False Positive: CVE-2023-42282 not affected in SUSE ecosystem. #1813
Labels
bug
Something isn't working
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What happened:
Scan on custom image and get this vulnerability reported:
ip 2.0.0 2.0.1 npm GHSA-78xj-cgh5-2h22 Medium
Issue: "GHSA-78xj-cgh5-2h22" ------> "CVE-2023-42282"
:
"locations": [
{
"path": "/usr/lib64/node_modules/npm18/node_modules/ip/package.json",
"layerID": "sha256:8cbcaaf005a84d63ae8755f21c3504fd224b9fcc1fa6ea021b30938e6065f3a9"
}
What you expected to happen:
As per SUSE Advisory, there is no CVE-2023-42282 found.
Therefore, the CVE is not apply for SUSE ecosystem.
Grype should not report this vulnerability.
It seems that vulnerability is solely based on NVD CPE regardless argument "--distro sles:15.5" is provided to Grype.
How to reproduce it (as minimally and precisely as possible):
Build a test SUSE image and install with this package npm18-18.18.2-150400.9.15.1.x86_64
Anything else we need to know?:
Environment:
grype version: grype 0.74.7cat /etc/os-releaseor similar):NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
The text was updated successfully, but these errors were encountered: