bug(redhat): Trivy doesn't skip vulnerability from CVE-ID if package version is not affected for RHSA-ID of this vulnerability #8061
Labels: kind/bug, scan/vulnerability
Description
There are cases when both a CVE-ID and an RHSA-ID contain info about a vulnerable package for the same CPE.
e.g. CVE-2024-45491 and RHSA-2024:6989 (see 1714). Trivy already has logic to avoid this issue:
trivy/pkg/detector/ospkg/redhat/redhat.go, lines 147 to 155 in 983ac15
But it doesn't work if pkg.Version > fixedVersion from the RHSA.
Discussed in #8059
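The check the report asks for, as an added example that is not Trivy's code: an rpmvercmp-style version comparison (epoch and tilde handling omitted) and a filter that drops the bare CVE-ID finding whenever the installed version is at or above the version the RHSA fixed it in, not only when the two are equal. The `rhsaFixes` map and the version strings are constructed for the example.

```go
package main

import (
	"cmp"
	"strings"
)

func digit(c byte) bool { return c >= '0' && c <= '9' }
func alnum(c byte) bool { return digit(c) || c|0x20 >= 'a' && c|0x20 <= 'z' }
// segments splits v into maximal runs of digits or of letters, dropping
// separators, the way rpmvercmp does (epoch and tilde handling omitted).
func segments(v string) (out []string) {
	for i, j := 0, 0; i < len(v); i = j {
		for j = i + 1; j < len(v) && alnum(v[i]) && alnum(v[j]) && digit(v[j]) == digit(v[i]); j++ {
		}
		if alnum(v[i]) {
			out = append(out, v[i:j])
		}
	}
	return out
}

// compareRPM orders two version-release strings like rpmvercmp (-1, 0 or 1).
func compareRPM(a, b string) int {
	as, bs := segments(a), segments(b)
	for i := 0; i < len(as) && i < len(bs); i++ {
		x, y := as[i], bs[i]
		if digit(x[0]) != digit(y[0]) { // a numeric segment outranks an alphabetic one
			return -cmp.Compare(x[0], y[0])
		}
		if digit(x[0]) { // numeric: drop leading zeros, then the longer number is larger
			x, y = strings.TrimLeft(x, "0"), strings.TrimLeft(y, "0")
			if c := cmp.Compare(len(x), len(y)); c != 0 {
				return c
			}
		}
		if c := strings.Compare(x, y); c != 0 {
			return c
		}
	}
	return cmp.Compare(len(as), len(bs)) // more segments wins a tie
}

// affected reports whether installed still warrants a finding for cve, given
// the version an RHSA fixed it in (constructed map). The package is clear once
// it reaches OR exceeds that version, so the CVE-ID entry is dropped too.
func affected(cve, installed string, rhsaFixes map[string]string) bool {
	fix, ok := rhsaFixes[cve]
	return !ok || compareRPM(installed, fix) < 0
}
```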