False neg. caused by --only fixed
#1431
Comments
|
Thanks for the report @mirekphd -- I ran the example you provided, but none of the vulnerabilities show any fixed information (check the |
|
I'd think the option is too strict in its data requirements. I'd argue it might react to nulls in the fix state more conservatively, and return (not mask) all entries with no data in this field, or else users of this option have much higher false negative rate, with all data gaps treated the same as intentional decisions of the developers not to fix. Auto-populating all missings in the fix state with "wont-fix" after a "reasonable" fixing timeout would lead to similar results - the only difference is that the timeout is zero when you specify |
|
Hi @mirekphd, the purpose of There are also some configuration items that might help, if you need to ignore certain matches: https://github.com/anchore/grype#specifying-matches-to-ignore |
|
Hi @mirekphd, we'll go ahead and close this issue but if you still need any help here, please let us know and we would be happy to discuss. Thanks! |
What happened:
Got "No vulnerabilities found" despite having nearly 200 of them in the scanned image (as per Grype's log entry: "INFO found 187 vulnerabilities for 220 packages").
What you expected to happen:
A table listing all vulnerabilities.
How to reproduce it (as minimally and precisely as possible):
$ docker run --rm --name test -v /var/run/docker.sock:/var/run/docker.sock anchore/grype:latest --only-fixed mirekphd/cuda-11.2-cudnn8-devel-ubuntu22.04:20230813Anything else we need to know?:
Removing
--only-fixedworks around the problem.The switch is however generally useful, as it deals automatically with false positives such as these (being false in an Alpine container and reported elsewhere):
Environment:
grype version: 0.65.1cat /etc/os-releaseor similar): Ubuntu 22.04.2 LTSThe text was updated successfully, but these errors were encountered: