
Scan matches on similarly named package, but from different ecosystem #1779

Open
supersimple opened this issue Apr 2, 2024 · 2 comments
Labels: bug (Something isn't working)

Comments

@supersimple

What happened:
I was alerted to a CVE issue on a package (from Hex) that has a similar name to a vulnerable package available in the iOS ecosystem. They are unrelated packages.

What you expected to happen:
I was expecting not to receive a failure.

How to reproduce it (as minimally and precisely as possible):
Add the expo dependency to an Elixir app / Run Grype.

Anything else we need to know?:
I am including a screenshot from the GH action output.

Environment:

  • Output of grype version:
    • [info] using release tag='v0.74.4' version='0.74.4' os='linux' arch='amd64'
  • OS (e.g: cat /etc/os-release or similar):
    • [info] using release tag='v0.74.4' version='0.74.4' os='linux' arch='amd64'

[screenshot of the GH action output, not reproduced here]

supersimple added the bug label Apr 2, 2024
@kzantow
Contributor

kzantow commented Apr 2, 2024

Add the expo dependency to an Elixir app / Run Grype.

Hi @supersimple, would you be able to expand on how to do this? Maybe provide a sample file or some command line steps to create one that's causing the issue?

@supersimple
Author

Add the expo dependency to an Elixir app / Run Grype.

Hi @supersimple, would you be able to expand on how to do this? Maybe provide a sample file or some command line steps to create one that's causing the issue?

Hi.
The project I am working on is closed source, so I cannot share that with you, but this was a scan using the anchore/scan-action GH action, configured with defaults. Any Elixir/Phoenix app should give this warning, or a mix app that uses the expo dependency from Hex.
The issue seems to be that an iOS dependency by the same name has a CVE on early versions.
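A triage check for the kind of cross-ecosystem match described in the reproduction steps and in the closing remark above, added here as an example and not code from the Grype project: it reads a Grype JSON report and flags matches where the advisory namespace names a different language than the matched package, or where the match came from a CPE comparison (which carries only a product name, never an ecosystem). The report is a constructed sample; the field names (`matches[].artifact`, `matches[].vulnerability.namespace`, `matches[].matchDetails[].type`) and the Elixir/Erlang alias are assumptions.

```python
import json

# Assumed alias table: Hex packages are written in Elixir or Erlang and
# advisories for them are filed under the Erlang ecosystem.
LANG_ALIASES = {"elixir": "erlang"}

# Constructed sample shaped like a Grype JSON report (field names assumed).
# Match 1: advisory from another language ecosystem. Match 2: CPE-based
# match on a language package. Match 3: ecosystems agree, so it is kept.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "EXAMPLE-0001", "namespace": "github:language:swift"},
     "matchDetails": [{"type": "exact-direct-match"}],
     "artifact": {"name": "expo", "version": "0.4.0", "type": "hex", "language": "elixir"}},
    {"vulnerability": {"id": "EXAMPLE-0002", "namespace": "nvd:cpe"},
     "matchDetails": [{"type": "cpe-match"}],
     "artifact": {"name": "expo", "version": "0.4.0", "type": "hex", "language": "elixir"}},
    {"vulnerability": {"id": "EXAMPLE-0003", "namespace": "github:language:erlang"},
     "matchDetails": [{"type": "exact-direct-match"}],
     "artifact": {"name": "expo", "version": "0.4.0", "type": "hex", "language": "elixir"}},
]})


def ecosystem_of(namespace: str):
    """Language part of a 'github:language:<lang>' namespace, else None
    (for example 'nvd:cpe' has no language ecosystem)."""
    parts = namespace.split(":")
    if len(parts) == 3 and parts[0] == "github" and parts[1] == "language":
        return parts[2]
    return None


def suspicious_matches(report_json: str):
    """Return (vuln id, package, reason) for matches that deserve a review
    before they are allowed to fail a pipeline."""
    flagged = []
    for m in json.loads(report_json).get("matches", []):
        art, vuln = m["artifact"], m["vulnerability"]
        pkg_lang = art.get("language", "")
        pkg_lang = LANG_ALIASES.get(pkg_lang, pkg_lang)
        adv_lang = ecosystem_of(vuln.get("namespace", ""))
        kinds = {d.get("type") for d in m.get("matchDetails", [])}
        if adv_lang and adv_lang != pkg_lang:
            flagged.append((vuln["id"], art["name"],
                            f"advisory ecosystem '{adv_lang}' != package language '{pkg_lang}'"))
        elif "cpe-match" in kinds and pkg_lang:
            flagged.append((vuln["id"], art["name"],
                            "CPE match on a language package: name only, no ecosystem"))
    return flagged


if __name__ == "__main__":
    for vuln_id, name, reason in suspicious_matches(SAMPLE_REPORT):
        print(f"{vuln_id} on {name}: {reason}")
```

Run it against `grype -o json` output to get a short list of matches to inspect rather than suppressing them blindly; a match that passes both checks still needs the normal version-range review.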
