anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

Displaying disputed CVE #2202

Closed levpachmanov closed 3 days ago

levpachmanov commented 1 week ago

What happened: I scanned the latest CentOS 7 docker image:

> grype -q centos:centos7 | grep CVE-2019-1010022
glibc                        2.17-317.el7           (won't fix)               rpm   CVE-2019-1010022  Critical  
glibc-common                 2.17-317.el7           (won't fix)               rpm   CVE-2019-1010022  Critical 

What you expected to happen: CVE-2019-1010022 was disputed, as it's not a vulnerability. References:

How to reproduce it (as minimally and precisely as possible): Scan the latest CentOS 7 container - grype -q centos:centos7 | grep CVE-2019-1010022

Anything else we need to know?: No

Environment: grype 0.81.0

kzantow commented 3 days ago

Hey @levpachmanov -- thanks for the report. We tried to reproduce this, but it seems the latest Grype is correctly excluding this vulnerability. As such, I'm going to close this issue, but please do let us know if you continue to see the problem!

levpachmanov commented 2 days ago

@kzantow it was resolved, thank you!