This repository was archived by the owner on Oct 3, 2020. It is now read-only.
Debian: false positives #39
Open
Description
We're seeing several false positives with up to date debian jessie images.
I've constructed a simple example at https://github.com/rmoriz/anchore-false-positive to reproduce.
test.sh will:
- build a docker image based on the latest `debian:jessie` and install `libgnutls-deb0-28` (package `libgnutls-deb0-28:amd64 3.3.8-6+deb8u7` gets installed)
- set up anchore and do the test.
However, `docker exec anchore anchore query --image false-positive cve-scan all` returns several HIGH issues regarding that package:
```
| CVE-2017-5337 | High   | 1 | libgnutls-deb0-28-3.3.8-6+deb8u7 | None | e6e3610342fb (false-positive:latest) | None | https://security-tracker.debian.org/tracker/CVE-2017-5337 |
| CVE-2017-5336 | High   | 1 | libgnutls-deb0-28-3.3.8-6+deb8u7 | None | e6e3610342fb (false-positive:latest) | None | https://security-tracker.debian.org/tracker/CVE-2017-5336 |
| CVE-2017-5335 | Medium | 1 | libgnutls-deb0-28-3.3.8-6+deb8u7 | None | e6e3610342fb (false-positive:latest) | None | https://security-tracker.debian.org/tracker/CVE-2017-5335 |
| CVE-2017-5334 | High   | 1 | libgnutls-deb0-28-3.3.8-6+deb8u7 | None | e6e3610342fb (false-positive:latest) | None | https://security-tracker.debian.org/tracker/CVE-2017-5334 |
```
Debian Security Tracker claims that version "3.3.8-6+deb8u7" is fixed for all issues: