When an image contains two different versions of the same package (eg. guava@29.0-jre and guava@31.0-jre) that contain the same CVEs, and you run the following command:
The issue is that the relationship between the rule (ie. CVE) and the purl is one-to-one in this output, when really a CVE can be present in more than one purl (in this case pkg:maven/com.google.guava/guava@29.0-jre and pkg:maven/com.google.guava/guava@31.0-jre).
The other problem is that the purl in the rule properties seems to be chosen at random leading to inconsistent results. In this example, when the scan is run multiple times, sometimes it picks guava@29.0-jre and other times it picks guava@31.0-jre. This inconsistency is exacerbated when the packages contain more than one CVE and some of the purls are one version, and others are the other version.
When an image contains two different versions of the same package (eg.
guava@29.0-jre
andguava@31.0-jre
) that contain the same CVEs, and you run the following command:the SARIF output will look something like the following (some properties omitted):
The issue is that the relationship between the rule (ie. CVE) and the
purl
is one-to-one in this output, when really a CVE can be present in more than onepurl
(in this casepkg:maven/com.google.guava/guava@29.0-jre
andpkg:maven/com.google.guava/guava@31.0-jre
).The other problem is that the
purl
in the rule properties seems to be chosen at random leading to inconsistent results. In this example, when the scan is run multiple times, sometimes it picksguava@29.0-jre
and other times it picksguava@31.0-jre
. This inconsistency is exacerbated when the packages contain more than one CVE and some of thepurl
s are one version, and others are the other version.