future-architect / vuls

Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
https://vuls.io/
GNU General Public License v3.0

False positives, when OS version does not match #1297

Open echo-hey opened 3 years ago

echo-hey commented 3 years ago

Hello! My system is running on Debian 9 (Stretch) and I'm using Vuls 0.12.3. I encountered strange Vuls behavior.

First, it says that bind9 version 1:9.11.5.P4+dfsg-5.1+deb10u5 is vulnerable to CVE-2018-5740. However, the Debian security tracker says the opposite. [screenshot] Possible reason – that version of bind9 was made for Debian 10 (Buster), but I'm not sure. [screenshot]

Second, Vuls says that squid3 version 3.5.23-5+deb9u7 is vulnerable to CVE-2021-33620. However, the Debian security tracker says the opposite. [screenshot] Possible reason – that version of squid3 was made for stretch-security. [screenshot]

I would really appreciate any help with an explanation, because sometimes I have a huge number of false positives.
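The first package in the report carries a `+deb10u5` revision suffix while the host runs Debian 9, which is the kind of release mismatch a reviewer would want a scanner report flagged for before treating the finding as real. The following Go program is an added example written for this thread; it is not code from the Vuls project and does not reproduce how Vuls decides vulnerability. It splits a Debian version string into epoch, upstream and revision, extracts the `+debNuM` / `~debNuM` release suffix from the revision (the assumed convention for Debian stable and security updates), and lists findings whose suffix does not match the scanned host's major release. The two findings in `main` are constructed from the versions and CVE ids quoted above; `Finding`, `SuspectReleaseMismatch` and the other names are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// DebVersion holds the three parts of a Debian package version: [epoch:]upstream[-revision].
type DebVersion struct {
	Epoch    int
	Upstream string
	Revision string
}

// ParseDebVersion splits e.g. "1:9.11.5.P4+dfsg-5.1+deb10u5" into epoch 1,
// upstream "9.11.5.P4+dfsg" and revision "5.1+deb10u5".
func ParseDebVersion(v string) DebVersion {
	var d DebVersion
	if i := strings.Index(v, ":"); i >= 0 {
		if e, err := strconv.Atoi(v[:i]); err == nil {
			d.Epoch = e
			v = v[i+1:]
		}
	}
	// The revision is everything after the LAST hyphen; upstream may itself contain hyphens.
	if i := strings.LastIndex(v, "-"); i >= 0 {
		d.Upstream = v[:i]
		d.Revision = v[i+1:]
	} else {
		d.Upstream = v
	}
	return d
}

// Assumed convention: Debian stable/security updates append "+debNuM" (older
// backports use "~debNuM") to the revision, where N is the Debian major release.
var debSuffix = regexp.MustCompile(`[+~]deb(\d+)u(\d+)`)

// ReleaseSuffix returns the Debian major release encoded in the revision suffix,
// and false when the version carries no such suffix.
func ReleaseSuffix(v string) (int, bool) {
	m := debSuffix.FindStringSubmatch(ParseDebVersion(v).Revision)
	if m == nil {
		return 0, false
	}
	n, err := strconv.Atoi(m[1])
	if err != nil {
		return 0, false
	}
	return n, true
}

// Finding is one (package, version, CVE) line as a scanner report might list it.
type Finding struct {
	Pkg, Version, CVE string
}

// SuspectReleaseMismatch returns the findings whose package version was built for a
// different Debian release than the scanned host. Such findings deserve a manual check
// against the Debian security tracker before being counted as real vulnerabilities.
func SuspectReleaseMismatch(findings []Finding, osMajor int) []Finding {
	var out []Finding
	for _, f := range findings {
		if rel, ok := ReleaseSuffix(f.Version); ok && rel != osMajor {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	// Constructed sample modelled on the two packages named in the report; the host is Debian 9.
	const hostMajor = 9
	findings := []Finding{
		{"bind9", "1:9.11.5.P4+dfsg-5.1+deb10u5", "CVE-2018-5740"},
		{"squid3", "3.5.23-5+deb9u7", "CVE-2021-33620"},
	}
	for _, f := range SuspectReleaseMismatch(findings, hostMajor) {
		rel, _ := ReleaseSuffix(f.Version)
		fmt.Printf("%s %s (%s): built for Debian %d, host is Debian %d -> verify manually\n",
			f.Pkg, f.Version, f.CVE, rel, hostMajor)
	}
}
```

Run with `go run main.go`; only the bind9 line is printed, since its `+deb10u5` suffix does not match a Debian 9 host, while squid3's `+deb9u7` does. A version with no release suffix is left alone, because the absence of a suffix says nothing about which release it came from.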

kotakanbe commented 3 years ago

Hi, @Basilious5

We do not support older versions of Vuls, please make sure you have the latest version of Vuls to try. Please let me know if this happens with the latest version.