anchore / anchore-engine

A service that analyzes docker images and scans for vulnerabilities
Apache License 2.0

False positive reported for CVE-2017-15806 #1301

Open alissongdgarcia opened 2 years ago

alissongdgarcia commented 2 years ago

Is this a request for help?: Yes

Is this a BUG REPORT or a FEATURE REQUEST? (choose one): BUG REPORT

Version of Anchore Engine and Anchore CLI if applicable: anchore-cli 0.8.2

What happened: Anchore reported CVE-2017-15806 on the Java Mail library (https://repo1.maven.org/maven2/javax/mail/mail/1.4.1/mail-1.4.1.jar). But CVE-2017-15806 reports a vulnerability in Zeta Components (http://zetacomponents.org/), which is a pure PHP mail library, while Java Mail is a pure Java one.

What did you expect to happen: CVE-2017-15806 shouldn't be reported on Java Mail.

Any relevant log output from /var/log/anchore:

```json
{
  "feed": "nvdv2",
  "feed_group": "nvdv2:cves",
  "fix": "None",
  "nvd_data": [
    {
      "cvss_v2": { "base_score": 6.8, "exploitability_score": 8.6, "impact_score": 6.4 },
      "cvss_v3": { "base_score": 8.1, "exploitability_score": 2.2, "impact_score": 5.9 },
      "id": "CVE-2017-15806"
    }
  ],
  "package": "mail-1.4.1",
  "package_cpe": "cpe:/a:-:mail:1.4.1:-:-",
  "package_cpe23": "cpe:2.3:a:-:mail:1.4.1:-:-:-:-:-:-:-",
  "package_name": "mail",
  "package_path": "/ericssonbilling/3pp/jar/jbpm/lib/mail.jar",
  "package_type": "java",
  "package_version": "1.4.1",
  "severity": "High",
  "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15806",
  "vendor_data": [],
  "vuln": "CVE-2017-15806"
}
```

What docker images are you using: Anchore inline scanner

How to reproduce the issue: Scan any image that contains the regular Java Mail library 1.4 or 1.4.1

Anything else we need to know: No
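The report's `package_cpe23` has no vendor (`-`), only the generic product name `mail`, which is how an NVD entry for a different vendor's "mail" product can be matched. The following is an added example, not anchore-engine code, that shows a minimal CPE 2.3 matcher treating the unknown vendor as a wildcard (reproducing the false positive) beside the same matcher requiring vendors to agree; the NVD CPE string is a constructed stand-in, not the real CVE-2017-15806 configuration.

```python
"""Added example (not anchore-engine code): a vendor-less package CPE matching
an unrelated product's CPE, and a stricter vendor rule that suppresses it."""
from dataclasses import dataclass

ANY = "*"  # CPE 2.3 wildcard ("any value")
NA = "-"   # CPE 2.3 "not applicable" / value not known


@dataclass(frozen=True)
class Cpe23:
    part: str
    vendor: str
    product: str
    version: str

    @classmethod
    def parse(cls, text: str) -> "Cpe23":
        # cpe:2.3:part:vendor:product:version:update:edition:lang:sw_ed:tgt_sw:tgt_hw:other
        fields = text.split(":")
        if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
            raise ValueError(f"not a CPE 2.3 string: {text}")
        return cls(*fields[2:6])


def _attr_match(pkg: str, nvd: str, loose: bool) -> bool:
    if ANY in (pkg, nvd):
        return True
    if loose and NA in (pkg, nvd):
        return True  # loose rule: an unknown value is allowed to match anything
    return pkg.lower() == nvd.lower()


def cpe_matches(pkg: Cpe23, nvd: Cpe23, loose_vendor: bool) -> bool:
    """Part, product and version must agree; the vendor rule is configurable."""
    return (_attr_match(pkg.part, nvd.part, False)
            and _attr_match(pkg.vendor, nvd.vendor, loose_vendor)
            and _attr_match(pkg.product, nvd.product, False)
            and _attr_match(pkg.version, nvd.version, False))


# Package CPE copied from the issue report: vendor unknown, product "mail".
JAVAMAIL_PKG = "cpe:2.3:a:-:mail:1.4.1:-:-:-:-:-:-:-"
# Constructed stand-in for an NVD entry naming a different vendor's "mail".
NVD_ENTRIES = {"CVE-2017-15806": "cpe:2.3:a:php_vendor_placeholder:mail:*:*:*:*:*:*:*:*"}


def find_matches(package_cpe: str, nvd: dict, loose_vendor: bool) -> list:
    pkg = Cpe23.parse(package_cpe)
    return sorted(cve for cve, s in nvd.items()
                  if cpe_matches(pkg, Cpe23.parse(s), loose_vendor))


if __name__ == "__main__":
    print(find_matches(JAVAMAIL_PKG, NVD_ENTRIES, loose_vendor=True))   # ['CVE-2017-15806']
    print(find_matches(JAVAMAIL_PKG, NVD_ENTRIES, loose_vendor=False))  # []
```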