How to reproduce it (as minimally and precisely as possible):

```
$ docker run -it --rm anchore/grype:v0.34.7 \
    ghcr.io/sigstore/cosign/cosign:d03404e0ca690aea929ee68376fd3244aac8eea9
...
github.com/hashicorp/vault/api  v1.5.0  CVE-2020-25816  Medium
github.com/hashicorp/vault/api  v1.5.0  CVE-2021-43998  Medium
github.com/hashicorp/vault/api  v1.5.0  CVE-2020-16251  Critical
github.com/hashicorp/vault/api  v1.5.0  CVE-2021-27400  High
github.com/hashicorp/vault/api  v1.5.0  CVE-2021-3024   Medium
github.com/hashicorp/vault/api  v1.5.0  CVE-2021-38553  Medium
github.com/hashicorp/vault/api  v1.5.0  CVE-2021-27668  Medium
github.com/hashicorp/vault/api  v1.5.0  CVE-2021-32923  High
github.com/hashicorp/vault/api  v1.5.0  CVE-2020-16250  Critical
github.com/hashicorp/vault/api  v1.5.0  CVE-2020-35177  Medium
github.com/hashicorp/vault/api  v1.5.0  CVE-2021-41802  Medium
github.com/hashicorp/vault/api  v1.5.0  CVE-2021-45042  Medium
github.com/hashicorp/vault/api  v1.5.0  CVE-2020-25594  Medium
github.com/hashicorp/vault/api  v1.5.0  CVE-2020-35453  Medium
github.com/hashicorp/vault/api  v1.5.0  CVE-2021-38554  Medium
github.com/hashicorp/vault/sdk  v0.4.1  CVE-2020-13223  High
github.com/hashicorp/vault/sdk  v0.4.1  CVE-2020-25594  Medium
github.com/hashicorp/vault/sdk  v0.4.1  CVE-2018-19786  High
github.com/hashicorp/vault/sdk  v0.4.1  CVE-2021-38554  Medium
github.com/hashicorp/vault/sdk  v0.4.1  CVE-2021-41802  Medium
github.com/hashicorp/vault/sdk  v0.4.1  CVE-2021-3024   Medium
github.com/hashicorp/vault/sdk  v0.4.1  CVE-2021-27400  High
...
```
Anything else we need to know?:
I'm probably just as confused by Vault's versioning as you are.
Environment:

Output of `grype version`:

```
$ docker run -it --rm anchore/grype:v0.34.7 version
Application:          grype
Version:              0.34.7
Syft Version:         v0.42.4
BuildDate:            2022-03-24T19:36:25Z
GitCommit:            44e676488efe4ab4fd63438bbce539777a2b8922
GitDescription:       v0.34.7
Platform:             linux/amd64
GoVersion:            go1.18
Compiler:             gc
Supported DB Schema:  3
```

OS (e.g: `cat /etc/os-release` or similar): This is in a container, Docker on Debian Linux.
hi @sudo-bmitch - the reason for this mismatch looks like it was related to the CPE that was being generated against the hashicorp artifacts in syft 0.42.4. Later versions (v0.47 and later) generate a more descriptive CPE that includes the api/sdk metadata, which should resolve this FP finding. Closing the ticket but please let us know if you have additional concerns on this particular finding!

```
# docker run -it --rm anchore/grype:latest -q ghcr.io/sigstore/cosign/cosign:d03404e0ca690aea929ee68376fd3244aac8eea9 | grep hashicorp
...
(no more false positive results)
...
```
What happened:

I'm getting some false positives on `github.com/hashicorp/vault/api` because Grype sees `api/v1.5.0` as the same as `v1.5.0`. Similar things happened with the sdk release.

What you expected to happen:

No false positives.
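The mismatch the maintainer describes comes down to how a Go module path is turned into a CPE before matching. In a multi-module repository Go tags the nested module `github.com/hashicorp/vault/api` as `api/v1.5.0`, a version line that is independent of the Vault server's own `v1.5.0` tag; a CPE generator that keeps only the first two path elements after the host maps both to `hashicorp:vault:1.5.0` and every Vault server CVE at that version lands on the client library. The program below is an added illustration, not code from grype, syft or this issue: `LegacyCPE` and `SubmoduleCPE` are assumed reconstructions of the lossy and the "more descriptive" mappings (syft's real CPE strings may differ), and `SampleVulns` is a constructed two-entry feed that uses CVE IDs from the output above with an illustrative exact-version match rather than the version ranges a real feed carries.

```go
package main

import (
	"fmt"
	"strings"
)

// Module is a Go module as found in a binary's embedded build info.
type Module struct {
	Path    string // e.g. github.com/hashicorp/vault/api
	Version string // e.g. v1.5.0
}

// GitTag returns the git tag Go's module system expects for m inside a
// repository whose root module is repoRoot. A module in a subdirectory is
// tagged "<subdir>/<version>", so vault/api at v1.5.0 is "api/v1.5.0" and
// has nothing to do with the Vault server's own v1.5.0 tag.
func GitTag(m Module, repoRoot string) string {
	sub := strings.TrimPrefix(strings.TrimPrefix(m.Path, repoRoot), "/")
	if sub == "" {
		return m.Version
	}
	return sub + "/" + m.Version
}

// CPE holds the three fields that decide a match here; the remaining CPE 2.3
// fields are rendered as "*" (any).
type CPE struct {
	Vendor, Product, Version string
}

// String renders the CPE 2.3 formatted-string binding, escaping "/" as the
// binding requires for punctuation inside a field.
func (c CPE) String() string {
	esc := func(s string) string { return strings.ReplaceAll(s, "/", `\/`) }
	return fmt.Sprintf("cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*", esc(c.Vendor), esc(c.Product), esc(c.Version))
}

// LegacyCPE models the lossy mapping assumed to have produced the false
// positives: vendor and product are the first two path elements after the
// host and everything after them is dropped. This is an assumed
// reconstruction of the behaviour the maintainer describes, not syft's code.
func LegacyCPE(m Module) (CPE, bool) {
	parts := strings.Split(m.Path, "/")
	if len(parts) < 3 {
		return CPE{}, false
	}
	return CPE{Vendor: parts[1], Product: parts[2], Version: strings.TrimPrefix(m.Version, "v")}, true
}

// SubmoduleCPE keeps the remaining path elements in the product so vault/api
// and vault/sdk no longer collapse onto the Vault server's CPE. Also an
// assumption about the shape of the newer, "more descriptive" CPE.
func SubmoduleCPE(m Module) (CPE, bool) {
	parts := strings.Split(m.Path, "/")
	if len(parts) < 3 {
		return CPE{}, false
	}
	return CPE{Vendor: parts[1], Product: strings.Join(parts[2:], "/"), Version: strings.TrimPrefix(m.Version, "v")}, true
}

// Vuln is a constructed vulnerability record: the CVE IDs come from the
// grype output in this issue, the Affected CPE is illustrative (exact-version
// match only, not the version ranges a real feed carries).
type Vuln struct {
	ID       string
	Affected CPE
}

// Matches compares vendor, product and version field by field, with "*" in
// the vulnerability record acting as a wildcard.
func Matches(pkg, vuln CPE) bool {
	eq := func(p, v string) bool { return v == "*" || p == v }
	return eq(pkg.Vendor, vuln.Vendor) && eq(pkg.Product, vuln.Product) && eq(pkg.Version, vuln.Version)
}

// FindingsFor returns the vulnerability IDs that gen's CPE for m matches.
func FindingsFor(m Module, gen func(Module) (CPE, bool), vulns []Vuln) []string {
	cpe, ok := gen(m)
	if !ok {
		return nil
	}
	var ids []string
	for _, v := range vulns {
		if Matches(cpe, v.Affected) {
			ids = append(ids, v.ID)
		}
	}
	return ids
}

// SampleVulns is the constructed feed used by main: two Vault server CVEs
// pinned to server version 1.5.0 for the purpose of the demonstration.
var SampleVulns = []Vuln{
	{ID: "CVE-2020-16250", Affected: CPE{Vendor: "hashicorp", Product: "vault", Version: "1.5.0"}},
	{ID: "CVE-2020-16251", Affected: CPE{Vendor: "hashicorp", Product: "vault", Version: "1.5.0"}},
}

func main() {
	mods := []Module{
		{"github.com/hashicorp/vault", "v1.5.0"},     // the server itself: a genuine hit
		{"github.com/hashicorp/vault/api", "v1.5.0"}, // client library, tagged api/v1.5.0
		{"github.com/hashicorp/vault/sdk", "v0.4.1"}, // plugin SDK, tagged sdk/v0.4.1
	}
	for _, m := range mods {
		fmt.Printf("%-32s %-7s tag=%-12s legacy=%v submodule=%v\n",
			m.Path, m.Version, GitTag(m, "github.com/hashicorp/vault"),
			FindingsFor(m, LegacyCPE, SampleVulns), FindingsFor(m, SubmoduleCPE, SampleVulns))
	}
}
```

Run with `go run .` The legacy mapping reports both server CVEs against `vault/api v1.5.0`, exactly the false-positive pattern in the output above, while the submodule-aware mapping reports them only against the server module and leaves `vault/api` and `vault/sdk` clean. The practical check after upgrading a scanner is the one the maintainer ran: rescan the same image digest and confirm the findings disappear for the library modules without disappearing for the server package, so that a true positive is not silenced along with the false one.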