CVE-2023-296: False positive vulnerability report 33.0.6-jre #10809
vivekverma743 started this conversation in False Detection
Replies: 1 comment
Hello @vivekverma743 Perhaps your shaded jar file contains a pom.properties file with an old version (see https://trivy.dev/docs/latest/guide/coverage/language/java/#jarwarparear). Can you share this jar file for investigation? Regards, Dmitriy
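To make the mechanism in the reply above concrete, here is an added example (my own code, not Trivy's and not from the reporter): it opens a jar, lists every `META-INF/maven/<groupId>/<artifactId>/pom.properties` entry the way the linked Trivy docs describe the Java scanner identifying bundled artifacts, and flags any `com.google.guava:guava` entry whose version is below the fixed version the report names (32.0.0). The sample jar it builds is constructed in memory and is not the real curator-shaded-guava jar; the version comparison is a simplified stand-in for Trivy's, good enough for Guava's `N.N[.N]-jre` scheme.

```python
"""Inspect a jar for the Maven metadata of shaded dependencies.

Trivy's Java scanner (per the docs linked in the reply) reads
META-INF/maven/*/*/pom.properties inside a jar to identify the artifacts it
contains, so a shaded jar that still carries its dependency's pom.properties
is reported as containing that dependency at whatever version the stale file
names, regardless of the version actually imported at runtime.
"""
import io
import sys
import zipfile
from typing import Dict, List, Tuple


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal parser for Java .properties files (key=value, '#'/'!' comments)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def embedded_artifacts(jar_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for every pom.properties under META-INF/maven/."""
    found: List[Tuple[str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_properties(zf.read(name).decode("utf-8", errors="replace"))
                found.append((props.get("groupId", ""),
                              props.get("artifactId", ""),
                              props.get("version", "")))
    return found


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric core of a version: '31.1-jre' -> (31, 1); the '-jre'/'-android' classifier is dropped."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split(".") if part.isdigit())


def below_fixed(version: str, fixed: str) -> bool:
    """True when `version` sorts before the fixed version (simplified comparison, not Trivy's)."""
    return parse_version(version) < parse_version(fixed)


def stale_guava_metadata(jar_bytes: bytes, fixed: str = "32.0.0") -> List[str]:
    """Versions of com.google.guava:guava named in the jar's metadata that are older than `fixed`."""
    return [v for g, a, v in embedded_artifacts(jar_bytes)
            if g == "com.google.guava" and a == "guava" and below_fixed(v, fixed)]


def build_sample_jar() -> bytes:
    """Constructed sample: a tiny 'shaded' jar whose own version is current but which
    still carries the shaded Guava's old pom.properties. Not the real curator jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/maven/example.shaded/shaded-app/pom.properties",
                    "groupId=example.shaded\nartifactId=shaded-app\nversion=1.0.0\n")
        # Stale metadata copied in from the shaded dependency (hypothetical version):
        zf.writestr("META-INF/maven/com.google.guava/guava/pom.properties",
                    "# Generated by Maven\ngroupId=com.google.guava\n"
                    "artifactId=guava\nversion=31.1-jre\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real jar path to inspect it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for group, artifact, version in embedded_artifacts(data):
        print(f"{group}:{artifact}:{version}")
    stale = stale_guava_metadata(data)
    print("stale Guava metadata:", stale if stale else "none")
```

Running it against the jar in question shows exactly which `pom.properties` Trivy would pick up; if a `com.google.guava/guava/pom.properties` with a pre-32.0.0 version is listed, the finding comes from that file rather than from the runtime Guava, and the fix is to exclude or rewrite that metadata when shading (or to supply it to the maintainers, as the reply requests).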
IDs
CVE-2023-2976
Description
Hello Trivy Team,
I would like to report a potential false positive vulnerability detection in our recent scan.
Details:
Package: Google Guava
Reported Version: 33.0.6-jre (non-vulnerable)
Vulnerability: FileBackedOutputStream temporary directory issue (fixed in 32.0.0, with 32.0.1 recommended)
Scanner Output: Trivy flagged the shaded Guava JAR inside curator-shaded-guava as it satisfies the runtime version as 33.0.6-jre, which is non-vulnerable
Path: META-INF/maven/com.google.guava/guava/pom.xml
Issue: Although the runtime Guava version is 33.0.6-jre (which is beyond the fixed version), Trivy continues to report CVE-2023-2976 due to shaded JAR metadata referencing older Guava versions. This appears to be a false positive.
The curator-shaded-guava-5.9.0-osgi.jar manifest provides additional clarity:
This explicitly shows that curator-shaded is importing Guava packages in the [32.0,33) range, which aligns with the patched versions and confirms that the runtime dependency is safe and we are already on a safe version.
Request: Please review this detection logic and confirm whether Trivy can be adjusted to avoid reporting vulnerabilities based solely on shaded JAR metadata when the actual runtime version is patched.
Thank you for your support.
Best regards,
Vivek Verma
Reproduction Steps
Target: Container Image
Scanner: Vulnerability
Target OS: No response
Debug Output
Version
Checklist
- `-f json` that shows data sources and confirmed that the security advisory in data sources was correct