grype showing disputed CVE in Mariner 2.0 #246
Comments
Thanks for the bug report @eric-desrochers! It sounds like Are there other statuses in
We have 3 values
Could you please make sure 'Not Applicable' is excluded from the scan CVE report? As a reference:
Yes. I'll have a pull request up today.
Yes. Grype accepts
Awesome, thanks!
What version of
Hi @eric-desrochers, the fix ended up being in our vulnerability database generation, not in
@willmurphyscode - Thanks for dealing with this issue so quickly :-)
Just verified our code scans against the cbl-mariner images and all the vulnerabilities have now gone from the scan report.
I confirmed:
What happened:
Grype reports DISPUTED CVEs.
For instance, CVE-2023-0687 is not only DISPUTED upstream https://nvd.nist.gov/vuln/detail/CVE-2023-0687
but also in our OVAL file as follows: Not Applicable
https://raw.githubusercontent.com/microsoft/CBL-MarinerVulnerabilityData/main/cbl-mariner-2.0-oval.xml
What you expected to happen:
We expect grype to not report the CVE with patchable set to 'Not Applicable'.
How to reproduce it (as minimally and precisely as possible):
grype mcr.microsoft.com/cbl-mariner/base/core:2.0
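A worked version of the filter requested in this report, added here as an example and not code from grype or from the CBL-Mariner vulnerability feed: it parses a constructed OVAL fragment and drops every definition whose patchable status is 'Not Applicable', so a disputed CVE like the one above would not reach the scan report. The `<patchable>` element name, the OVAL namespace, the sample definitions and the helper names `parse_definitions` / `reportable_cves` are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed OVAL fragment shaped like the CBL-Mariner 2.0 feed (assumed
# element names). One definition is patchable, the other carries the
# "Not Applicable" status that the report says should be dropped.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:1" version="1">
      <metadata>
        <title>CVE-2022-0001 affecting package examplepkg (constructed)</title>
        <reference ref_id="CVE-2022-0001" source="CVE"/>
        <patchable>true</patchable>
      </metadata>
    </definition>
    <definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:2" version="1">
      <metadata>
        <title>CVE-2023-0687 affecting package examplepkg (constructed)</title>
        <reference ref_id="CVE-2023-0687" source="CVE"/>
        <patchable>Not Applicable</patchable>
      </metadata>
    </definition>
  </definitions>
</oval_definitions>"""

OVAL_NS = {"oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}
# Statuses meaning "this CVE does not apply to the package"; the report
# names only "Not Applicable". Compared case-insensitively.
SKIP_STATUSES = {"not applicable"}


def parse_definitions(xml_text):
    """Return (cve_id, patchable_status) for each vulnerability definition."""
    root = ET.fromstring(xml_text)
    rows = []
    for d in root.iterfind(".//oval:definition[@class='vulnerability']", OVAL_NS):
        ref = d.find("oval:metadata/oval:reference[@source='CVE']", OVAL_NS)
        if ref is None:
            continue  # no CVE id to report on
        patchable = d.find("oval:metadata/oval:patchable", OVAL_NS)
        status = (patchable.text or "").strip() if patchable is not None else ""
        rows.append((ref.get("ref_id"), status))
    return rows


def reportable_cves(xml_text):
    """CVE ids a scanner should still surface after the status filter."""
    return [cve for cve, status in parse_definitions(xml_text)
            if status.lower() not in SKIP_STATUSES]
```

Definitions with no `<patchable>` element at all are kept, so a missing field fails open towards reporting rather than silently hiding a finding.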