CVE-2020-7712 for node json package, Stackrox false positives flagging ruby json package as vulnerable #7501
Comments
@stackrox/core-workflows could you please help?
@stackrox/scanner is the right team to address this issue. Can someone from @stackrox/scanner take a look?
When you say Clair, are you referring to StackRox Scanner (based on Clair v2) or Clair, itself? I'm going to answer assuming you mean StackRox Scanner. The team is currently working on revamping the image vulnerability scanning solution, which should resolve a false positive like this.
Yes, stackrox scanner
CVE-2020-7712 is for node json package but Stackrox scanner false positives by flagging ruby json package as vulnerable
Description of Problem / Feature Request
Images with only ruby json packages are being flagged as having CVE-2020-7712 even though that CVE doesn't pertain to the ruby json package, it pertains to the npm json package. Stackrox is detecting and reporting on the ruby gem json version (2.6.3) and reporting to fix it by installing the npm json package 10.0.0+. The CPE (v1) in this CVE is
cpe:2.3:a:joyent:json:*:*:*:*:*:node.js:*:*
-- node.js doesn't seem to be interpreted properly for this violation. This problem is actually similar to another issue grype fixed; the ruby:3.1.0-bullseye image mentioned there turns up this CVE within Stackrox as an example of this issue.
Expected Outcome
Not detect this CVE for CVE-2020-7712
Actual Outcome
CVE is being detected
Environment
GKE on Stackrox 4.0.1 (now 4.3.4 still)
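The target_sw component the report points at, shown as an added example that is not StackRox or Clair code: a minimal CPE 2.3 formatted-string parser and a matcher that only flags a package when its ecosystem agrees with target_sw, so the node.js json CPE above does not match a ruby gem of the same name. The Package type and the ecosystem labels "node.js" and "ruby" are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// CPE keeps the two CPE 2.3 components this matcher needs.
type CPE struct{ Product, TargetSw string }

// ParseCPE23 splits a "cpe:2.3:..." formatted string on unescaped colons.
// A backslash-escaped ":" stays inside its component instead of splitting it.
func ParseCPE23(s string) (CPE, error) {
	var fields []string
	var cur strings.Builder
	for i := 0; i < len(s); i++ {
		switch {
		case s[i] == '\\' && i+1 < len(s):
			cur.WriteString(s[i : i+2])
			i++
		case s[i] == ':':
			fields = append(fields, cur.String())
			cur.Reset()
		default:
			cur.WriteByte(s[i])
		}
	}
	fields = append(fields, cur.String())
	// cpe, 2.3, then the eleven attributes: part, vendor, product, version,
	// update, edition, language, sw_edition, target_sw, target_hw, other.
	if len(fields) != 13 || fields[0] != "cpe" || fields[1] != "2.3" {
		return CPE{}, fmt.Errorf("not a CPE 2.3 formatted string: %q", s)
	}
	attrs := fields[2:]
	return CPE{Product: attrs[2], TargetSw: attrs[8]}, nil
}

// Package is a discovered package and the ecosystem it was found in
// (assumed labels: "node.js" for an npm module, "ruby" for a gem).
type Package struct{ Name, Ecosystem string }

// Matches treats "*" (ANY) as matching everything; a concrete target_sw must
// equal the package ecosystem. That check is what separates the npm json
// package from the ruby json gem when the product names are identical.
func Matches(c CPE, p Package) bool {
	if c.Product != "*" && !strings.EqualFold(c.Product, p.Name) {
		return false
	}
	return c.TargetSw == "*" || strings.EqualFold(c.TargetSw, p.Ecosystem)
}
```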