False Positive reactive:mutiny report to CVE-2022-37832, CVE-2013-0136

[sekveaja]

What happened:

False positive
Issue with "/opt/jboss/keycloak/modules/system/layers/base/io/smallrye/reactive/mutiny/main/mutiny-1.1.2.jar" which is reactive:mutiny 1.1.2. Grype report critical issue with CVE-2022-37832, which is related to mutiny:mutiny.
According to this link Published | JUMPSEC LABS
Mutiny Network Monitoring Appliance Affected versions: < 7.2.0-10855.

Which is not related.

What you expected to happen:

Do not expect to point to mutiny:mutiny 7.x
{
"feed": "vulnerabilities",
"feed_group": "nvd:cpe",
"fix": "None",
"nvd_data": [
{
"cvss_v2": {
"base_score": -1.0,
"exploitability_score": -1.0,
"impact_score": -1.0
},
"cvss_v3": {
"base_score": 9.8,
"exploitability_score": 3.9,
"impact_score": 5.9
},
"id": "CVE-2022-37832"
}
],
"package": "mutiny-1.1.2",
"package_cpe": "cpe:2.3:a:reactive:mutiny:1.1.2:::::::",
"package_cpe23": "cpe:2.3:a:reactive:mutiny:1.1.2:::::::",
"package_name": "mutiny",
"package_path": "/opt/jboss/keycloak/modules/system/layers/base/io/smallrye/reactive/mutiny/main/mutiny-1.1.2.jar",
"package_type": "java-archive",
"package_version": "1.1.2",
"severity": "Critical",
"url": https://nvd.nist.gov/vuln/detail/CVE-2022-37832,
"vendor_data": [],
"vuln": "CVE-2022-37832"
},

Environment:
Grype version: 0.55.0.

OS:
pdu@node-10-120-218-118:~> cat /etc/os-release
NAME="SLES"
VERSION="15-SP3"
VERSION_ID="15.3"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP3"

[mamccorm]

Similar issue for CVE-2018-15529:

• False Positive reactive:mutiny report to CVE-2018-15529 #1540

[willmurphyscode]

This sort of cross-ecosystem confusion was caused by using CPE matching for language packages, but Grype now uses PURLs to match against GHSA for supported ecosystems, including Java. You can read more about this change at https://anchore.com/blog/say-goodbye-to-false-positives/.

I believe this is resolved, but please let us know if we've missed something.