Mismatch between using manifest file or not #60
Comments
The way manifest files are generated right now really doesn't provide CVEScan with enough information. If you run
Whereas if you run
In the output from
@mssalvatore Thanks for your input, Mike. I take it then we have two options to obtain an accurate representation of vulnerability:
Am I reading this all correctly?
@D4V3M0NK thanks for the report and for your patience with this issue. It likely won't be until some time in the new year that we release v3.0 of CVEScan and therefore a proper fix for this issue. In the interim, can you try the following and see if it generates manifests which exclude packages which are not installed? It may be an adequate temporary solution:

```
grep -v -f <(dpkg --get-selections | awk '$2 ~ /deinstall/ {print $1}') <(dpkg-query -W) > manifest.txt
```

This essentially captures a list of previously installed packages which are now set to
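The following is an added example, not CVEScan's own manifest generator and not code posted in this thread. It produces the same `package<TAB>version` lines that `dpkg-query -W` prints, but selects packages by their dpkg status field instead of subtracting the `deinstall` list by name, so a package whose name contains another package's name (a `-dev` package, for instance) is unaffected by the filter. The `${Status}`, `${Package}` and `${Version}` format fields and the status text `install ok installed` are dpkg-query's own; the sample dpkg output is constructed for an offline check and its package names and versions are illustrative. The workaround above needs bash for `<(...)`; this version runs under POSIX sh.

```shell
#!/bin/sh
# Added example: build a "package<TAB>version" manifest (the shape printed by
# `dpkg-query -W`) that keeps only packages dpkg reports as fully installed.
# Packages left in the "deinstall ok config-files" state are dropped by their
# status field, not by matching their names. Not CVEScan's own code.

# filter_installed: stdin is the output of
#   dpkg-query -W -f='${Status}\t${Package}\t${Version}\n'
# stdout is "package<TAB>version" for packages whose status is exactly
# "install ok installed".
filter_installed() {
    awk -F'\t' '$1 == "install ok installed" { print $2 "\t" $3 }'
}

# build_manifest: the live-system variant (not executed here). Redirect its
# output to manifest.txt. POSIX sh suffices: no process substitution needed.
build_manifest() {
    dpkg-query -W -f='${Status}\t${Package}\t${Version}\n' | filter_installed
}

# Constructed sample of dpkg-query output so the filter can be checked without
# dpkg present. Names and versions are illustrative, not from a real host.
# The libssl1.0.0 entry models a package removed but with config files kept;
# libssl1.0.0-dev models an installed package whose name contains that name.
SAMPLE_DPKG_OUTPUT="$(printf '%s\t%s\t%s\n' \
    'install ok installed'      openssl         1.1.1-1ubuntu2.1 \
    'deinstall ok config-files' libssl1.0.0     1.0.2n-1ubuntu5 \
    'install ok installed'      libssl1.1       1.1.1-1ubuntu2.1 \
    'install ok installed'      libssl1.0.0-dev 1.0.2n-1ubuntu5)"

# sample_manifest: runs the filter over the constructed sample.
sample_manifest() {
    printf '%s\n' "$SAMPLE_DPKG_OUTPUT" | filter_installed
}

# Running the script prints the three installed entries; libssl1.0.0 is absent.
sample_manifest
```

On a real host, `build_manifest > manifest.txt` replaces the `grep -v` pipeline; if a package still appears that you believe is removed, check its status with `dpkg-query -W -f='${Status}\n' <package>` before blaming the scanner.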
@techalchemy no issues at all. The way I see it, you fine chaps are doing all the hard work that we get to benefit from, so it makes a change to be able to (in some minute way) assist in whatever way we can. At the moment I'm not finding a system that I can test the same as what I had on, but I'll spin one up in the next few days and see if I can replicate the initial issue with those dastardly
I'm completely new to cvescan (v2.5.0) but in the hour that I've been investigating, there appears to be a difference in results when using a manifest file, or not.

Shows that no issues are present in my system (high or higher priorities).

```
$ cvescan -p all
```

Shows that no issues are present in my system (all priorities).
However, when I generate a manifest file, it's a different matter:
Lastly, when I look for libssl 1.0.0, I don't see it listed:
You'll note that I am using the FIPS 140-2 certified OpenSSL package... Does that make a difference?