Open alexsuter opened 6 months ago
I think it's because GitLab has the wrong version ranges, whereas GitHub has the correct ones?
Thanks for reporting; looks like this is related to Scout, which is currently closed source, and not maintained in this repository. Issues related to Scout are best reported in https://github.com/docker/scout-cli.
I'll transfer this ticket to that issue tracker 👍
Description
Docker Scout treats jgroups@3.6.20.Final as vulnerable and reports that 4.0 has fixed the issue. But the CVE fix has been backported to 3.6.10, which is described in the CVE report in Docker Scout itself:
https://scout.docker.com/vulnerabilities/id/CVE-2016-2141/org/axonivy
Reproduce
Add jgroups 3.6.20 to the image and analyze it with docker scout.
Expected behavior
jgroups 3.6.20 should not be reported as vulnerable
docker version
docker info
Additional Info
No response