What happened:
I ran this command to scan my Docker Jenkins image, which is based on Debian:
```
syft docker.io/jenkins/jenkins:2.488 -o cyclonedx-json=sbom.syft.json
```
There are 13 vulnerabilities reported for git.
Here is the git version generated:
**1:**2.39.5-0+deb12u1
What you expected to happen:
The version is wrong, it should be "2.39.5-0+deb12u1", without "1:"
For example, CVE-2024-32465 and CVE-2023-25652 are reported, but they should be fixed in this version:
https://security-tracker.debian.org/tracker/CVE-2024-32465
https://security-tracker.debian.org/tracker/CVE-2023-25652
Steps to reproduce the issue:
```
syft docker.io/jenkins/jenkins:2.488 -o cyclonedx-json=sbom.syft.json
```
and upload the JSON to the Dependency-Track website.
Anything else we need to know?:
aquasecurity trivy didn't report the false positive for the same Docker image.
If I manually create a git component in Dependency-Track with the correct version number, it won't report any vulns.
Environment:
Output of `syft version`:
```
Application: syft
Version: 1.18.1
BuildDate: 2024-12-13T18:41:10Z
GitCommit: 5e16e50
GitDescription: v1.18.1
Platform: linux/amd64
GoVersion: go1.23.4
Compiler: gc
```
OS (e.g. `cat /etc/os-release` or similar):
```
PRETTY_NAME="Ubuntu 24.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.1 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
```
Thanks.
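
An added triage example, not part of the original issue and not code from Syft or Dependency-Track: it lists the Debian components in a CycloneDX SBOM whose version string carries an epoch prefix such as `1:`, so the findings reported against them can be checked against the Debian security tracker. The SBOM fragment is constructed and the function names are hypothetical.

```python
import json

# Constructed CycloneDX fragment (not real Syft output); only the fields used below.
SAMPLE_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "components": [
  {"type": "library", "name": "git", "version": "1:2.39.5-0+deb12u1",
   "purl": "pkg:deb/debian/git@1%3A2.39.5-0%2Bdeb12u1?arch=amd64"},
  {"type": "library", "name": "example-lib", "version": "1.2.3-4",
   "purl": "pkg:deb/debian/example-lib@1.2.3-4?arch=amd64"},
  {"type": "library", "name": "example-jar", "version": "2.0",
   "purl": "pkg:maven/org.example/example-jar@2.0"}
]}
""")


def split_deb_version(version):
    """Split a Debian version into (epoch, upstream, revision).

    Debian format: [epoch:]upstream_version[-debian_revision].
    epoch is None when the string has no numeric prefix before the first ':'.
    """
    head, sep, rest = version.partition(":")
    if sep and head.isdigit():
        epoch = int(head)
    else:
        epoch, rest = None, version
    # The revision is whatever follows the last hyphen, if there is one.
    upstream, dash, revision = rest.rpartition("-")
    if not dash:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def deb_components_with_epoch(sbom):
    """Return one dict per pkg:deb component whose version carries an epoch."""
    hits = []
    for comp in sbom.get("components", []):
        if not comp.get("purl", "").startswith("pkg:deb/"):
            continue  # epochs in this form only apply to Debian packages
        epoch, upstream, revision = split_deb_version(comp.get("version", ""))
        if epoch is None:
            continue
        bare = upstream + ("-" + revision if revision else "")
        hits.append({"name": comp["name"], "version": comp["version"],
                     "epoch": epoch, "without_epoch": bare})
    return hits


if __name__ == "__main__":
    for hit in deb_components_with_epoch(SAMPLE_SBOM):
        print(hit)
```

To run it on a real file, replace `SAMPLE_SBOM` with `json.load(open("sbom.syft.json"))`.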