-cve will make grype do what you're expecting. But note that --by-cve currently has some limitations: #1202
There's some discussion about whether this should be the default behavior. In general, if we matched the vulnerability using the GHSA's matching criteria, it will be included in the results.
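To show what the reply means by collapsing a GHSA onto the CVE it lists under relatedVulnerabilities, here is an added example (not part of the issue, and not grype's own code) that post-processes grype JSON output (`grype requests -o json`) and folds matches for the same package and version onto one canonical CVE. It assumes the `matches[].vulnerability.id`, `matches[].relatedVulnerabilities[].id` and `matches[].artifact.{name,version}` fields of grype's JSON report; the sample report is constructed to mirror the two matches the issue describes.

```python
import json

# Constructed sample of a grype JSON report, trimmed to the fields this script
# reads: the same requests package matched once by the CVE and once by the GHSA
# that lists that CVE as a related vulnerability (the duplicate from the issue).
SAMPLE_GRYPE_JSON = json.dumps({
    "matches": [
        {
            "vulnerability": {"id": "CVE-2023-32681"},
            "relatedVulnerabilities": [],
            "artifact": {"name": "requests", "version": "2.20.0", "type": "python"},
        },
        {
            "vulnerability": {"id": "GHSA-j8r2-6x86-q33q"},
            "relatedVulnerabilities": [{"id": "CVE-2023-32681"}],
            "artifact": {"name": "requests", "version": "2.20.0", "type": "python"},
        },
    ]
})


def canonical_id(match):
    """Prefer a CVE id: the match's own id if it is a CVE, otherwise the first
    related CVE (the same idea as grype's --by-cve); fall back to the own id."""
    own = match["vulnerability"]["id"]
    if own.startswith("CVE-"):
        return own
    for related in match.get("relatedVulnerabilities", []):
        if related["id"].startswith("CVE-"):
            return related["id"]
    return own


def dedupe_matches(report_json):
    """Collapse matches that describe the same package/version under the same
    canonical id. Returns a dict keyed by (canonical id, package, version) whose
    value lists every advisory id that was folded into that key."""
    report = json.loads(report_json)
    merged = {}
    for match in report["matches"]:
        artifact = match["artifact"]
        key = (canonical_id(match), artifact["name"], artifact["version"])
        merged.setdefault(key, []).append(match["vulnerability"]["id"])
    return merged


if __name__ == "__main__":
    for (vuln_id, name, version), sources in dedupe_matches(SAMPLE_GRYPE_JSON).items():
        print(f"{name}=={version}: {vuln_id} (from {', '.join(sources)})")
```

A real report can carry several related CVEs on one GHSA, and this script keys on the first one only, which is the kind of limitation the reply points to for --by-cve; keep the folded ids so an auditor can still see which advisories were merged.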