[Mariner] trivy doesn't detect CVE-2023-5678 for package earlier than where the fix has been first introduced. #379
Comments
Hello @eric-desrochers. The Mariner database doesn't use
In this case, we overwrite advisories for the same CVEs.
@eric-desrochers Other vendors have a list of affected packages and versions in criteria. Do you want to get aligned with others? Would you like us to fix it? @DmitriyLewen Does the OVAL definition allow this case? I think it's allowed, but want to double-check it.
@knqyf263 I am afraid we won't be able to change our OVAL structure (at least for now) to put all the affected packages under the same definition with multiple criteria using a What are the options available to fix this situation?
@knqyf263 OVAL requires filling in a
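The overwrite mentioned above (advisories keyed by CVE alone, so a second Mariner definition for the same CVE replaces the first) and the version check that has to follow it, as an added example. This is not trivy-db's code and not Mariner's data: the input is a constructed, simplified OVAL-like document in which the package name and fixed EVR sit directly on the criterion (the real schema reaches them through tests, objects and states), and "libfoo" and both fixed versions are invented. The rpm version ordering is a deliberately simplified rpmvercmp.

```python
"""Added example, not trivy-db's code: merging one-definition-per-package OVAL
data by (CVE, package) instead of by CVE, plus an rpm EVR comparison that
decides whether an installed version is earlier than the fix."""
import re
import xml.etree.ElementTree as ET

# Constructed input, not Mariner's real OVAL file. It keeps the one property the
# thread is about: the same CVE appears in two separate definitions, one per
# affected package. "libfoo" and both fixed versions are made up for the example.
SAMPLE_OVAL = """<oval_definitions>
  <definition id="oval:ex:def:1">
    <metadata><reference ref_id="CVE-2023-5678"/></metadata>
    <criteria><criterion package="openssl" fixed_evr="0:1.1.1k-28"/></criteria>
  </definition>
  <definition id="oval:ex:def:2">
    <metadata><reference ref_id="CVE-2023-5678"/></metadata>
    <criteria><criterion package="libfoo" fixed_evr="0:2.4-1"/></criteria>
  </definition>
</oval_definitions>"""


def parse_entries(src):
    """Flatten every (definition, CVE reference, criterion) triple, in file order."""
    root = ET.fromstring(src)
    out = []
    for definition in root.iter("definition"):
        for ref in definition.iter("reference"):
            for crit in definition.iter("criterion"):
                out.append((ref.get("ref_id"), crit.get("package"), crit.get("fixed_evr")))
    return out


def build_naive(entries):
    """Key advisories by CVE only. With one definition per package, the second
    CVE-2023-5678 definition silently replaces the first: the overwrite described
    in the thread, and the reason openssl 1.1.1k-27 goes unreported."""
    db = {}
    for cve, pkg, fixed in entries:
        db[cve] = {pkg: fixed}
    return db


def build_merged(entries):
    """Key by CVE and then by package, so every definition survives."""
    db = {}
    for cve, pkg, fixed in entries:
        db.setdefault(cve, {})[pkg] = fixed
    return db


_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Order two version or release strings the way rpm does: cut into runs of
    digits or letters (separators dropped); numeric runs compare as integers and
    beat alphabetic ones; alphabetic runs compare as strings; the longer list
    wins a tie. '~' and '^' are not handled (a simplification)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd:
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_evr(a, b):
    """Compare "epoch:version-release" strings. A missing epoch is 0, and since
    rpm forbids '-' inside version or release, the first '-' separates them."""
    def split(evr):
        epoch, sep, rest = evr.partition(":")
        if not sep:
            epoch, rest = "0", evr
        version, _, release = rest.partition("-")
        return epoch, version, release
    for x, y in zip(split(a), split(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def is_vulnerable(db, cve, pkg, installed):
    """True when installed is below the fixed EVR recorded for (cve, pkg). A CVE
    with no entry for pkg is never reported: that is how the overwrite in
    build_naive turns into a missed finding."""
    fixed = db.get(cve, {}).get(pkg)
    return fixed is not None and compare_evr(installed, fixed) < 0


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_OVAL)
    for name, db in (("keyed by CVE only", build_naive(entries)),
                     ("keyed by CVE and package", build_merged(entries))):
        print(name, "-> openssl 1.1.1k-27 vulnerable:",
              is_vulnerable(db, "CVE-2023-5678", "openssl", "1.1.1k-27"))
```

With the CVE-only key the openssl definition is gone before any version is compared, so the installed version never matters; with the (CVE, package) key the same scan reports openssl 1.1.1k-27 because 27 sorts below 28 in the release field.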
@DmitriyLewen @knqyf263 Good day, what is the next course of action for this bug?
You can watch this PR.
The product team confirmed this change. We'll merge the PR this month.
Thank you very much
What version of Trivy will this fix be introduced into?
Trivy DB has a different release cycle from Trivy. Once the PR gets merged, it will be distributed within 6 hours.
@eric-desrochers FYI ^
Thanks a bunch
Scanning an image with OpenSSL version 1.1.1k-27 (which is vulnerable) doesn't report it as such, although our OVAL file is correctly set.
Reproducer:
Our OVAL file: