Possible False Positive for CVE-2016-1000027 #879
Labels: bug (Something isn't working), changelog-ignore (Don't include this issue in the release changelog), false-positive
What happened:
I checked my docker image with syft and grype. The following vulnerability was reported:
spring-core 5.3.15 java-archive CVE-2016-1000027 Critical
What you expected to happen:
If I understand it correctly, this is not a vulnerability of Spring Core. It is based on deserialization of untrusted data in Java, as stated here: spring-projects/spring-framework#24434 (comment)
How to reproduce it (as minimally and precisely as possible):
Use spring-boot-starter 2.5.9
Anything else we need to know?:
Environment:
Application: grype
Version: 0.46.0
Syft Version: v0.53.4
BuildDate: 2022-08-04T14:48:21Z
GitCommit: c755c73
GitDescription: v0.46.0
Platform: linux/amd64
GoVersion: go1.18.4
Compiler: gc
Supported DB Schema: 4
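While a report like this is being triaged, a scanner user usually wants the finding suppressed only for the exact package it was raised against, and only in a form that still leaves an audit trail. The following `.grype.yaml` fragment is an added example written for this page (not part of the issue or of the grype project's own documentation); it assumes the file is placed in the directory where `grype` is invoked and that the match should be ignored only for the package coordinates shown in the report above.

```yaml
# .grype.yaml (added example; not from the issue or the grype project)
# Suppress only the one match reported above, scoped to the exact package so that
# any other spring-core version or any other CVE is still reported.
ignore:
  - vulnerability: CVE-2016-1000027
    package:
      name: spring-core
      version: 5.3.15        # from the scan line in the report; widen deliberately, not by default
      type: java-archive
```

Scoping the rule to `name`, `version` and `type` is the point of the example: a bare `vulnerability: CVE-2016-1000027` entry would silence the finding for every package in every image scanned from that directory, whereas the narrow rule expires naturally when the dependency is upgraded and the version no longer matches. Ignored matches are not dropped silently; in grype's JSON output they are listed separately from active matches, so a reviewer can still see which rule was applied and why.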