False Positive dotnet NLog - CVE-1999-1278

[snakefoot]

What happened:
Scanner report:

NAME                        INSTALLED                 FIXED-IN  TYPE       VULNERABILITY     SEVERITY   
NLog                        5.0.5                               dotnet     CVE-1999-1278     High        

What you expected to happen:

• CVE-1999-1278 for NLog-CGI-scripts should not be reported for NLog-dotnet (Notice dotnet NLog v1.0 was released 2006, little after 1999)

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:

[tgerla]

Hi @snakefoot, sorry for the very long delay replying. We have made a bunch of improvements in various area here. Are you in a position to try to reproduce this false positive on the latest version of Grype? We would be happy to look into it. Or, we can just close this issue. Thanks!

[snakefoot]

@tgerla Believe the issue was reported by a NLog user, and I was just the messenger. Feel free to close the issue if NLog-dotnet is no longer reported as security issue.

[willmurphyscode]

Hi @snakefoot, thanks for the update. Since we don't have a direct report that this is still happening, and since most of our cross-ecosystem false positives (like thinking a dotnet library was vulnerable to a vulnerability disclosed about some perl CGI scripts) were fixed by turning off CPE matching by default (see https://anchore.com/blog/say-goodbye-to-false-positives/) I'm going to close the issue.

If you find out this is still an issue, please feel free to re-open or file a new report. Thanks!