anchore / anchore-engine

A service that analyzes docker images and scans for vulnerabilities
Apache License 2.0

False Positive CVE-2015-4035 reported against xz-1.9.jar #1375

Open navzen2000 opened 2 years ago

navzen2000 commented 2 years ago

Is this a request for help?:


Is this a BUG REPORT or a FEATURE REQUEST? (choose one): BUG REPORT

Version of Anchore Engine and Anchore CLI if applicable:

v1.0.1

What happened:

Anchore scan incorrectly reported CVE-2015-4035 against xz-1.9.jar (https://snyk.io/vuln/maven:org.tukaani%3Axz)

This CVE is applicable for script/xzgrep

What did you expect to happen:

Any relevant log output from /var/log/anchore:

What docker images are you using:

How to reproduce the issue:

Anything else we need to know:

navzen2000 commented 2 years ago

```json
"vulnerabilities": [
  {
    "feed": "vulnerabilities",
    "feed_group": "nvd",
    "fix": "None",
    "nvd_data": [
      {
        "cvss_v2": {
          "base_score": 4.6,
          "exploitability_score": 3.9,
          "impact_score": 6.4
        },
        "cvss_v3": {
          "base_score": 7.8,
          "exploitability_score": 1.8,
          "impact_score": 5.9
        },
        "id": "CVE-2015-4035"
      }
    ],
    "package": "xz-1.9",
    "package_cpe": "None",
    "package_cpe23": "cpe:2.3:a:tukaani:xz:1.9:::::::*",
    "package_name": "xz",
    "package_path": "xz-1.9.jar",
    "package_type": "java",
    "package_version": "1.9",
    "severity": "High",
    "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-4035",
    "vendor_data": [],
    "vuln": "CVE-2015-4035",
    "will_not_fix": false
  }
```
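The finding above is an NVD-only match on the CPE vendor/product pair `tukaani:xz`, which names the C utilities but is also how the Java port's jar gets mapped. The following script is an added example, not code from the issue or from anchore-engine: it parses findings in the report shape quoted above, decomposes the CPE 2.3 string, and flags NVD-only matches whose vendor/product pair and package ecosystem are on a team-maintained collision list (the list contents and the enclosing `{"vulnerabilities": [...]}` wrapper are assumptions; the single finding is the one from this issue, re-typed as sample input).

```python
import json

# Constructed sample: the one finding quoted in the issue, wrapped in the
# top-level object assumed to surround it in an Anchore vulnerability report.
SAMPLE_REPORT = json.loads("""
{"vulnerabilities": [
  {"feed": "vulnerabilities", "feed_group": "nvd", "fix": "None",
   "package": "xz-1.9", "package_cpe23": "cpe:2.3:a:tukaani:xz:1.9:::::::*",
   "package_name": "xz", "package_path": "xz-1.9.jar", "package_type": "java",
   "package_version": "1.9", "severity": "High", "vendor_data": [],
   "vuln": "CVE-2015-4035", "will_not_fix": false}
]}
""")

# Hypothetical review list of (vendor, product, package_type) triples a team has
# confirmed are cross-ecosystem CPE collisions; the issue reports only this one.
KNOWN_CPE_COLLISIONS = {("tukaani", "xz", "java")}


def parse_cpe23(cpe):
    """Return (part, vendor, product, version) from a CPE 2.3 formatted string.

    Empty or '*' components in the remaining fields mean ANY and are ignored here.
    """
    fields = cpe.split(":")
    if len(fields) < 6 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return tuple(fields[2:6])


def needs_review(finding):
    """True when a finding rests only on an NVD CPE match (no vendor feed data)
    and its vendor/product/ecosystem triple is a known collision, so a reviewer
    should confirm whether the CVE applies to this package at all."""
    if finding.get("feed_group") != "nvd" or finding.get("vendor_data"):
        return False
    _, vendor, product, _ = parse_cpe23(finding["package_cpe23"])
    return (vendor, product, finding.get("package_type")) in KNOWN_CPE_COLLISIONS


def triage(report):
    """Return (vuln id, package path, needs_review) for every finding in the report."""
    return [(f["vuln"], f["package_path"], needs_review(f))
            for f in report["vulnerabilities"]]


if __name__ == "__main__":
    for vuln, path, flagged in triage(SAMPLE_REPORT):
        print(f"{vuln} {path} {'REVIEW: probable CPE collision' if flagged else 'ok'}")
```

A finding that also carries `vendor_data` (a distro or language advisory feed) is deliberately not flagged, since then the match no longer depends on the CPE alone.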