Open supersimple opened 6 months ago
> Add the expo dependency to an Elixir app / Run Grype.

Hi @supersimple, would you be able to expand on how to do this? ...maybe provide a sample file or some command line steps to create one that's causing the issue?
Hi. The project I am working on is closed source, so I cannot share that with you, but this was a scan using the anchore/scan-action GH action, configured with defaults. Any Elixir/Phoenix app should give this warning, or a mix app that uses the expo dependency from Hex. The issue seems to be that an iOS dependency by the same name has a CVE on early versions.
For the record, GitHub SBOMs are not compatible with Grype because of name mismatch, see
What happened: I was alerted to a CVE issue on a package (from Hex) that has a similar name to a vulnerable package available in the iOS ecosystem. They are unrelated packages.
What you expected to happen: I was expecting not to receive a failure
How to reproduce it (as minimally and precisely as possible): Add the expo dependency to an Elixir app / Run Grype.
Anything else we need to know?: I am including a screenshot from the GH action output
Environment:
- Output of `grype version`:
- OS (e.g. `cat /etc/os-release` or similar):
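Until the matcher distinguishes the Hex package from the iOS one, the usual way to keep this false positive from failing the scan is a Grype ignore rule scoped to the package type, so only the Hex `expo` package is excluded and a genuine finding against any other package named `expo` would still be reported. This is an added example, not from the issue; the CVE id is a placeholder because the report does not name it.

```yaml
# .grype.yaml (checked into the scanned repository, or passed with --config)
ignore:
  - vulnerability: CVE-YYYY-NNNNN   # placeholder: the id Grype reported for the iOS "expo" package
    package:
      name: expo
      type: hex                     # limit the rule to the Elixir/Hex package, not other ecosystems
```

Run the scan once with `--show-suppressed` to confirm the match is now listed as ignored rather than silently missing.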