docker / scout-cli

Docker Scout CLI
https://docker.com/products/docker-scout

Redhat CVEs marked as not-fixed -- but Redhat says they are addressed? #18

Closed kmeekva closed 1 year ago

kmeekva commented 1 year ago

Just trying out SCOUT -- looks like a great tool.

But when I scan an image based on Redhat 8 it finds vulnerabilities like this one -- identified as Not Fixed:

pkg:rpm/redhatlinux/openssl@1:1.1.1k-9.el8_7?os_name=redhatlinux&os_version=8

✗ HIGH CVE-2023-0286 [Access of Resource Using Incompatible Type ('Type Confusion')]
  https://dso.docker.com/cve/CVE-2023-0286
  Affected range : >=0
  Fixed version  : not fixed
  CVSS Score     : 7.4
  CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

However, Redhat says it addressed the issue with the version of the RPM we have installed. The Redhat CVE page, https://access.redhat.com/security/cve/cve-2023-0286, refers to https://access.redhat.com/errata/RHSA-2023:1405, which on the update tab says that the CVE was addressed with version: openssl-1.1.1k-9.el8_7.x86_64.rpm

Which I think is the version identified in the scout output: pkg:rpm/redhatlinux/openssl@1:1.1.1k-9.el8_7?

Is there something I need to do to get updated CVE database for the scout scans?

The docker CVE page, https://dso.docker.com/cve/CVE-2023-0286, was last updated 3 months ago -- maybe that is the issue? It has not been updated with the Redhat solution?

Kevin
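As an added example (not Docker Scout's code and not part of the issue), the check below parses the purl from the Scout output and the RPM filename from the RHSA quoted above and compares them with a simplified rpm version comparison (no tilde/caret handling; epoch is ignored because the RPM filename carries none). It confirms the installed build is at or above the advisory's fixed build, which is why a "not fixed" verdict for this package points at stale advisory data rather than at the image.

```python
import re
from itertools import zip_longest
from urllib.parse import unquote

# Constructed from the two values quoted in the issue above.
INSTALLED_PURL = "pkg:rpm/redhatlinux/openssl@1:1.1.1k-9.el8_7?os_name=redhatlinux&os_version=8"
RHSA_FIXED_RPM = "openssl-1.1.1k-9.el8_7.x86_64.rpm"

def parse_rpm_purl(purl):
    """Return (name, epoch, version, release) from a pkg:rpm purl."""
    path = purl.split("?", 1)[0].split("#", 1)[0]   # drop qualifiers/subpath
    path = path[len("pkg:rpm/"):]
    name_part, _, evr = path.rpartition("@")
    name = unquote(name_part.rsplit("/", 1)[-1])
    evr = unquote(evr)
    epoch, _, vr = evr.rpartition(":")              # epoch may be absent
    version, _, release = vr.partition("-")
    return name, (int(epoch) if epoch else 0), version, release

def parse_rpm_filename(fname):
    """Return (name, version, release) from NAME-VERSION-RELEASE.ARCH.rpm."""
    stem = re.sub(r"\.[^.]+\.rpm$", "", fname)      # strip .ARCH.rpm
    name, version, release = stem.rsplit("-", 2)
    return name, version, release

def rpmvercmp(a, b):
    """Simplified rpm label compare: split into numeric and alpha segments;
    numeric segments compare as integers, alpha lexically, numeric > alpha,
    and the longer label wins when all shared segments are equal."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip_longest(sa, sb):
        if x is None:
            return -1
        if y is None:
            return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return (x > y) - (x < y)
    return 0

def meets_fix(installed_purl, fixed_rpm):
    """True if the installed version-release is >= the advisory's fixed build.
    Assumption: epoch is not compared, since the RPM filename omits it."""
    name, _epoch, ver, rel = parse_rpm_purl(installed_purl)
    fname, fver, frel = parse_rpm_filename(fixed_rpm)
    if name != fname:
        raise ValueError(f"package mismatch: {name} vs {fname}")
    return (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) >= 0
```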

cdupuis commented 1 year ago

@kmeekva, thanks for raising this. I can see that we are currently behind processing the RedHat advisory data. The required update is now in our data processing pipeline and will show up soon. I'll report back once we have confirmation that the data has been updated.

cdupuis commented 1 year ago

@kmeekva, the advisory data has now caught up and this CVE should not get reported any longer on your image. Would you be able to confirm this by running the docker scout command again?

kmeekva commented 1 year ago

@cdupuis, I can confirm it is no longer showing that as a vulnerability. Thanks for the quick attention to this.
Closing the issue.

cdupuis commented 1 year ago

šŸ‘šŸ½ Thanks for reporting back!