Open navzen2000 opened 2 years ago
The fix for this is, for packages with _fips in the version string, scanning against ELSAs for versions also containing _fips, and skipping those advisories for packages that don't have the _fips version tag.
I explained this in detail to the Trivy project here; this advice also applies to Anchore. If you have any additional questions, my contact info is in that issue comment: https://github.com/aquasecurity/trivy/issues/1967#issuecomment-1092987400
Is this a request for help?:
Is this a BUG REPORT or a FEATURE REQUEST? (choose one): BUG
Version of Anchore Engine and Anchore CLI if applicable:
What happened:
Anchore incorrectly reports vulnerabilities against non-fips packages
These issues are meant for fips enabled packages
What did you expect to happen:
Any relevant log output from /var/log/anchore:
What docker images are you using:
How to reproduce the issue:
Anything else we need to know:
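The matching rule described at the top of this issue, as an added example that is not part of the original issue and is not Anchore's or Trivy's code: an advisory is only compared against a package when both carry, or both lack, the _fips tag. The function names, the simplified version ordering (no epoch handling, not a full rpmvercmp) and the sample advisory ids and versions are assumptions constructed for illustration.

```python
import re

FIPS_TAG = "_fips"

def is_fips(version):
    """True when the version string carries the _fips tag."""
    return FIPS_TAG in version

def version_key(version):
    """Simplified stand-in for RPM version ordering (assumption, not rpmvercmp):
    split into digit/letter runs; a numeric run sorts above an alphabetic one."""
    return [(1, int(s), "") if s.isdigit() else (0, 0, s)
            for s in re.findall(r"\d+|[A-Za-z]+", version)]

def naive_applies(installed, fixed):
    """Behaviour reported in the issue: compare versions regardless of flavour."""
    return version_key(installed) < version_key(fixed)

def advisory_applies(installed, fixed):
    """Compare like with like: _fips packages against _fips fixed versions,
    and skip _fips advisories for packages without the tag."""
    if is_fips(installed) != is_fips(fixed):
        return False
    return version_key(installed) < version_key(fixed)

def scan(packages, advisories, applies=advisory_applies):
    """Return (package, installed, advisory id) for every advisory that applies."""
    return [(name, installed, adv["id"])
            for name, installed in packages
            for adv in advisories
            if adv["package"] == name and applies(installed, adv["fixed"])]

# Constructed sample data; advisory ids and versions are placeholders.
ADVISORIES = [
    {"id": "ELSA-EXAMPLE-0001", "package": "libgcrypt", "fixed": "1.8.5-6.el8"},
    {"id": "ELSA-EXAMPLE-0002", "package": "libgcrypt", "fixed": "1.8.5-7.el8_fips"},
]
STANDARD_HOST = [("libgcrypt", "1.8.5-6.el8")]
FIPS_HOST = [("libgcrypt", "1.8.5-6.el8_fips")]

if __name__ == "__main__":
    print("naive, standard host:", scan(STANDARD_HOST, ADVISORIES, naive_applies))
    print("fixed, standard host:", scan(STANDARD_HOST, ADVISORIES))
    print("fixed, fips host:    ", scan(FIPS_HOST, ADVISORIES))
```

The naive comparison flags the non-fips package against the _fips advisory, which is the false positive reported here; the flavour-aware check reports that advisory only for the _fips build.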