From 9b02ce06e5ce2a9955e01b3d37bc401af12c7832 Mon Sep 17 00:00:00 2001
From: Weston Steimel
Date: Thu, 3 Aug 2023 17:59:13 +0000
Subject: [PATCH] chore: adjust CVE-2008-1145 for Ruby Webrick to FP (#86)
https://nvd.nist.gov/vuln/detail/CVE-2008-1145 currently uses ruby versions in the webrick CPE, leading to incorrect matches. It should really look more like https://nvd.nist.gov/vuln/detail/CVE-2009-4492 and I have submitted an update request to NVD for it.
Signed-off-by: Weston Steimel
---
.../26eda503-0920-4cdc-951c-3fa0a7c1a92f.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/labels/docker.io+gitlab+gitlab-ce@sha256:04d4219d5dfb3acccc9997e50477c8d24b371387a95857e1ea8fc779e17a716c/26eda503-0920-4cdc-951c-3fa0a7c1a92f.json b/labels/docker.io+gitlab+gitlab-ce@sha256:04d4219d5dfb3acccc9997e50477c8d24b371387a95857e1ea8fc779e17a716c/26eda503-0920-4cdc-951c-3fa0a7c1a92f.json
index b9decb22..bf64e661 100644
--- a/labels/docker.io+gitlab+gitlab-ce@sha256:04d4219d5dfb3acccc9997e50477c8d24b371387a95857e1ea8fc779e17a716c/26eda503-0920-4cdc-951c-3fa0a7c1a92f.json
+++ b/labels/docker.io+gitlab+gitlab-ce@sha256:04d4219d5dfb3acccc9997e50477c8d24b371387a95857e1ea8fc779e17a716c/26eda503-0920-4cdc-951c-3fa0a7c1a92f.json
@@ -1 +1 @@
-{"ID": "26eda503-0920-4cdc-951c-3fa0a7c1a92f", "effective_cve": "CVE-2008-1145", "image": {"exact": "docker.io/gitlab/gitlab-ce@sha256:04d4219d5dfb3acccc9997e50477c8d24b371387a95857e1ea8fc779e17a716c"}, "label": "TP", "package": {"name": "webrick", "version": "1.6.1"}, "timestamp": "2022-12-09T21:03:25+00:00", "tool": "grype@v0.53.1", "user": "westonsteimel", "vulnerability_id": "CVE-2008-1145"}
\ No newline at end of file
+{"ID": "26eda503-0920-4cdc-951c-3fa0a7c1a92f", "effective_cve": "CVE-2008-1145", "image": {"exact": "docker.io/gitlab/gitlab-ce@sha256:04d4219d5dfb3acccc9997e50477c8d24b371387a95857e1ea8fc779e17a716c"}, "label": "FP", "note": "Only affects webrick 1.3.1 as bundled in very old ruby releases. The NVD entry erroneously added the ruby versions in the webrick CPE. Correction submitted, so hopefully they'll update it", "package": {"name": "webrick", "version": "1.6.1"}, "timestamp": "2022-12-09T21:03:25+00:00", "tool": "grype@v0.53.1", "user": "westonsteimel", "vulnerability_id": "CVE-2008-1145"}
\ No newline at end of file
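Review bot: The new `note` on the added line mixes the durable justification with a status update (`Correction submitted, so hopefully they'll update it`) that goes stale as soon as NVD responds, and it gives a later auditor nothing to check the FP decision against. Because this label turns a scanner match into an expected non-match, I would keep only the verifiable part and cite the comparison the commit message already uses, e.g. `"note": "NVD lists ruby versions under the webrick CPE for this CVE, so webrick 1.6.1 matches incorrectly (compare CVE-2009-4492). Only affects webrick 1.3.1 as bundled in very old ruby releases."`. Separately, `timestamp` and `tool` are carried over unchanged from the original TP record; if those fields are meant to describe when and against which tool output the judgment was made, they now misdate the relabel, which is worth confirming against the label schema.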