False Positive reactive:mutiny report to CVE-2022-37832, CVE-2013-0136 #1068
Labels
bug
Something isn't working
changelog-ignore
Don't include this issue in the release changelog
false-positive
Comments
Similar issue for CVE-2018-15529:
This sort of cross-ecosystem confusion was caused by using CPE matching for language packages, but Grype now uses PURLs to match against GHSA for supported ecosystems, including Java. You can read more about this change at https://anchore.com/blog/say-goodbye-to-false-positives/. I believe this is resolved, but please let us know if we've missed something.
What happened:
False positive.
Issue with "/opt/jboss/keycloak/modules/system/layers/base/io/smallrye/reactive/mutiny/main/mutiny-1.1.2.jar", which is reactive:mutiny 1.1.2. Grype reports a critical issue with CVE-2022-37832, which is related to mutiny:mutiny.
According to this link (Published | JUMPSEC LABS): Mutiny Network Monitoring Appliance, affected versions: < 7.2.0-10855.
Which is not related.
What you expected to happen:
I do not expect it to point to mutiny:mutiny 7.x.
{
  "feed": "vulnerabilities",
  "feed_group": "nvd:cpe",
  "fix": "None",
  "nvd_data": [
    {
      "cvss_v2": {
        "base_score": -1.0,
        "exploitability_score": -1.0,
        "impact_score": -1.0
      },
      "cvss_v3": {
        "base_score": 9.8,
        "exploitability_score": 3.9,
        "impact_score": 5.9
      },
      "id": "CVE-2022-37832"
    }
  ],
  "package": "mutiny-1.1.2",
  "package_cpe": "cpe:2.3:a:reactive:mutiny:1.1.2:::::::",
  "package_cpe23": "cpe:2.3:a:reactive:mutiny:1.1.2:::::::",
  "package_name": "mutiny",
  "package_path": "/opt/jboss/keycloak/modules/system/layers/base/io/smallrye/reactive/mutiny/main/mutiny-1.1.2.jar",
  "package_type": "java-archive",
  "package_version": "1.1.2",
  "severity": "Critical",
  "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37832",
  "vendor_data": [],
  "vuln": "CVE-2022-37832"
}
Environment:
Grype version: 0.55.0.
OS:
pdu@node-10-120-218-118:~> cat /etc/os-release
NAME="SLES"
VERSION="15-SP3"
VERSION_ID="15.3"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP3"
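The cross-ecosystem confusion described in the maintainer's comment, and the reactive:mutiny report in the issue body, as an added example that is not Grype's or Syft's code: a product-name CPE match, which has no ecosystem field, flags the Java jar against a criterion for an unrelated product called "mutiny", while a Package URL (PURL) matched against ecosystem-scoped, GHSA-style records does not. The CPE string, the mutiny:mutiny criterion and the "< 7.2.0-10855" range come from the issue; the two advisory tables, the placeholder GHSA id, the hypothetical package org.example:widget, the numeric-only version compare and the vendor-agnostic CPE matching are constructed simplifications for the demonstration, not Grype's actual algorithm. The Maven coordinates io.smallrye.reactive:mutiny are assumed from the jar's module path.

```python
"""Added example, not Grype/Syft code: CPE vs PURL matching on the
mutiny-1.1.2.jar report from the issue. Advisory tables are constructed."""
import re
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'7.2.0-10855' -> (7, 2, 0, 10855). Numeric-only simplification; real
    matchers use per-ecosystem version schemes (one more reason ecosystem matters)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


# ---- CPE: part:vendor:product:version..., no ecosystem field ---------------

CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 string into named fields; '' (as Syft emits) and '*' mean any."""
    parts = cpe.split(":")
    if parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    comps = parts[2:] + ["*"] * (len(CPE_FIELDS) - len(parts[2:]))
    return {k: ("*" if v in ("", "*") else v) for k, v in zip(CPE_FIELDS, comps)}


@dataclass
class CpeAdvisory:
    vuln_id: str
    cpe: str                      # criterion with the version wildcarded
    version_end_excluding: str


# Constructed stand-in for the criterion the issue describes:
# vendor mutiny, product mutiny, affected < 7.2.0-10855.
NVD_CPE_DB = [
    CpeAdvisory("CVE-2022-37832",
                "cpe:2.3:a:mutiny:mutiny:*:*:*:*:*:*:*:*", "7.2.0-10855"),
]


def match_by_cpe(package_cpe: str, db=NVD_CPE_DB) -> list:
    """Part + product + version range. Vendor is deliberately not decisive
    (CPE generators emit several vendor guesses per jar), so a Java library
    named 'mutiny' collides with an appliance named 'mutiny'. Simplified."""
    pkg = parse_cpe23(package_cpe)
    hits = []
    for adv in db:
        crit = parse_cpe23(adv.cpe)
        if (crit["part"], crit["product"]) != (pkg["part"], pkg["product"]):
            continue
        if parse_version(pkg["version"]) < parse_version(adv.version_end_excluding):
            hits.append(adv.vuln_id)
    return hits


# ---- PURL: type (ecosystem) + namespace + name + version -------------------

PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<namespace>.+)/)?(?P<name>[^@/]+)@(?P<version>[^?#]+)")


def parse_purl(purl: str) -> dict:
    """'pkg:maven/io.smallrye.reactive/mutiny@1.1.2' -> type/namespace/name/version."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a versioned PURL: {purl!r}")
    return m.groupdict()


@dataclass
class GhsaAdvisory:
    ghsa_id: str
    ecosystem: str                # lower-cased PURL type, e.g. 'maven'
    package: str                  # 'groupId:artifactId' for Maven
    version_end_excluding: str


# Constructed GHSA-style table: deliberately no Maven entry for
# io.smallrye.reactive:mutiny. org.example:widget and its id are placeholders
# that only show the matcher firing when ecosystem and coordinates line up.
GHSA_DB = [
    GhsaAdvisory("GHSA-0000-0000-0000", "maven", "org.example:widget", "2.0.0"),
]


def match_by_purl(purl: str, db=GHSA_DB) -> list:
    """Ecosystem + coordinates + version range: a Maven artifact can never be
    matched against a record for an appliance or another ecosystem."""
    p = parse_purl(purl)
    coords = f"{p['namespace']}:{p['name']}" if p["namespace"] else p["name"]
    return [adv.ghsa_id for adv in db
            if adv.ecosystem == p["type"].lower() and adv.package == coords
            and parse_version(p["version"]) < parse_version(adv.version_end_excluding)]


def compare(package_cpe: str, purl: str) -> dict:
    """Run both matchers on the same artifact."""
    return {"cpe": match_by_cpe(package_cpe), "purl": match_by_purl(purl)}


if __name__ == "__main__":
    # The jar from the issue: CPE hit (false positive), PURL clean.
    print(compare("cpe:2.3:a:reactive:mutiny:1.1.2:::::::",
                  "pkg:maven/io.smallrye.reactive/mutiny@1.1.2"))
    # Hypothetical affected artifact: PURL hit, CPE silent.
    print(compare("cpe:2.3:a:example:widget:1.4.0:::::::",
                  "pkg:maven/org.example/widget@1.4.0"))
```

The point to take from the two runs is that the CPE hit is not a version bug: 1.1.2 really is below 7.2.0-10855, and the product names really are equal. The false positive exists because nothing in the CPE says "this is a Maven artifact", which is exactly the field a PURL carries and an ecosystem-scoped advisory source keys on.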