Open LoicGombeaud opened 4 years ago
Thanks for the detailed report. This is an issue we're looking into but currently is caused by the lack of classification information in the NVD data to disambiguate packages from different package managers but with the same name. In these cases the package managers create implicit namespaces that are often not reflected in NVD's CPE data.
The current best solution is to whitelist those specific findings in your policy bundle: https://docs.anchore.com/current/docs/engine/general/concepts/policy/whitelists/
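To make the namespace collision in the comment above concrete, here is an added illustration (not Anchore code) of why a name-only vulnerability match flags the Ruby gem `git` 1.5.0 for a record that concerns the OS package `git`, how ecosystem-tagged data avoids that, and how a whitelist keyed by (vulnerability id, package name) suppresses the finding. The package list, the vulnerability records and the `VULN-PLACEHOLDER-1` id are constructed sample data; the whitelist key shape is an assumption for illustration.

```python
from typing import List, NamedTuple, Optional, Set, Tuple


class Package(NamedTuple):
    name: str
    version: str
    ecosystem: str  # "dpkg" for an OS package, "gem" for a Ruby gem


class VulnRecord(NamedTuple):
    vuln_id: str              # constructed placeholder, not a real CVE
    name: str
    fixed_in: str             # first version that is not affected
    ecosystem: Optional[str]  # None models CPE-style data with no namespace


def _ver(v: str) -> Tuple[int, ...]:
    """Simplified dotted-version comparison (sufficient for the sample data)."""
    return tuple(int(x) for x in v.split("."))


def find_findings(packages: List[Package], vulns: List[VulnRecord],
                  whitelist: Set[Tuple[str, str]] = frozenset()):
    """Return (vuln_id, package name, ecosystem) for every affected package."""
    findings = []
    for pkg in packages:
        for v in vulns:
            if pkg.name != v.name:
                continue
            # A record without an ecosystem applies to every package of that
            # name: this is the ambiguity the maintainer's comment describes.
            if v.ecosystem is not None and v.ecosystem != pkg.ecosystem:
                continue
            if _ver(pkg.version) >= _ver(v.fixed_in):
                continue  # installed version already carries the fix
            if (v.vuln_id, pkg.name) in whitelist:
                continue  # suppressed by policy-bundle whitelist (assumed key)
            findings.append((v.vuln_id, pkg.name, pkg.ecosystem))
    return findings


# Constructed image contents mirroring the report: both packages are named "git".
IMAGE_PACKAGES = [Package("git", "2.22.0", "dpkg"), Package("git", "1.5.0", "gem")]
# Same constructed record, once without and once with ecosystem information.
NVD_STYLE = [VulnRecord("VULN-PLACEHOLDER-1", "git", "2.20.0", None)]
DISTRO_STYLE = [VulnRecord("VULN-PLACEHOLDER-1", "git", "2.20.0", "dpkg")]
```

With the un-namespaced record the only finding is against the gem, a false positive; with the ecosystem-tagged record there is none.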
Is this a request for help?: No
Is this a BUG REPORT or a FEATURE REQUEST? (choose one): BUG REPORT
Version of Anchore Engine and Anchore CLI if applicable:
anchore-cli, version 0.4.1
I don't have access to the Anchore Engine container unfortunately.
What happened: On a custom image based on ubuntu, I installed the OS package `git` version 2.22.0, and the Ruby gem `ruby-git`, version 1.5.0. This Ruby gem uses the installed git binary, but doesn't include one or install one: https://github.com/ruby-git/ruby-git Its declared name in the gemspec file is `git`, hence the confusion according to @nurmi.
When I analyzed the image, Anchore failed the check, due to CVEs related to older versions of the OS package `git`, as though I had installed an older version of the package.
What did you expect to happen: I expected the check to pass, since the installed `git` package is the latest version.
Any relevant log output from /var/log/anchore: I don't have access to the logs, but here's the output from `anchore-cli evaluate check <my_image> --detail`:
What docker images are you using: A custom one based on ubuntu.
How to reproduce the issue: Run a check on an image based on this Dockerfile:
Anything else we need to know: