CVE-2020-7712 is for node json package but clair false positives by flagging ruby json package as vulnerable
danekantner opened this issue
Description of Problem / Feature Request
Images with only ruby json packages are being flagged as having CVE-2020-7712 even though that CVE doesn't pertain to the ruby json package, it pertains to the npm json package. Clair is detecting and reporting on the ruby gem json version (2.6.3) and reporting to fix it by installing the npm json package 10.0.0+. The CPE (v1) in this CVE is cpe:2.3:a:joyent:json:*:*:*:*:*:node.js:*:*
This problem is actually similar to another issue grype fixed; the ruby:3.1.0-bullseye image mentioned there turns up this CVE within Clair.
Expected Outcome
Not detect this CVE for CVE-2020-7712
Actual Outcome
CVE is being detected
Environment
- This is Clair via Stackrox 4.0.1
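An added example (not Clair's, Stackrox's, or the reporter's code) of the check that avoids this class of false positive: parse the CPE 2.3 string quoted above and require its target_sw to agree with the package ecosystem before a product-name match is reported. The ecosystem mapping and the sample package records are assumptions; version ranges are not compared.

```go
package main

import (
	"fmt"
	"strings"
)

// CPE holds the CPE 2.3 attributes that matter for this check.
type CPE struct {
	Vendor, Product, Version, TargetSW string
}

// ParseCPE parses a CPE 2.3 formatted string (13 colon-separated fields).
// Escaped colons ("\:") are not handled; the CPE in the issue has none.
func ParseCPE(s string) (CPE, error) {
	f := strings.Split(s, ":")
	if len(f) != 13 || f[0] != "cpe" || f[1] != "2.3" {
		return CPE{}, fmt.Errorf("not a CPE 2.3 formatted string: %q", s)
	}
	// Field 10 is target_sw; "*" means ANY.
	return CPE{Vendor: f[3], Product: f[4], Version: f[5], TargetSW: f[10]}, nil
}

// Package is a package found in an image, tagged with the ecosystem it came from.
type Package struct {
	Name, Version, Ecosystem string // Ecosystem: "npm", "rubygems", ... (assumed labels)
}

// ecosystemForTargetSW maps a CPE target_sw value to the ecosystem whose
// packages it can describe. Assumed mapping, not a table from Clair.
var ecosystemForTargetSW = map[string]string{"node.js": "npm", "ruby": "rubygems"}

// Matches reports whether a CPE applies to a package. The product name alone
// is not enough: when target_sw is set it must agree with the ecosystem,
// otherwise a node.js "json" CPE matches the ruby "json" gem.
func Matches(c CPE, p Package) bool {
	if c.Product != p.Name {
		return false
	}
	if c.TargetSW == "*" {
		return true
	}
	return ecosystemForTargetSW[c.TargetSW] == p.Ecosystem
}

func main() {
	c, _ := ParseCPE("cpe:2.3:a:joyent:json:*:*:*:*:*:node.js:*:*")
	fmt.Println(Matches(c, Package{"json", "2.6.3", "rubygems"})) // false: ruby gem, not node.js
	fmt.Println(Matches(c, Package{"json", "9.0.6", "npm"}))      // true: constructed npm record
}
```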
If you're seeing this with Stackrox, you should open an issue with Stackrox.
Feel free to reopen with:
- Clair version
- JSON clairctl output (i.e. clairctl report -o json ...)