aquasecurity / microscanner

Scan your container images for package vulnerabilities with Aqua Security

False positive for libtasn1-6 4.15.0-2 on debian buster #45

Open bap2000 opened 4 years ago

bap2000 commented 4 years ago

As described here, libtasn1-6 4.13-3 in buster is vulnerable.

Install the fixed version from bullseye as below:

# Temporarily add bullseye, pull the newer libtasn1-6, then remove bullseye again
RUN /bin/echo -e 'deb http://deb.debian.org/debian bullseye main\ndeb http://deb.debian.org/debian bullseye-updates main' >> /etc/apt/sources.list && \
  apt update && \
  apt install -y libtasn1-6 && \
  sed -i -e '/bullseye/d' /etc/apt/sources.list && \
  apt update

Microscanner lists the newer fixed version in the report, but still marks it as vulnerable.

[screenshot: microscanner-report-libtasn1-6]

calebwoofenden commented 4 years ago

I am seeing a similar issue with the following:

- https://nvd.nist.gov/vuln/detail/CVE-2018-0732 - updated OpenSSL to version 1.1.1d but vulnerability still appears
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000021 - updated Git to version 2.25.0 but vulnerability still appears
- https://nvd.nist.gov/vuln/detail/CVE-2017-17522 - updated Python3 to version 3.7.4 but vulnerability still appears

I am running the scanner on Maven images from Docker Hub, which are running Debian. I'm using the following Dockerfile:

FROM maven:3-jdk-11

USER 0
RUN echo "deb http://http.us.debian.org/debian testing main" \
    >> /etc/apt/sources.list
RUN apt-get update
RUN apt-get -y install git

git can be replaced with openssl or python3 and the same issue can be observed.

I have to add the testing apt repository to get recent enough packages for these CVEs.

ocofaigh commented 4 years ago

Anyone have any joy with this? I just reported something similar: https://github.com/aquasecurity/microscanner/issues/47