False Positive: CVE-2022-34169 xalan-2.7.1.redhat-00013.jar in JBOSS Enterprises Application Plaftorm #1600

Open
sekveaja opened this issue Nov 10, 2023 · 0 comments
Labels
bug Something isn't working false-positive

Comments

@sekveaja

What happened:
When scanning a container that has xalan-2.7.1.redhat-00013.jar listed:

/modules/system/layers/base/.overlays/layer-base-jboss-eap-/org/apache/xalan/main/xalan-2.7.1.redhat-00013.jar

It links to CVE-2022-34169.

What you expected to happen:

According to Red Hat JBOSS EAP, xalan-2.7.1.redhat-00013.jar is not affected by CVE-2022-34169.
See the Red Hat reference for that issue:
https://access.redhat.com/solutions/6994572

Probably Grype is comparing to NVD, where anything less than 2.7.2 is at fault:
cpe:2.3:a:apache:xalan-java:*:*:*:*:*:*:*:* (Up to (including) 2.7.2)

Environment:

  • Output of grype version:

Application: grype
Version: 0.69.1
BuildDate: 2023-09-28T00:36:53Z
GitCommit: dec5636
GitDescription: v0.69.1
Platform: linux/amd64
GoVersion: go1.21.1
Compiler: gc
Syft Version: v0.92.0
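An added example, not from the issue or from the Grype project: a `.grype.yaml` ignore rule that suppresses this one match while leaving CVE-2022-34169 reportable for any other xalan build in the image. The package name and type are assumed to be what Grype reports for this jar.

```yaml
# .grype.yaml (added example; not from the issue or the Grype project)
# Suppress CVE-2022-34169 only for the Red Hat-patched xalan build discussed
# above. The version is pinned to the exact build Red Hat marks as not
# affected, so an unpatched 2.7.1 or any other xalan version still raises
# the finding.
ignore:
  - vulnerability: CVE-2022-34169
    package:
      name: xalan                    # assumed: package name as Grype reports it for the jar
      version: 2.7.1.redhat-00013    # exact build from the path in the report
      type: java-archive             # assumed: package type Grype assigns to the jar
```

Ignored matches are dropped from the default report; review the suppression when the image moves to a different xalan build so the pin does not silently go stale.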

@sekveaja sekveaja added the bug Something isn't working label Nov 10, 2023