Grype is hitting a false positive on the "vault" ruby gem which has the latest version of 0.6.0 ( https://rubygems.org/gems/vault/versions/0.6.0 ) - I am assuming it thinks that this is the Hashicorp Vault software installation.
```
NAME   INSTALLED  FIXED-IN                                                TYPE  VULNERABILITY   SEVERITY
vault  0.17.0     1.6.3                                                   gem   CVE-2021-27668  Medium
vault  0.17.0     1.8.4, 1.8.4, 1.7.5, 1.7.5                              gem   CVE-2021-41802  Medium
vault  0.17.0     1.3.2                                                   gem   CVE-2020-7220   High
vault  0.17.0     1.7.1, 1.7.1, 1.6.4, 1.6.4                              gem   CVE-2021-27400  High
vault  0.17.0     1.7.2, 1.6.5, 1.5.9, 1.6.5, 1.7.2, 1.5.9                gem   CVE-2021-32923  High
vault  0.17.0     1.8.0, 1.8.0                                            gem   CVE-2021-38554  Medium
vault  0.17.0     1.5.7, 1.5.7, 1.6.2, 1.6.2                              gem   CVE-2021-3024   Medium
vault  0.17.0     1.4.2, 1.3.6, 1.4.2, 1.3.6                              gem   CVE-2020-13223  High
vault  0.17.0     1.2.5, 1.2.5, 1.3.8, 1.3.8, 1.4.4, 1.4.4, 1.5.1, 1.5.1  gem   CVE-2020-16250  Critical
vault  0.17.0     1.5.7, 1.5.7, 1.6.2, 1.6.2                              gem   CVE-2020-25594  Medium
vault  0.17.0     1.0.0                                                   gem   CVE-2018-19786  High
vault  0.17.0     1.2.5, 1.3.8, 1.4.4, 1.5.1, 1.2.5, 1.3.8, 1.4.4, 1.5.1  gem   CVE-2020-16251  Critical
```
What you expected to happen:
Grype should not be seeing a vault ruby gem and thinking it's
How to reproduce it (as minimally and precisely as possible):
An example of the Chef Development Kit Docker image we build that is failing the scan
Hi @isuftin, I'm no longer able to reproduce this. What I've tried:
making a Dockerfile just as in your original post (but adding --platform=linux/amd64 on the FROM line, since I am on M1 mac), and a requirements.txt just in case, and running docker build . -t grype898 in that directory. The apt-get install command fails, even after a bit of troubleshooting. Maybe some packages are no longer available?
making an empty ruby project that depends on the vault gem directly:
But in this directory, running bundle install, and then grype dir:. prints No vulnerabilities found.
If you believe this is still an issue, would you mind providing a link to an artifact that would let us reproduce it, such as a link to a public container image or repository that exhibits the false positive, or maybe a new Dockerfile or script that produces such an artifact? Thanks!
Hi @isuftin, thanks for reporting this issue! I haven't been able to reproduce it, so I'm marking it as closed. (Also, it seems possible it's a duplicate of #244). If you believe we should be investigating this issue specifically, would you mind providing steps on how we can reproduce it? Thanks!
Just for completeness' sake, requirements.txt:
Anything else we need to know?:
Environment:
- Output of `grype version`:
- OS (e.g. `cat /etc/os-release` or similar): This is being run on a GitLab runner within a Docker image we create for Grype using alpine:3.16
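The false positive reported above is a name collision: the `vault` gem is being matched against CVEs that describe HashiCorp Vault, whose fixed versions (1.x) are nowhere near the gem's installed 0.17.0. The triage script below is an added example, not part of this issue or of Grype's code base; it reads `grype -o json` output and flags language-package matches that came in through CPE matching rather than the ecosystem's own advisory feed. The JSON field names (`matches[].artifact`, `matches[].vulnerability.namespace`, `fix.versions`, `matchDetails[].type`) and the `.grype.yaml` ignore-rule shape are assumptions based on Grype's documented format, and the report is constructed from the table above plus one made-up legitimate match.

```python
import json

# Constructed sample of `grype -o json` output, reduced to the fields the
# triage uses. Field names are an assumption about Grype's JSON schema.
SAMPLE_REPORT = json.dumps({"matches": [
    {"artifact": {"name": "vault", "version": "0.17.0", "type": "gem"},
     "vulnerability": {"id": "CVE-2021-27668", "namespace": "nvd:cpe",
                       "fix": {"versions": ["1.6.3"]}},
     "matchDetails": [{"type": "cpe-match"}]},
    {"artifact": {"name": "vault", "version": "0.17.0", "type": "gem"},
     "vulnerability": {"id": "CVE-2020-16250", "namespace": "nvd:cpe",
                       "fix": {"versions": ["1.2.5", "1.3.8", "1.4.4", "1.5.1"]}},
     "matchDetails": [{"type": "cpe-match"}]},
    # Made-up match from the Ruby advisory feed (placeholder ID) that a
    # correct heuristic must leave alone.
    {"artifact": {"name": "example-gem", "version": "2.0.0", "type": "gem"},
     "vulnerability": {"id": "GHSA-xxxx-xxxx-xxxx",
                       "namespace": "github:language:ruby",
                       "fix": {"versions": ["2.0.1"]}},
     "matchDetails": [{"type": "exact-direct-match"}]},
]})

LANGUAGE_TYPES = {"gem", "npm", "python", "java-archive", "go-module"}

def major(version):
    """Leading integer of a version string ('1.6.3' -> 1); 0 if unparsable."""
    head = version.split(".")[0]
    return int(head) if head.isdigit() else 0

def suspected_cpe_false_positives(report_json):
    """Flag language-package matches that arrived via CPE matching.
    A second, weaker signal is recorded when every fix version sits in a
    higher major series than the installed version (0.17.0 vs 1.x here)."""
    out = []
    for m in json.loads(report_json)["matches"]:
        art, vuln = m["artifact"], m["vulnerability"]
        via_cpe = vuln.get("namespace") == "nvd:cpe" or any(
            d.get("type") == "cpe-match" for d in m.get("matchDetails", []))
        if art["type"] not in LANGUAGE_TYPES or not via_cpe:
            continue
        fixes = vuln.get("fix", {}).get("versions", [])
        gap = bool(fixes) and all(major(f) > major(art["version"]) for f in fixes)
        out.append({"id": vuln["id"], "name": art["name"], "type": art["type"],
                    "reason": "cpe-match on language package"
                              + (" + fixes only in a higher major series" if gap else "")})
    return out

def ignore_rules(suspects):
    """Entries for the `ignore:` list of .grype.yaml (shape per Grype's docs;
    confirm against your Grype version before committing the file)."""
    return [{"vulnerability": s["id"],
             "package": {"name": s["name"], "type": s["type"]}} for s in suspects]
```

Review each flagged entry by hand before turning it into an ignore rule: the heuristic identifies likely cross-ecosystem collisions, it does not prove a CVE is inapplicable.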