anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

Scan matches on similarly named package, but from different ecosystem #1779

Open supersimple opened 6 months ago

supersimple commented 6 months ago

What happened: I was alerted to a CVE issue on a package (from Hex) that has a similar name to a vulnerable package available in the iOS ecosystem. They are unrelated packages.

What you expected to happen: I was expecting not to receive a failure

How to reproduce it (as minimally and precisely as possible): Add the expo dependency to an elixir app/ Run Grype.

Anything else we need to know?: I am including a screenshot from the GH action output

Environment:

[screenshot of the GH action output]

kzantow commented 6 months ago

> Add the expo dependency to an elixir app/ Run Grype.

Hi @supersimple , would you be able to expand how to do this? ...maybe provide a sample file or some command line steps to create one that's causing the issue?

supersimple commented 5 months ago

> > Add the expo dependency to an elixir app/ Run Grype.
>
> Hi @supersimple , would you be able to expand how to do this? ...maybe provide a sample file or some command line steps to create one that's causing the issue?

Hi. The project I am working on is closed source, so I cannot share that with you, but this was a scan using the anchore/scan-action GH action, configured with defaults. Any Elixir/Phoenix app should give this warning, or a mix app that uses the expo dependency from Hex. The issue seems to be that an iOS dependency by the same name has a CVE on early versions.
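An added triage helper, not code from the issue or from Grype itself, that picks out of a Grype JSON report the matches made only by CPE/name matching against a vulnerability namespace unrelated to the package's own language (the situation described above) and turns them into package-scoped `.grype.yaml` ignore entries. The report fragment is constructed, the CVE ids are placeholders, and the field names (`matches`, `matchDetails`, `artifact.language`, `vulnerability.namespace`) are assumed to follow Grype's JSON output format.

```python
import json

# Constructed Grype JSON report fragment (not taken from the issue). Field names
# follow Grype's JSON output format as assumed here; the CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {   # Hex package "expo" hit by an NVD CPE record for a same-named package elsewhere
            "vulnerability": {"id": "CVE-0000-00001", "namespace": "nvd:cpe"},
            "matchDetails": [{"type": "cpe-match", "matcher": "stock-matcher"}],
            "artifact": {"name": "expo", "version": "0.5.0", "type": "hex", "language": "elixir"},
        },
        {   # ordinary ecosystem-specific match; must not be flagged
            "vulnerability": {"id": "CVE-0000-00002", "namespace": "github:language:elixir"},
            "matchDetails": [{"type": "exact-direct-match", "matcher": "stock-matcher"}],
            "artifact": {"name": "plug", "version": "1.0.0", "type": "hex", "language": "elixir"},
        },
    ]
})


def cross_ecosystem_matches(report_json: str) -> list[dict]:
    """Return matches made purely by CPE/name matching against a vulnerability
    namespace that is not tied to the artifact's own language."""
    flagged = []
    for m in json.loads(report_json).get("matches", []):
        art, vuln = m["artifact"], m["vulnerability"]
        lang = (art.get("language") or "").lower()
        ns = (vuln.get("namespace") or "").lower()
        details = m.get("matchDetails", [])
        only_cpe = bool(details) and all(d.get("type") == "cpe-match" for d in details)
        ecosystem_specific = bool(lang) and lang in ns
        if only_cpe and not ecosystem_specific:
            flagged.append({"package": art["name"], "type": art["type"],
                            "vulnerability": vuln["id"], "namespace": ns})
    return flagged


def ignore_rules(flagged: list[dict]) -> list[dict]:
    """Turn flagged matches into entries for the `ignore:` list of .grype.yaml,
    scoped to the exact package name and type so nothing else is silenced."""
    return [{"vulnerability": f["vulnerability"],
             "package": {"name": f["package"], "type": f["type"]}}
            for f in flagged]


if __name__ == "__main__":
    for f in cross_ecosystem_matches(SAMPLE_REPORT):
        print(f"review: {f['package']} ({f['type']}) <- {f['vulnerability']} via {f['namespace']}")
```

Feed it the output of `grype dir:. -o json`; a CPE-only match is a signal to review, not proof of a false positive, so the generated ignore entries still need a human check before being committed.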

monperrus commented 1 month ago

For the record, GitHub SBOMs are not compatible with Grype because of a name mismatch, see

https://github.com/orgs/community/discussions/131104