docker / scout-cli

Docker Scout CLI
https://docker.com/products/docker-scout

Finding vulnerabilities in python pip packages #85

Closed gergelyfabian closed 4 months ago

gergelyfabian commented 5 months ago

It seems docker scout sbom finds pip packages (type pypi). However security vulnerabilities are not reported for them (for docker scout cves). Is this intentional?

cdupuis commented 5 months ago

@gergelyfabian, thanks for raising this. No, this isn't intentional. Do you have an example for us to investigate?

gergelyfabian commented 5 months ago

I have debugged this further. One reason was that I was only looking at critical cves. These are for other levels. Then, I believe I could not see them because those are transitive CVEs.

E.g. oci==2.68.0 has cryptography as its dependency, and that package has a CVE (that is properly detected by docker scout).
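The behaviour described in this comment (a transitive pypi dependency carrying a finding below the critical threshold) can be checked directly against the SBOM. The script below is an added example, not part of this issue thread and not Docker Scout's own code: it walks the DEPENDS_ON relationships of an SPDX JSON document of the kind docker scout sbom can emit (the --format spdx output is assumed), lists the pypi packages, and matches every package purl against an advisory table at a chosen minimum severity. The SBOM, the advisory table and its identifiers are constructed inline for the example; they are placeholders, not real advisories.

```python
import json
from collections import deque

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def _pkg(spdx_id, name, version, purl=None):
    """Build one SPDX package entry with an optional purl externalRef."""
    pkg = {"SPDXID": spdx_id, "name": name, "versionInfo": version, "externalRefs": []}
    if purl:
        pkg["externalRefs"].append({"referenceCategory": "PACKAGE-MANAGER",
                                    "referenceType": "purl",
                                    "referenceLocator": purl})
    return pkg


# Constructed SPDX 2.3 document (sample input, not real docker scout output):
# the image's app DEPENDS_ON oci==2.68.0, which DEPENDS_ON cryptography.
# libc6 is an OS package with no DEPENDS_ON edge from the app.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        _pkg("SPDXRef-app", "app", "1.0"),
        _pkg("SPDXRef-oci", "oci", "2.68.0", "pkg:pypi/oci@2.68.0"),
        _pkg("SPDXRef-cryptography", "cryptography", "3.4.8", "pkg:pypi/cryptography@3.4.8"),
        _pkg("SPDXRef-libc6", "libc6", "2.31-13", "pkg:deb/debian/libc6@2.31-13"),
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-app",
         "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-app", "relatedSpdxElement": "SPDXRef-oci",
         "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-oci", "relatedSpdxElement": "SPDXRef-cryptography",
         "relationshipType": "DEPENDS_ON"},
    ],
})

# Constructed advisory table keyed by purl; the IDs are placeholders, not CVEs.
SAMPLE_ADVISORIES = {
    "pkg:pypi/cryptography@3.4.8": [{"id": "ADV-EXAMPLE-1", "severity": "HIGH"}],
    "pkg:deb/debian/libc6@2.31-13": [{"id": "ADV-EXAMPLE-2", "severity": "CRITICAL"}],
}


def load_sbom(text):
    """Parse an SPDX JSON document."""
    return json.loads(text)


def purl_of(pkg):
    """Return the package-url of an SPDX package, or None if it has none."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return None


def pypi_packages(sbom):
    """Sorted purls of every pypi package in the SBOM."""
    purls = (purl_of(pkg) for pkg in sbom["packages"])
    return sorted(p for p in purls if p and p.startswith("pkg:pypi/"))


def dependency_paths(sbom, root_spdx_id):
    """BFS over DEPENDS_ON edges; maps each reachable SPDXID to the shortest
    chain of package names from the root, so transitive deps are explained."""
    by_id = {pkg["SPDXID"]: pkg for pkg in sbom["packages"]}
    edges = {}
    for rel in sbom.get("relationships", []):
        if rel.get("relationshipType") == "DEPENDS_ON":
            edges.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
    paths = {root_spdx_id: [by_id[root_spdx_id]["name"]]}
    queue = deque([root_spdx_id])
    while queue:
        cur = queue.popleft()
        for nxt in edges.get(cur, []):
            if nxt not in paths:  # first discovery in BFS is a shortest path
                paths[nxt] = paths[cur] + [by_id[nxt]["name"]]
                queue.append(nxt)
    return paths


def findings(sbom, advisories, min_severity="LOW"):
    """Match every package purl against the advisory table, keep entries at or
    above min_severity, and attach the dependency path from the described root
    (empty list for packages not reachable through DEPENDS_ON, e.g. OS packages)."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    roots = [r["relatedSpdxElement"] for r in sbom.get("relationships", [])
             if r.get("relationshipType") == "DESCRIBES"]
    paths = {}
    for root in roots:
        paths.update(dependency_paths(sbom, root))
    out = []
    for pkg in sbom["packages"]:
        purl = purl_of(pkg)
        for adv in advisories.get(purl, []):
            if SEVERITY_RANK[adv["severity"]] >= threshold:
                out.append({"purl": purl, "id": adv["id"], "severity": adv["severity"],
                            "path": paths.get(pkg["SPDXID"], [])})
    return sorted(out, key=lambda f: f["purl"])


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SPDX)
    print("pypi packages:", pypi_packages(sbom))
    for level in ("CRITICAL", "HIGH"):
        print(f"findings at >= {level}:")
        for f in findings(sbom, SAMPLE_ADVISORIES, level):
            print(f"  {f['severity']:<8} {f['id']:<14} {f['purl']}  via {' -> '.join(f['path']) or '(os package)'}")
```

Run with the CRITICAL threshold the cryptography finding disappears even though the package is in the SBOM, which is the effect a critical-only filter such as docker scout cves --only-severity critical has; at HIGH it appears with the path app -> oci -> cryptography, showing that it is reported through the transitive dependency rather than through a direct one.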

cdupuis commented 4 months ago

Please re-open if you are still seeing issues with CVE reports on pip packages.