Run `grype .` to see whether we still find the vulnerabilities

```
$ syft .
NAME                   VERSION  TYPE
apache-mime4j-core     0.8.3    java-archive
apache-mime4j-dom      0.8.3    java-archive
apache-mime4j-storage  0.8.3    java-archive
mutiny                 1.1.2    java-archive
$ grype .
NAME                   INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY
apache-mime4j-core     0.8.3      0.8.10    java-archive  GHSA-jw7r-rxff-gv24  Medium
apache-mime4j-storage  0.8.3      0.8.9     java-archive  GHSA-q84x-3476-8ff2  Medium
```
Both those GHSA seem to be true positives. None of the CVEs mentioned in the original report are still reported, so I'm closing this issue, but please let me know if I've missed something.
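One way to automate the re-check described in the comment above, as an added example that is not part of the original thread or of Grype itself: it reads `grype . -o json` output and returns any match that brings back a finding already triaged as a false positive. The sample report is constructed, and the function name and deny-list format are assumptions.

```python
import json

# Constructed sample shaped like `grype . -o json` output (not real scan data);
# only the fields read below are included.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "GHSA-jw7r-rxff-gv24"},
     "relatedVulnerabilities": [],
     "artifact": {"name": "apache-mime4j-core", "version": "0.8.3"},
     "matchDetails": [{"type": "exact-direct-match"}]},
    {"vulnerability": {"id": "GHSA-q84x-3476-8ff2"},
     "relatedVulnerabilities": [],
     "artifact": {"name": "apache-mime4j-storage", "version": "0.8.3"},
     "matchDetails": [{"type": "exact-direct-match"}]},
]})

# Hypothetical deny-list: (package name prefix, vulnerability id) pairs that were
# triaged as false positives and must not be reported again.
KNOWN_FALSE_POSITIVES = [("apache-mime4j-", "CVE-2021-40525")]


def regressions(report_json, denied=KNOWN_FALSE_POSITIVES):
    """Return one (package, version, vuln id, match types) tuple per match that
    reintroduces a triaged false positive."""
    hits = []
    for match in json.loads(report_json).get("matches", []):
        artifact = match.get("artifact", {})
        name = artifact.get("name", "")
        # A match may carry the CVE as its primary id or only as a related id
        # (for example a GHSA record that aliases the CVE), so check both.
        ids = {match.get("vulnerability", {}).get("id")}
        ids.update(r.get("id") for r in match.get("relatedVulnerabilities") or [])
        types = sorted({d.get("type", "unknown") for d in match.get("matchDetails") or []})
        for prefix, vuln_id in denied:
            if name.startswith(prefix) and vuln_id in ids:
                hits.append((name, artifact.get("version"), vuln_id, types))
    return hits


if __name__ == "__main__":
    found = regressions(SAMPLE_REPORT)
    for name, version, vuln_id, types in found:
        print(f"REGRESSION {name} {version}: {vuln_id} via {', '.join(types)}")
    raise SystemExit(1 if found else 0)
```

The returned match types show how each finding was matched, which helps when deciding whether a reappearing finding is the same false positive or a new, legitimate record.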
What happened:
Issue with mime4j-storage-0.8.3, mime4j-core-0.8.3 and mime4j-dom-0.8.3,
```
"package_path": "/opt/jboss/keycloak/lib/lib/main/org.apache.james.apache-mime4j-storage-0.8.3.jar"
"package_path": "/opt/jboss/keycloak/lib/lib/main/org.apache.james.apache-mime4j-core-0.8.3.jar",
"package_path": "/opt/jboss/keycloak/lib/lib/main/org.apache.james.apache-mime4j-dom-0.8.3.jar",
```
Grype reports https://nvd.nist.gov/vuln/detail/CVE-2021-40525, which is for james version 3.6.1.
It is not the same package.
Environment:
Anchore Grype version: 0.56.0
OS type running in the current environment i.e. (cat /etc/os-release)
```
~> cat /etc/os-release
NAME="SLES"
VERSION="15-SP3"
VERSION_ID="15.3"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP3"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp3"
DOCUMENTATION_URL="https://documentation.suse.com/"
```