PHP pecl redis mixes with redis project itself and creates false positive cve #1804

Open
shyim opened this issue Apr 14, 2024 · 0 comments
Labels
bug Something isn't working

Comments


shyim commented Apr 14, 2024

What happened:

Scanning a PHP docker image with the Redis PHP extension shows a lot of vulnerabilities.

```text
redis                         6.0.2                 php-pecl   CVE-2022-24834       High
redis                         6.0.2                 php-pecl   CVE-2022-24735       High
redis                         6.0.2                 php-pecl   CVE-2021-41099       High
redis                         6.0.2                 php-pecl   CVE-2021-32762       High
redis                         6.0.2                 php-pecl   CVE-2021-32687       High
redis                         6.0.2                 php-pecl   CVE-2021-32675       High
redis                         6.0.2                 php-pecl   CVE-2021-32628       High
redis                         6.0.2                 php-pecl   CVE-2021-32627       High
redis                         6.0.2                 php-pecl   CVE-2021-32626       High
redis                         6.0.2                 php-pecl   CVE-2023-28856       Medium
redis                         6.0.2                 php-pecl   CVE-2023-25155       Medium
redis                         6.0.2                 php-pecl   CVE-2022-36021       Medium
redis                         6.0.2                 php-pecl   CVE-2022-35977       Medium
redis                         6.0.2                 php-pecl   CVE-2022-24736       Medium
redis                         6.0.2                 php-pecl   CVE-2021-32672       Medium
redis                         6.0.2                 php-pecl   CVE-2021-31294       Medium
redis                         6.0.2                 php-pecl   CVE-2023-45145       Low
redis                         6.0.2                 php-pecl   CVE-2022-3647        Low
```

These CVEs are associated with redis-server, not the PHP extension.

I have no idea if this is a problem with Grype or the vulnerability database 🤔

What you expected to happen:

Don't show these records

How to reproduce it (as minimally and precisely as possible):

```shell
grype shopware/docker-base:8.3
```

Anything else we need to know?:

Environment:

  • Output of `grype version`:

```text
Application:         grype
Version:             0.75.0
BuildDate:           2024-04-04T16:02:59Z
GitCommit:           57af1c34cb7db17824eac983cc6ae6945db47c88
GitDescription:      v0.75.0
Platform:            linux/amd64
GoVersion:           go1.21.8
Compiler:            gc
Syft Version:        v1.1.1
Supported DB Schema: 5
```
  • OS (e.g: cat /etc/os-release or similar):
@shyim shyim added the bug Something isn't working label Apr 14, 2024
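A triage helper for the situation described in the report above, written as an added example for this page; it is not code from the issue author or from the Grype project. It reads a Grype JSON report (`grype -o json`), pulls out every match against a `php-pecl` package named `redis`, and renders package-scoped `ignore:` rules for a `.grype.yaml` so the phpredis extension stops matching redis-server CVEs while a real `redis` package of another type in the same image would still be reported. Assumptions: the `matches[].vulnerability.id`, `matches[].artifact.{name,version,type}` and `matches[].matchDetails[].type` field names are those of Grype's JSON output as I know them (check them against your Grype version), the `ignore` rule keys `vulnerability` and `package.{name,version,type}` are those documented for Grype's config, and the embedded report is constructed for the example (the `EXAMPLE-0001` id is a placeholder, not a real CVE).

```python
"""Triage helper for Grype JSON output (grype -o json).

Assumed: a php-pecl package named "redis" is the phpredis client
extension, not redis-server, so every match on it is a candidate
false positive to review and, once confirmed, suppress with a
package-scoped ignore rule rather than a bare CVE-wide one.
"""
import json

# Constructed sample in the shape of grype's JSON report. Field names
# follow grype's matches[].vulnerability / matches[].artifact layout as
# assumed in the lead-in; the values are made up. Two of the CVEs from
# the issue plus one unrelated match that must be left alone
# ("EXAMPLE-0001" is a placeholder id, not a real CVE).
SAMPLE_REPORT = json.dumps({
    "matches": [
        {
            "vulnerability": {"id": "CVE-2022-24834", "severity": "High",
                              "namespace": "nvd:cpe"},
            "matchDetails": [{"type": "cpe-match"}],
            "artifact": {"name": "redis", "version": "6.0.2",
                         "type": "php-pecl"},
        },
        {
            "vulnerability": {"id": "CVE-2021-32627", "severity": "High",
                              "namespace": "nvd:cpe"},
            "matchDetails": [{"type": "cpe-match"}],
            "artifact": {"name": "redis", "version": "6.0.2",
                         "type": "php-pecl"},
        },
        {
            "vulnerability": {"id": "EXAMPLE-0001", "severity": "Medium",
                              "namespace": "debian:distro:debian:12"},
            "matchDetails": [{"type": "exact-direct-match"}],
            "artifact": {"name": "libssl3", "version": "3.0.11-1",
                         "type": "deb"},
        },
    ]
})


def load_report(text):
    """Parse a grype JSON report from a string."""
    return json.loads(text)


def suspect_matches(report, pkg_name="redis", pkg_type="php-pecl"):
    """Return every match whose artifact is the php-pecl 'redis' package.

    Each entry records the CVE id, severity, installed version and the
    set of match types grype reported (a 'cpe-match' on a generic
    cpe:2.3:a:redis:redis CPE is the pattern to look for when reviewing
    these); results are sorted by CVE id for stable output.
    """
    out = []
    for m in report.get("matches", []):
        art = m.get("artifact", {})
        if art.get("name") != pkg_name or art.get("type") != pkg_type:
            continue
        vuln = m.get("vulnerability", {})
        out.append({
            "cve": vuln.get("id", ""),
            "severity": vuln.get("severity", "Unknown"),
            "version": art.get("version", ""),
            "match_types": sorted({d.get("type", "")
                                   for d in m.get("matchDetails", [])}),
        })
    return sorted(out, key=lambda r: r["cve"])


def ignore_rules_yaml(suspects, pkg_name="redis", pkg_type="php-pecl"):
    """Render an 'ignore:' section for .grype.yaml.

    Every rule is scoped to package name, version and type, so the
    suppression covers only the PHP extension: a redis-server package
    of another type (deb, apk, binary) in the same image is still
    reported for the same CVE.
    """
    lines = ["ignore:"]
    for s in suspects:
        lines += [
            f"  - vulnerability: {s['cve']}",
            "    package:",
            f"      name: {pkg_name}",
            f"      version: {s['version']}",
            f"      type: {pkg_type}",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = suspect_matches(load_report(SAMPLE_REPORT))
    for s in found:
        print(f"{s['cve']:<16} {s['severity']:<8} match={','.join(s['match_types'])}")
    print(ignore_rules_yaml(found))
```

In practice run `grype shopware/docker-base:8.3 -o json > report.json`, feed that file to `load_report`, review the listed matches against the CVE descriptions (all of the ones in the issue describe redis-server behaviour), then paste the rendered section into `.grype.yaml` next to the scan. Keeping the rules scoped by `type` and `version` means they expire naturally when the extension is upgraded and never hide a genuine redis-server finding.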