CVE-2020-7712 for node json package, Stackrox false positives flagging ruby json package as vulnerable #7501
Comments
danekantner
changed the title
danekantner
changed the title
danekantner
changed the title
|
@stackrox/core-workflows could you please help? |
|
@stackrox/scanner is the right team to address this issue. Can someone from @stackrox/scanner take a look? |
|
When you say Clair, are you referring to StackRox Scanner (based on Clair v2) or Clair, itself? I'm going to answer assuming you mean StackRox Scanner. The team is currently working on revamping the image vulnerability scanning solution, which should resolve a false positive like this |
|
Yes, stackrox scanner |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2020-7712 is for node json package but Stackrox scanner false positives by flagging ruby json package as vulnerable
Description of Problem / Feature Request
Images with only ruby json packages are being flagged as having CVE-2020-7712 even though that CVE doesn't pertain to the ruby json package, it pertains to the npm json package. Stackrox is detecting and reporting on the ruby gem json version (2.6.3) and reporting to fix it by installing the npm json package 10.0.0+. The CPE (v1) in this CVE is
cpe:2.3:a:joyent:json:*:*:*:*:*:node.js:*:*-- node.js doesn't seem to be interpreted properly for this violation.This problem is actually similar to another issue grype fixed; the ruby:3.1.0-bullseye image mentioned there turns up this CVE within Stackrox as an example of this issue.
Expected Outcome
Not detect this CVE for CVE-2020-7712
Actual Outcome
CVE is being detected
Environment
GKE on Stackrox 4.0.1 (now 4.3.4 still)
The text was updated successfully, but these errors were encountered: