Open ldath opened 4 years ago
Hi @ldath. We can take a look at that image and see if that jar provides any additional data we can use to make our Java identification heuristics better, or if there is a bug being exposed, so thanks for reporting this. We're constantly working to improve the analysis of packages, and Java tends to be the most complex since there are so many possible metadata locations, none of which are actually required or enforced by a packaging system.
The best workaround for now is to use a policy whitelist to remove these matches on the policy side so they don't affect the evaluation of the image. See the whitelist docs for details.
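An added example of the whitelist workaround described in the reply above (not code from the Anchore project or from this thread): a minimal policy bundle whose whitelist suppresses CVE-2020-7921 for the mongodb-driver-sync package while a vulnerability rule still stops on other high or critical findings. The bundle, policy, whitelist and mapping ids are made-up names, and the `CVE+package-name` form of `trigger_id` is an assumption to confirm against the whitelist docs and the exact package name Anchore reports for the jar.

```json
{
  "id": "mongodb-driver-fp-bundle",
  "name": "Bundle with MongoDB Java driver whitelist (added example)",
  "version": "1_0",
  "policies": [
    {
      "id": "policy-vulns",
      "name": "Stop on high or critical vulnerabilities",
      "version": "1_0",
      "comment": "Evaluation still fails on real findings; only whitelisted matches are excluded",
      "rules": [
        {
          "id": "rule-vulns-high",
          "gate": "vulnerabilities",
          "trigger": "package",
          "action": "stop",
          "params": [
            { "name": "package_type", "value": "all" },
            { "name": "severity_comparison", "value": ">=" },
            { "name": "severity", "value": "high" }
          ]
        }
      ]
    }
  ],
  "whitelists": [
    {
      "id": "wl-mongodb-driver",
      "name": "MongoDB Java driver false positives",
      "version": "1_0",
      "comment": "CVE-2020-7921 is a MongoDB server issue, not one in the Java client library",
      "items": [
        { "id": "wl-item-cve-2020-7921", "gate": "vulnerabilities", "trigger_id": "CVE-2020-7921+mongodb-driver-sync" }
      ]
    }
  ],
  "mappings": [
    {
      "id": "mapping-all",
      "name": "all images",
      "registry": "*",
      "repository": "*",
      "image": { "type": "tag", "value": "*" },
      "policy_ids": ["policy-vulns"],
      "whitelist_ids": ["wl-mongodb-driver"]
    }
  ],
  "whitelisted_images": [],
  "blacklisted_images": []
}
```

Load it with `anchore-cli policy add bundle.json` and switch to it with `anchore-cli policy activate mongodb-driver-fp-bundle`; a whitelist entry is scoped to one CVE and one package, so a match under a different CVE id or package name still fails the evaluation.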
Is this a request for help?: No
Is this a BUG REPORT or a FEATURE REQUEST? (choose one): BUG REPORT
Version of Anchore Engine and Anchore CLI if applicable: docker.io/anchore/anchore-engine:v0.7.2 anchore-cli, version 0.7.2
What happened: False detection in the MongoDB Client library. It is adding CVEs like this one, https://nvd.nist.gov/vuln/detail/CVE-2020-7921, which are for the MongoDB server, to the Java MongoDB Client, for example this one:
mongodb-driver-sync-4.0.4.jar
or to give more details:
What did you expect to happen: Test passing
Any relevant log output from /var/log/anchore: Above, an example of the detected CVE
What docker images are you using: amazoncorretto:8
How to reproduce the issue: Create a simple Java project which is using the latest Java MongoDB Client library
Anything else we need to know: No