CVE-2023-2976 is being detected wrongly flagged , even in runtime 3pp version has the latest patch with vulnerability fixed #10810

evadivu · 2026-06-08T08:50:33Z

evadivu
Jun 8, 2026

IDs

CVE-2023-2976

Description

Trivy is detective positive for CVE-2023-2976 which is for Google guava . Since its a shaded jar the tool is unable to pick the runtime version correctly

Reproduction Steps

1.Deploy the image
2.run the scanner
3.
...

Target

Container Image

Scanner

Vulnerability

Target OS

RHEL

Debug Output

Container

Version

0.71.0

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

DmitriyLewen · 2026-06-08T11:07:29Z

DmitriyLewen
Jun 8, 2026
Maintainer

duplicate of #10809

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2023-2976 is being detected wrongly flagged , even in runtime 3pp version has the latest patch with vulnerability fixed #10810

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

CVE-2023-2976 is being detected wrongly flagged , even in runtime 3pp version has the latest patch with vulnerability fixed #10810

Uh oh!

evadivu Jun 8, 2026

IDs

Description

Reproduction Steps

Target

Scanner

Target OS

Debug Output

Version

Checklist

Replies: 1 comment

Uh oh!

DmitriyLewen Jun 8, 2026 Maintainer

evadivu
Jun 8, 2026

DmitriyLewen
Jun 8, 2026
Maintainer