anchore / anchore-engine

A service that analyzes docker images and scans for vulnerabilities
Apache License 2.0
1.57k stars 273 forks

Incorrect reporting of vulnerability against non fips package #1385

Open navzen2000 opened 2 years ago

navzen2000 commented 2 years ago

Is this a request for help?:


Is this a BUG REPORT or a FEATURE REQUEST? (choose one): BUG

Version of Anchore Engine and Anchore CLI if applicable:

What happened:

Anchore incorrectly reports vulnerability against non-fips packages

```json
        "package": "libgcrypt-1.8.5-6.el8",
        "package_cpe": "None",
        "package_cpe23": "None",
        "package_name": "libgcrypt",
        "package_path": "pkgdb",
        "package_type": "rpm",
        "package_version": "1.8.5-6.el8",
        "severity": "Medium",
        "url": "https://linux.oracle.com/errata/ELSA-2022-9263.html",
        "vendor_data": [],
        "vuln": "ELSA-2022-9263",
```

```json
        "package": "gnutls-3.6.16-4.el8",
        "package_cpe": "None",
        "package_cpe23": "None",
        "package_name": "gnutls",
        "package_path": "pkgdb",
        "package_type": "rpm",
        "package_version": "3.6.16-4.el8",
        "severity": "Medium",
        "url": "https://linux.oracle.com/errata/ELSA-2022-9221.html",
        "vendor_data": [],
        "vuln": "ELSA-2022-9221",
        "will_not_fix": false
```

These issues are meant for fips-enabled packages.

What did you expect to happen:

Any relevant log output from /var/log/anchore:

What docker images are you using:

How to reproduce the issue:

Anything else we need to know:

tvierling commented 1 year ago

The fix for this is, for packages with _fips in the version string, scanning against ELSAs for versions also containing _fips, and skipping those advisories for packages that don't have the _fips version tag.

I explained this in detail to the Trivy project here; this advice also applies to Anchore. If you have any additional questions, my contact info is in that issue comment: https://github.com/aquasecurity/trivy/issues/1967#issuecomment-1092987400
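The matching rule tvierling describes above, worked through as an added example. This is illustration code written for this page, not the matcher from anchore-engine or Trivy. It assumes the FIPS variant is recognisable by a literal `_fips` substring in the version-release string, uses a simplified rpm-style version comparison (no epoch, tilde or caret handling), and the fixed-version strings in the sample feed are constructed placeholders rather than the real contents of the two ELSAs quoted in the report.

```python
import re
from dataclasses import dataclass
from typing import List

# Tag assumed to mark Oracle Linux FIPS-validated builds in the
# version-release string (taken from the comment above, which says
# to look for "_fips" in the version).
FIPS_TAG = "_fips"


@dataclass
class Advisory:
    vuln_id: str
    package_name: str
    fixed_versions: List[str]  # version-release strings that carry the fix


def is_fips_build(version: str) -> bool:
    """True if a package version or fixed version refers to the FIPS variant."""
    return FIPS_TAG in version


def _segments(version: str) -> List[str]:
    # rpm-style: compare runs of digits and runs of letters, ignore separators
    return re.findall(r"\d+|[A-Za-z]+", version)


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp (assumption: no epoch, tilde or caret handling).
    Returns -1 if a < b, 0 if equal, 1 if a > b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit():
            return 1          # a numeric segment sorts newer than an alpha one
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def advisory_applies(package_name: str, package_version: str, adv: Advisory) -> bool:
    """Rule from the comment: a FIPS package is compared only against FIPS
    fixed versions, a non-FIPS package only against non-FIPS ones. An advisory
    whose fixed versions are all for the other variant is skipped entirely."""
    if adv.package_name != package_name:
        return False
    want_fips = is_fips_build(package_version)
    candidates = [v for v in adv.fixed_versions if is_fips_build(v) == want_fips]
    if not candidates:
        return False   # advisory only covers the other build variant: skip it
    return any(rpm_vercmp(package_version, fixed) < 0 for fixed in candidates)


def match_advisories(package_name: str, package_version: str,
                     advisories: List[Advisory]) -> List[str]:
    """Return the advisory ids that apply to one installed package."""
    return [a.vuln_id for a in advisories
            if advisory_applies(package_name, package_version, a)]


# Constructed sample feed. The two ELSA ids are the ones from the report above;
# the fixed version strings are placeholders, not the real errata contents.
SAMPLE_ADVISORIES = [
    Advisory("ELSA-2022-9263", "libgcrypt", ["1.8.5-7.el8_fips"]),
    Advisory("ELSA-2022-9221", "gnutls", ["3.6.16-5.el8_fips"]),
    # hypothetical non-FIPS advisory, to show the rule working the other way
    Advisory("ELSA-PLACEHOLDER-0001", "libgcrypt", ["1.8.5-7.el8"]),
]


if __name__ == "__main__":
    for name, ver in [("libgcrypt", "1.8.5-6.el8"),
                      ("libgcrypt", "1.8.5-6.el8_fips"),
                      ("gnutls", "3.6.16-4.el8")]:
        print(name, ver, "->", match_advisories(name, ver, SAMPLE_ADVISORIES))
```

With this filter the two packages from the report (`libgcrypt-1.8.5-6.el8`, `gnutls-3.6.16-4.el8`) no longer match the FIPS-only advisories, while a `_fips` build of libgcrypt still matches ELSA-2022-9263. The substring check is the naive reading of the comment; a production matcher would want the variant rule to come from the feed's own metadata rather than from a string pattern.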