Closed gergelyfabian closed 4 months ago

It seems `docker scout sbom` finds pip packages (type `pypi`). However, security vulnerabilities are not reported for them (for `docker scout cves`). Is this intentional?

@gergelyfabian, thanks for raising this. No, this isn't intentional. Do you have an example for us to investigate?

I have debugged this further. One reason was that I was only looking at critical CVEs. These are for other levels. Then, I believe I could not see them because those are transitive CVEs.
E.g. oci==2.68.0 has cryptography as its dependency, and that package has a CVE (that is properly detected by docker scout).

Please re-open if you are still seeing issues with CVE reports on pip packages.
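The transitive case described in this thread (a CVE on `cryptography` that is only in the image because `oci==2.68.0` depends on it) is easier to explain to a team when the dependency chain is traced from the SBOM rather than guessed. The script below is an added example, not code from Docker Scout or from anyone in this thread. It assumes the SBOM is CycloneDX JSON with a `dependencies` graph (which I assume `docker scout sbom --format cyclonedx <image>` can produce); the SBOM embedded here is a constructed sample, not real scanner output, and every version except oci 2.68.0 is made up.

```python
"""Trace which direct pip dependencies pull a flagged package into an image.

Added example, not part of Docker Scout. Input: a CycloneDX JSON SBOM whose
`components` carry purls and whose `dependencies` list maps each `ref` to the
refs it `dependsOn`. Output: every chain from a direct dependency down to the
package a scanner flagged, so a CVE on a transitive package can be attributed.
"""
import json
from typing import Dict, List

# Constructed CycloneDX-style SBOM (not real scanner output). oci 2.68.0 is the
# only direct dependency; it reaches cryptography both directly and via pyopenssl.
# Versions other than oci 2.68.0 are made up for the example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:pypi/oci@2.68.0", "type": "library", "name": "oci",
         "version": "2.68.0", "purl": "pkg:pypi/oci@2.68.0"},
        {"bom-ref": "pkg:pypi/cryptography@1.0.0", "type": "library", "name": "cryptography",
         "version": "1.0.0", "purl": "pkg:pypi/cryptography@1.0.0"},
        {"bom-ref": "pkg:pypi/pyopenssl@19.1.0", "type": "library", "name": "pyopenssl",
         "version": "19.1.0", "purl": "pkg:pypi/pyopenssl@19.1.0"},
        {"bom-ref": "pkg:pypi/requests@2.31.0", "type": "library", "name": "requests",
         "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    ],
    "dependencies": [
        {"ref": "pkg:pypi/oci@2.68.0", "dependsOn": [
            "pkg:pypi/cryptography@1.0.0", "pkg:pypi/pyopenssl@19.1.0", "pkg:pypi/requests@2.31.0"]},
        {"ref": "pkg:pypi/pyopenssl@19.1.0", "dependsOn": ["pkg:pypi/cryptography@1.0.0"]},
        {"ref": "pkg:pypi/cryptography@1.0.0", "dependsOn": []},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": []},
    ],
})


def _label(component: dict) -> str:
    """pip-style 'name==version' label for a component."""
    return f"{component['name']}=={component['version']}"


def parse_sbom(sbom_json: str) -> dict:
    """Index components by bom-ref (falling back to purl) and build the edge map."""
    bom = json.loads(sbom_json)
    components: Dict[str, dict] = {}
    for comp in bom.get("components", []):
        components[comp.get("bom-ref") or comp["purl"]] = comp
    edges: Dict[str, List[str]] = {ref: [] for ref in components}
    for dep in bom.get("dependencies", []):
        edges.setdefault(dep["ref"], []).extend(dep.get("dependsOn", []))
    return {"components": components, "edges": edges}


def pypi_packages(graph: dict) -> List[str]:
    """All components whose purl type is pypi, as sorted 'name==version' labels."""
    return sorted(_label(c) for c in graph["components"].values()
                  if c.get("purl", "").startswith("pkg:pypi/"))


def direct_dependencies(graph: dict) -> List[str]:
    """Refs that nothing else depends on: the roots of the dependency graph."""
    depended_on = {dep for deps in graph["edges"].values() for dep in deps}
    return sorted(ref for ref in graph["components"] if ref not in depended_on)


def dependency_paths(graph: dict, package_name: str) -> List[List[str]]:
    """Every root-to-target chain that ends at a component named package_name.

    An empty result means the package is not in the SBOM at all; a chain of
    length 1 means it is a direct dependency; longer chains are transitive.
    """
    paths: List[List[str]] = []

    def walk(ref: str, chain: List[str], seen: frozenset) -> None:
        comp = graph["components"].get(ref)
        if comp is None or ref in seen:  # unknown ref or cycle: stop here
            return
        chain = chain + [_label(comp)]
        if comp["name"] == package_name:
            paths.append(chain)
        for dep in graph["edges"].get(ref, []):
            walk(dep, chain, seen | {ref})

    for root in direct_dependencies(graph):
        walk(root, [], frozenset())
    return paths


if __name__ == "__main__":
    graph = parse_sbom(SAMPLE_SBOM)
    print("pypi packages in SBOM:", ", ".join(pypi_packages(graph)))
    for path in dependency_paths(graph, "cryptography"):
        print("cryptography reached via:", " -> ".join(path))
```

Run against a real export, feed the scanner's flagged package name to `dependency_paths`; a chain longer than one entry is the "transitive CVE" situation from this thread, and the first entry of each chain is the direct dependency (here `oci==2.68.0`) whose upgrade or pin actually controls the vulnerable version.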