Docker scout false positive on jgroups@3.6.20.Final #81

Open
alexsuter opened this issue Dec 27, 2023 · 2 comments
@alexsuter

Description

Docker Scout treats jgroups@3.6.20.Final as vulnerable and reports that 4.0 has fixed the issue. But the CVE fix has been backported to 3.6.10, which is described in the CVE report in Docker Scout itself:

https://scout.docker.com/vulnerabilities/id/CVE-2016-2141/org/axonivy

JGroups before 4.0 does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors. Fixes for this issue have been backported to versions 3.6.10.Final and 3.2.16.Final.

Reproduce

Add jgroups 3.6.20 to the image and analyze it with docker scout.

Expected behavior

jgroups 3.6.20 should not be reported as vulnerable

docker version

not important

docker info

not important

Additional Info

No response
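The mismatch this report describes is a version-range problem: the advisory text says "before 4.0" but also names backported fixes on older branches, so a scanner that stores only the single range `< 4.0` will flag 3.6.20.Final. The following is an added example, not Docker Scout's, JGroups' or the reporter's code. It compares that naive single-range check with a branch-aware one that records the fixed versions quoted in the CVE text (3.2.16.Final, 3.6.10.Final, 4.0). The branch rule it uses (a fix covers every later version with the same major.minor) and the simplified Maven-style qualifier ordering are assumptions of this example.

```python
"""Branch-aware version matching for a backported CVE fix.

Added example, not Docker Scout's or JGroups' code. It contrasts a
single-range advisory entry ("affected before 4.0") with one that also
records the backported fixes named in the CVE text (3.6.10.Final and
3.2.16.Final). The branch rule used here, that a fix covers every later
version sharing the same major.minor, is an assumption of this example.
"""
import re

# Simplified Maven-style qualifier ordering; a bare number, Final or GA sort
# highest, pre-release qualifiers below them (assumption of this example).
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "milestone": 2, "rc": 3, "cr": 3,
                   "snapshot": 4, "": 5, "final": 5, "ga": 5}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[.-]([A-Za-z]+)\d*)?")


def parse_version(text):
    """Turn '3.6.20.Final' into a comparable tuple (3, 6, 20, 5)."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = (nums + (0, 0, 0))[:3]          # pad/truncate to major.minor.patch
    qualifier = (m.group(2) or "").lower()
    if qualifier not in _QUALIFIER_RANK:
        raise ValueError(f"unknown qualifier in version: {text!r}")
    return nums + (_QUALIFIER_RANK[qualifier],)


def naive_affected(version, fixed_in="4.0.0.Final"):
    """What a scanner that stores only '< 4.0' for the advisory concludes."""
    return parse_version(version) < parse_version(fixed_in)


def branch_aware_affected(version, fixed_versions):
    """Affected unless at/after the newest fix, or at/after a backported fix
    on the same major.minor branch (the branch rule is an assumption)."""
    v = parse_version(version)
    fixes = sorted(parse_version(f) for f in fixed_versions)
    if v >= fixes[-1]:
        return False
    return not any(f[:2] == v[:2] and v >= f for f in fixes)


# Fixed versions as stated in the CVE-2016-2141 description quoted in the issue.
CVE_2016_2141_FIXED = ("3.2.16.Final", "3.6.10.Final", "4.0.0.Final")


def triage(versions, fixed_versions=CVE_2016_2141_FIXED):
    """One row per version: what the naive range says, what the branch-aware
    check says, and whether the scanner result would be a false positive."""
    rows = []
    for ver in versions:
        naive = naive_affected(ver)
        actual = branch_aware_affected(ver, fixed_versions)
        rows.append({"version": ver, "scanner_says_vulnerable": naive,
                     "actually_vulnerable": actual,
                     "false_positive": naive and not actual})
    return rows


if __name__ == "__main__":
    # Constructed sample of component versions; 3.6.20.Final is the one
    # from this report, the others probe the branch boundaries.
    for row in triage(["3.6.20.Final", "3.6.9.Final", "3.2.16.Final",
                       "3.5.1.Final", "4.0.0.Final"]):
        print(row)
```

With the fixed-version list taken from the CVE text, 3.6.20.Final is flagged by the naive range but cleared by the branch-aware check, which is exactly the false positive reported here; 3.6.9.Final and 3.2.15.Final stay vulnerable under both. A version on a branch with no backport (3.5.1.Final in the sample) is still reported as affected, which is the conservative choice when the advisory says nothing about that branch.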

@alexsuter
Author

I think it's because GitLab has the wrong version ranges, whereas GitHub has the correct ones?

[image attachment]

@thaJeztah
Member

Thanks for reporting; looks like this is related to Scout, which is currently closed source, and not maintained in this repository. Issues related to scout are best reported in https://github.com/docker/scout-cli.

I'll transfer this ticket to that issue tracker 👍

thaJeztah transferred this issue from docker/cli Jan 3, 2024
cdupuis self-assigned this Jan 10, 2024