quay / clair

Vulnerability Static Analysis for Containers

Home Page: https://quay.github.io/clair/

CVE-2023-38408 is not found on any images that other scanners show have it

danekantner opened this issue · comments

CVE-2023-38408 (GHSA-px36-p9hv-7h2v) is not reported as found on any images that other scanners show as having it (Google's own container registry scanner and Orca find the vuln w/ openssh-client).

us.gcr.io/tempus-container-registry/cert-manager-identity-sidecar:latest is a public image flagged by other scanners as having GHSA-px36-p9hv-7h2v, but it is not reported when scanned. The image's apt list results show it is installed w/ the vulnerable version: openssh-client/now 1:8.4p1-5+deb11u1 amd64 [installed,local], as listed on the Debian page for the CVE.

You'll need to post logs and the json output from clairctl report.

Closing due to inactivity.