Is this a BUG REPORT or a FEATURE REQUEST? BUG REPORT
Version of Anchore Engine and Anchore CLI if applicable:
Anchore engine version: v0.10.0
What happened:
We scanned a docker image using the Anchore APIs and it reported CVE-2020-25637 vulnerability in three libvirt packages. The JSON snippet from the results is:
More evidence on the libvrt versions inside our image:
$ docker run -it --rm --entrypoint bash stunnel-sidecar:0a0d82ec9f135fd38056dadbaddef1afee41dc34-amd64
bash-5.1$ apk -v info | grep libvirt
libvirt-libs-6.6.0-r4
libvirt-6.6.0-r4
libvirt-client-6.6.0-r4
bash-5.1$
What did you expect to happen:
According to Alpine (see https://security.alpinelinux.org/vuln/CVE-2020-25637), version 6.6.0-r4 was patched and Anchore should not report a vulnerability but it does. Anchore needs to recognize that upgrading to a later version with the fix is not the only solution when the fix has also been backported to older versions.
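The check the report is asking for, as an added example that is not Anchore's code and not part of the original issue: match each installed apk package against the distro's own "fixed in" version (Alpine publishes these per origin package in the secdb `secfixes` map) instead of only the upstream version. The secdb content is a constructed sample embedded so the example runs offline, the subpackage-to-origin map (`ASSUMED_ORIGINS`) is an assumption, and the version comparator is deliberately simplified (plain dotted numbers plus `-rN`; apk's `_alpha`/`_p` suffixes are not handled).

```python
import json
import re
from functools import cmp_to_key
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of Alpine's secdb JSON (e.g. https://secdb.alpinelinux.org/v3.12/main.json):
# "secfixes" maps each fixed package version to the CVEs that version closes. The only CVE here is the
# one from the report above; the data is embedded so the example runs offline and is not authoritative.
SAMPLE_SECDB = json.dumps({
    "distroversion": "v3.12",
    "reponame": "main",
    "packages": [
        {"pkg": {"name": "libvirt", "secfixes": {"6.6.0-r4": ["CVE-2020-25637"]}}},
    ],
})

# Output of `apk -v info | grep libvirt` as quoted in the report.
APK_INFO_OUTPUT = """\
libvirt-libs-6.6.0-r4
libvirt-6.6.0-r4
libvirt-client-6.6.0-r4
"""

# Assumed subpackage -> origin (source package) mapping. secfixes are keyed by the origin package,
# so a scanner has to resolve subpackages to it before looking up a fix.
ASSUMED_ORIGINS = {"libvirt-libs": "libvirt", "libvirt-client": "libvirt"}

_APK_INFO_LINE = re.compile(r"^(?P<name>.+?)-(?P<version>\d[^-]*(?:-r\d+)?)$")
_PLAIN_VERSION = re.compile(r"^\d+(\.\d+)*$")


def parse_apk_info_line(line: str) -> Tuple[str, str]:
    """Split 'name-version-rN' into (name, 'version-rN'); the version starts at the first '-<digit>'."""
    m = _APK_INFO_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised apk info line: {line!r}")
    return m.group("name"), m.group("version")


def parse_apk_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Return (numeric upstream components, pkgrel). Simplified: apk's _alpha/_p/letter suffixes are rejected."""
    base, sep, rel = version.partition("-r")
    if not _PLAIN_VERSION.match(base) or (sep and not rel.isdigit()):
        raise ValueError(f"unsupported apk version syntax: {version!r}")
    return tuple(int(p) for p in base.split(".")), int(rel) if sep else 0


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 like a C comparator: upstream version first, then the Alpine pkgrel."""
    (va, ra), (vb, rb) = parse_apk_version(a), parse_apk_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return ((va, ra) > (vb, rb)) - ((va, ra) < (vb, rb))


def load_secfixes(secdb_json: str) -> Dict[str, Dict[str, List[str]]]:
    """origin package name -> {fixed version: [CVE, ...]}"""
    db = json.loads(secdb_json)
    return {e["pkg"]["name"]: e["pkg"].get("secfixes", {}) for e in db["packages"]}


def fixed_version_for(secfixes, origin: str, cve: str) -> Optional[str]:
    """Lowest version of `origin` whose secfixes entry lists `cve`, or None if the distro lists no fix."""
    candidates = [v for v, cves in secfixes.get(origin, {}).items() if cve in cves]
    return min(candidates, key=cmp_to_key(compare_versions)) if candidates else None


def is_vulnerable(pkg: str, installed: str, cve: str, secfixes, origins) -> Optional[bool]:
    """True if installed < distro fix, False if at or above it, None when the secdb has no entry
    (a scanner should then fall back to another source rather than assume 'fixed')."""
    fixed = fixed_version_for(secfixes, origins.get(pkg, pkg), cve)
    if fixed is None:
        return None
    return compare_versions(installed, fixed) < 0


def naive_is_vulnerable(installed: str, fixed: str) -> bool:
    """The faulty logic the report describes: compare only the upstream part and throw away the
    pkgrel that carries Alpine's backport, so 6.6.0-r4 is judged older than the 6.6.0-r4 fix."""
    upstream_only = installed.partition("-r")[0]
    return compare_versions(upstream_only, fixed) < 0


def evaluate_image(apk_info_output: str, cve: str, secdb_json: str, origins) -> Dict[str, Optional[bool]]:
    """Per installed package: vulnerable / fixed-by-backport / unknown for one CVE."""
    secfixes = load_secfixes(secdb_json)
    results = {}
    for line in apk_info_output.splitlines():
        if line.strip():
            name, version = parse_apk_info_line(line)
            results[name] = is_vulnerable(name, version, cve, secfixes, origins)
    return results


if __name__ == "__main__":
    for name, vuln in evaluate_image(APK_INFO_OUTPUT, "CVE-2020-25637", SAMPLE_SECDB, ASSUMED_ORIGINS).items():
        state = "VULNERABLE" if vuln else ("fixed (backport)" if vuln is False else "unknown")
        print(f"{name}: {state}")
    print("naive upstream-only check:", naive_is_vulnerable("6.6.0-r4", "6.6.0-r4"))
```

Running it marks all three libvirt packages from the report as fixed, while the upstream-only comparison still reports them vulnerable, which is the false positive described above. Note the None case: a missing secdb entry means "the distro has not published a fix for this package", not "not affected", so a scanner should consult its other feeds rather than treat it as clean.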