Note: if we modify the "referenceLocator": "cpe:2.3:a:gnupg:gnupg:2.2.41-1:*:*:*:*:*:*:*" field in the SBOM to show 2.2.41, rather than 2.2.41-1, this is not flagged for CVE-2022-3515.
The SemVer matcher is treating the -1 at the end as a pre-release, so what we probably want to do is add an ALPM version object (similar to Alpine, which has things like -r1) which understands how to compare without this being treated as a pre-release. See: https://github.com/anchore/grype/blob/main/grype/version/apk_constraint.go
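As an added illustration of the two comparison rules the comment above contrasts (example code written for this page, not grype's version package and not the ALPM matcher the comment proposes): an Arch/pacman version is `[epoch:]pkgver[-pkgrel]`, so `-1` is a release counter and pacman's `vercmp` treats `2.2.41-1` as equal to `2.2.41` when the other side carries no pkgrel, whereas SemVer reads `-1` as a pre-release tag and sorts it below `2.2.41`. The `alpmVersion` type, `parseALPM`, `cmpSegments` and `semverLess` are names invented here, the ordering rules follow pacman's `vercmp` (rpmvercmp-style segment comparison), and the "vulnerable if installed < 2.2.41" bound is constructed from the report rather than read from a vulnerability database.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// alpmVersion is an Arch/pacman (ALPM) version: [epoch:]pkgver[-pkgrel].
// Hypothetical type written for this example; it is not grype's version package.
type alpmVersion struct{ epoch, pkgver, pkgrel string }

// parseALPM splits "1:2.2.41-1" into epoch "1", pkgver "2.2.41", pkgrel "1".
// The trailing "-1" is the package release counter, not a SemVer pre-release.
func parseALPM(s string) alpmVersion {
	v := alpmVersion{epoch: "0"} // a missing epoch means epoch 0
	if i := strings.IndexByte(s, ':'); i >= 0 {
		v.epoch, s = s[:i], s[i+1:]
	}
	if i := strings.LastIndexByte(s, '-'); i >= 0 {
		v.pkgrel, s = s[i+1:], s[:i]
	}
	v.pkgver = s
	return v
}

// A version string is compared as its maximal digit runs and letter runs;
// separators such as '.' and '_' only delimit segments (rpmvercmp/pacman style).
var segmentRe = regexp.MustCompile(`[0-9]+|[A-Za-z]+`)

// cmpSegments orders two version strings like pacman's vercmp (<0, 0, >0): numbers
// compare numerically ignoring leading zeros, letters lexically, a number outranks
// a letter run, and a leftover alphabetic tail ("rc1") makes that side older.
func cmpSegments(a, b string) int {
	as, bs := segmentRe.FindAllString(a, -1), segmentRe.FindAllString(b, -1)
	for i := 0; i < len(as) && i < len(bs); i++ {
		x, y := as[i], bs[i]
		xd, yd := x[0] <= '9', y[0] <= '9' // a segment is all digits or all letters
		var c int
		switch {
		case xd && yd:
			x, y = strings.TrimLeft(x, "0"), strings.TrimLeft(y, "0")
			if c = len(x) - len(y); c == 0 {
				c = strings.Compare(x, y)
			}
		case xd != yd: // ASCII digits sort below letters, so flip: the digit side wins
			c = int(y[0]) - int(x[0])
		default:
			c = strings.Compare(x, y)
		}
		if c != 0 {
			return c
		}
	}
	switch {
	case len(as) > len(bs) && as[len(bs)][0] <= '9', len(bs) > len(as) && bs[len(as)][0] > '9':
		return 1 // a has a numeric tail ("2.2.41.1") or b has an alphabetic tail ("rc1"): a is newer
	case len(as) != len(bs):
		return -1 // the mirror cases: a is older
	}
	return 0
}

// Compare orders like pacman: epoch, then pkgver, then pkgrel. When either side
// has no pkgrel, pkgrel is ignored, so "2.2.41-1" and "2.2.41" compare equal.
func (v alpmVersion) Compare(o alpmVersion) int {
	if c := cmpSegments(v.epoch, o.epoch); c != 0 {
		return c
	}
	if c := cmpSegments(v.pkgver, o.pkgver); c != 0 {
		return c
	}
	if v.pkgrel == "" || o.pkgrel == "" {
		return 0
	}
	return cmpSegments(v.pkgrel, o.pkgrel)
}

// semverLess models the SemVer precedence rule behind the false positive: "2.2.41-1"
// parses as release 2.2.41 with pre-release "1", and a pre-release sorts below the
// same release. Simplified: two pre-release tags are not ordered against each other.
func semverLess(a, b string) bool {
	ac, apre, _ := strings.Cut(a, "-")
	bc, bpre, _ := strings.Cut(b, "-")
	if c := cmpSegments(ac, bc); c != 0 {
		return c < 0
	}
	return apre != "" && bpre == "" // same core: only the tagged side is lower
}

func main() {
	// "Vulnerable if installed < 2.2.41": the bound is constructed from the report above.
	fmt.Println("semver flags 2.2.41-1:", semverLess("2.2.41-1", "2.2.41"))                         // true
	fmt.Println("alpm flags 2.2.41-1:  ", parseALPM("2.2.41-1").Compare(parseALPM("2.2.41")) < 0) // false
}
```

Under the SemVer reading the installed `2.2.41-1` sorts below the `2.2.41` fix bound and the package is flagged; under the ALPM reading the two versions are equal, so the same `< 2.2.41` constraint does not match. The same comparator also handles the other things an Arch version can carry: a higher pkgrel (`2.2.41-2` > `2.2.41-1`), an epoch (`1:2.2.40-1` > `2.2.41-1`) and a release-candidate tail (`2.2.41rc1` < `2.2.41`).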
What happened:
The following sbom file results in gnupg 2.2.41-1 being flagged for CVE-2022-3515:

What you expected to happen:
This should not have been flagged. Per NIST, v2.2.41 is not affected.

How to reproduce it (as minimally and precisely as possible):
Take the above sbom, and run a
grype sbom:my-sbom.json

Anything else we need to know?:
Possibly related to #1158?
To generate the original sbom, we ran syft against msys2-base--x86_64-20230526

Environment: