anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

False positive: CVE-2019-17571 and CVE-2022-23305 related to Log4j #1297

Closed sekveaja closed 1 year ago

sekveaja commented 1 year ago

What happened:

Grype reports CVE-2019-17571 and CVE-2022-23305, which are related to Log4j 1.2 to 1.2.17. We integrate with Log4j 2.x; therefore, it is not related to the above CVEs.

What you expected to happen:

Grype should not report those CVEs with Log4j 2.x.

How to reproduce it (as minimally and precisely as possible):

Integrate Log4j 2.x.

Environment:

willmurphyscode commented 1 year ago

Hi @sekveaja,

Thanks for reporting this issue! I'm trying to reproduce it, but I could use some more information. Can you post a link to a public artifact that exhibits the false positive? For example, you could post a link to a particular jar on maven, or a public Docker image, or comment with a Dockerfile or short script? Thanks!

willmurphyscode commented 1 year ago

Hi @sekveaja, thanks for reporting this issue! I haven't been able to reproduce it with the information given. If you still believe it's important for us to investigate this, please let us know how to reproduce it. Thanks!
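Added example, not grype's own code and not posted in this thread: a small triage script over a `grype -o json` report that separates the two CVEs from the report by whether the matched artifact is a 1.x or a 2.x log4j jar, which is the information a maintainer would need alongside a reproducible artifact. The sample report is constructed here, and the JSON field names it reads (`matches[].vulnerability.id`, `matches[].artifact.name/version/purl`) are assumed to match the shape of grype's JSON output.

```python
import json
from typing import Dict, List

# The two CVEs from the report; both concern log4j 1.2 through 1.2.17.
LOG4J1_CVES = {"CVE-2019-17571", "CVE-2022-23305"}

# Constructed sample in the shape of `grype -o json` output (assumption: these
# field names match grype's JSON schema; only the fields used here are shown).
SAMPLE_GRYPE_JSON = """
{
  "matches": [
    {
      "vulnerability": {"id": "CVE-2019-17571", "severity": "Critical"},
      "artifact": {"name": "log4j-core", "version": "2.17.1", "type": "java-archive",
                   "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}
    },
    {
      "vulnerability": {"id": "CVE-2022-23305", "severity": "Critical"},
      "artifact": {"name": "log4j", "version": "1.2.17", "type": "java-archive",
                   "purl": "pkg:maven/log4j/log4j@1.2.17"}
    },
    {
      "vulnerability": {"id": "CVE-2021-44228", "severity": "Critical"},
      "artifact": {"name": "log4j-core", "version": "2.14.1", "type": "java-archive",
                   "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}
    }
  ]
}
"""


def major_version(version: str) -> int:
    """Return the leading integer of a version string, or -1 if it has none."""
    head = version.split(".")[0]
    return int(head) if head.isdigit() else -1


def triage_log4j_matches(report: str) -> Dict[str, List[str]]:
    """Bucket log4j 1.x CVE matches: 'suspect' when the matched artifact is a
    2.x jar (the case reported above), 'valid' when it really is a 1.x jar
    (a 2.x integration can still ship a stray log4j 1.x jar, which the scanner
    is right to flag). Findings for other CVEs are left untouched."""
    result: Dict[str, List[str]] = {"suspect": [], "valid": []}
    for match in json.loads(report)["matches"]:
        cve = match["vulnerability"]["id"]
        if cve not in LOG4J1_CVES:
            continue
        artifact = match["artifact"]
        key = f"{cve} {artifact['purl']}"
        bucket = "suspect" if major_version(artifact["version"]) >= 2 else "valid"
        result[bucket].append(key)
    return result


if __name__ == "__main__":
    for bucket, hits in triage_log4j_matches(SAMPLE_GRYPE_JSON).items():
        print(bucket, hits)
```

The `suspect` list is what to attach to a report like this one, together with the image or jar it came from, so the match can be reproduced.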