False neg. caused by --only fixed
#1431
Comments
Thanks for the report @mirekphd -- I ran the example you provided, but none of the vulnerabilities show any fixed information (check the
I'd think the option is too strict in its data requirements. I'd argue it should react to nulls in the fix state more conservatively, and return (not mask) all entries with no data in this field; otherwise users of this option have a much higher false negative rate, with all data gaps treated the same as intentional decisions by the developers not to fix. Auto-populating all missing values in the fix state with "wont-fix" after a "reasonable" fixing timeout would lead to similar results - the only difference is that the timeout is zero when you specify
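As an added illustration of the two behaviours discussed above (the strict masking the report describes versus the conservative handling argued for in this comment), the following post-filter over Grype-style JSON output keeps a match whose fix state is null or unknown instead of dropping it. This is example code, not Grype's own implementation: the field names `matches[].vulnerability.fix.state`, `.fix.versions`, `matches[].artifact.name` and the fix-state values `fixed`, `not-fixed`, `wont-fix`, `unknown` are assumed from Grype's JSON output format, and the sample report and its `CVE-EXAMPLE-*` identifiers are constructed placeholders.

```python
"""Post-filter for Grype-style JSON: strict vs. conservative "only fixed".

Example code, not Grype's own. Field names (matches[].vulnerability.fix.state,
.fix.versions, matches[].artifact.name/.version) and the fix-state values are
assumed from Grype's JSON output; the report below is a constructed sample.
"""
import json

# Constructed sample resembling `grype -o json` output; IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "High",
                           "fix": {"versions": ["1.2.3"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.0"}},
        {"vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "Medium",
                           "fix": {"versions": [], "state": "wont-fix"}},
         "artifact": {"name": "libother", "version": "2.0.0"}},
        {"vulnerability": {"id": "CVE-EXAMPLE-0003", "severity": "Critical",
                           "fix": {"versions": [], "state": "unknown"}},
         "artifact": {"name": "libgap", "version": "0.9.0"}},
        {"vulnerability": {"id": "CVE-EXAMPLE-0004", "severity": "Low",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "libnofix", "version": "3.1.0"}},
        # A match where the data source carries no fix block at all (total gap).
        {"vulnerability": {"id": "CVE-EXAMPLE-0005", "severity": "High"},
         "artifact": {"name": "libmissing", "version": "4.0.0"}},
    ]
})


def fix_state(match):
    """Return the fix state string, or None when the fix data is absent."""
    fix = match.get("vulnerability", {}).get("fix") or {}
    return fix.get("state") or None


def filter_matches(report_json, keep_unknown):
    """Select matches the way an 'only fixed' switch would.

    keep_unknown=False reproduces the strict behaviour the report complains
    about: anything without a positive "fixed" state is masked, so a feed
    with no fix data at all yields an empty table.
    keep_unknown=True is the conservative variant argued for in the thread:
    a null/unknown fix state is a data gap, not a vendor decision, so the
    match is returned. Explicit "wont-fix"/"not-fixed" are dropped either way.
    """
    report = json.loads(report_json)
    selected = []
    for match in report.get("matches", []):
        state = fix_state(match)
        if state == "fixed":
            selected.append(match)
        elif keep_unknown and state in (None, "unknown"):
            selected.append(match)
    return selected


def summarize(matches):
    """Compact (vuln id, package, fix state) view for printing or asserting."""
    return [(m["vulnerability"]["id"], m["artifact"]["name"], fix_state(m) or "missing")
            for m in matches]


if __name__ == "__main__":
    print("strict:      ", summarize(filter_matches(SAMPLE_REPORT, keep_unknown=False)))
    print("conservative:", summarize(filter_matches(SAMPLE_REPORT, keep_unknown=True)))
```

Run on a real report with `grype <image> -o json > report.json` and pass the file contents to `filter_matches`; the strict mode returns only the one entry with a known fix, while the conservative mode also surfaces the two entries whose fix state is a gap, which is exactly the difference between "No vulnerabilities found" and a reviewable list when the feed lacks fix data.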
Hi @mirekphd, the purpose of There are also some configuration items that might help, if you need to ignore certain matches: https://github.com/anchore/grype#specifying-matches-to-ignore
Hi @mirekphd, we'll go ahead and close this issue but if you still need any help here, please let us know and we would be happy to discuss. Thanks!
What happened:
Got "No vulnerabilities found" despite having nearly 200 of them in the scanned image (as per Grype's log entry: "INFO found 187 vulnerabilities for 220 packages").
What you expected to happen:
A table listing all vulnerabilities.
How to reproduce it (as minimally and precisely as possible):
$ docker run --rm --name test -v /var/run/docker.sock:/var/run/docker.sock anchore/grype:latest --only-fixed mirekphd/cuda-11.2-cudnn8-devel-ubuntu22.04:20230813
Anything else we need to know?:
Removing --only-fixed works around the problem. The switch is, however, generally useful, as it deals automatically with false positives such as these (being false in an Alpine container and reported elsewhere):
Environment:
- Output of grype version: 0.65.1
- OS (e.g. cat /etc/os-release or similar): Ubuntu 22.04.2 LTS