Multiple False Positive CVEs

[OfriOuzan]

What happened:
In a Vulnerability Scanner Benchmark Research we are conducting, we executed Grype on 20 different containers and found out that Grype has multiple False Positives.
What you expected to happen:
We expected Grype not to report on these CVEs.
How to reproduce it (as minimally and precisely as possible):
Install the Docker Images (from the links below) and execute Grype using the following command:
grype <container_name> —-output json > <output_file_path>

• Output of grype version:
  Application: grype
  Version: 0.41.0
  Syft Version: v0.50.0
  BuildDate: 2022-07-06T15:20:18Z
  GitCommit: 0e0a9d9
  GitDescription: v0.41.0
  Platform: linux/amd64
  GoVersion: go1.18.3
  Compiler: gc
  Supported DB Schema: 4

Cases

#1 - Ghost

• Container Details:
  https://hub.docker.com/layers/library/ghost/5.2.4/images/sha256-42137b9bd1faf4cdea5933279c48a912d010ef614551aeb0e44308600aa3e69f?context=explore

• OS (e.g: cat /etc/os-release):
  PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
  NAME="Debian GNU/Linux"
  VERSION_ID="11"
  VERSION="11 (bullseye)"
  VERSION_CODENAME=bullseye
  ID=debian
  HOME_URL="https://www.debian.org/"
  SUPPORT_URL="https://www.debian.org/support"
  BUG_REPORT_URL="https://bugs.debian.org/"

• CVEs
  CVE-1999-0082
  Grype wrongly identified CVE-1999-0082 as vulnerable.
  The path it identified is:
  /var/lib/ghost/versions/5.2.4/node_modules/ftp/package.json
  The ftp npm package version is 0.3.10.
  However, according to the debian website, the vulnerability is related to data pre-dating the Security Tracker (I think ftpd service and not the ftp npm package).
  CVE-1999-0201
  Grype wrongly identified CVE-1999-0201 as vulnerable.
  The path it identified is:
  /var/lib/ghost/versions/5.2.4/node_modules/ftp/package.json
  The ftp npm package version is 0.3.10.
  However, according to the debian website, the vulnerability is related to data pre-dating the Security Tracker (I think ftp server and not the ftp npm package).
  CVE-2004-2761
  Grype wrongly identified CVE-2004-2761 as vulnerable.
  The path it identified is:
  /var/lib/ghost/versions/5.2.4/node_modules/md5/package.json"
  The md5 npm package version is 2.3.0
  However, according to the debian website, this is a general MD5 weakness, and doesn't need to be tracked package-wise.
  CVE-2006-1611
  Grype wrongly identified CVE-2006-1611 as vulnerable.
  The path it identified is:
  /var/lib/ghost/versions/5.2.4/node_modules/archiver/package.json
  The archiver npm package version is 5.3.1
  However, according to the debian website, the vulnerability is related to the KGB Archiver.
  CVE-2015-9529
  Grype wrongly identified CVE-2015-9529 as vulnerable.
  The path it identified is:
  /var/lib/ghost/versions/5.2.4/node_modules/stripe/package.json
  The stripe package version is 8.215.0
  However, according to the debian website, the vulnerability is related to the Stripe WordPress plugin.
  CVE-2019-10743
  Grype wrongly identified CVE-2019-10743 as vulnerable.
  The path it identified is:
  /usr/local/lib/node_modules/ghost-cli/node_modules/archiver/package.json
  The archiver package version is 5.3.1
  However, according to the debian website, the vulnerability is not connected to debian (NOT-FOR-US).
  CVE-2021-24478
  Grype wrongly identified CVE-2021-24478 as vulnerable.
  The path it identified is:
  /var/lib/ghost/versions/5.2.4/node_modules/bookshelf/package.json
  The bookshelf package version is 1.2.0
  However, according to the debian website (and NVD), the vulnerability is the bookshelf Wordpress plugin
  CVE-2021-29940
  Grype wrongly identified CVE-2021-29940 as vulnerable.
  The path it identified is:
  /usr/local/lib/node_modules/ghost-cli/node_modules/through/package.json
  The opener package version is 2.3.8
  However, according to the debian website, the vulnerability is related to the Rust crate through

#2 - Jenkins

• Container Details:
  https://hub.docker.com/layers/jenkins/jenkins/2.358/images/sha256-01600c1acde3391286945f775f2e5b2366f9b96fbe012a3ffa5159073c0c6392?context=explore

• OS (e.g: cat /etc/os-release):
  PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
  NAME="Debian GNU/Linux"
  VERSION_ID="11"
  VERSION="11 (bullseye)"
  VERSION_CODENAME=bullseye
  ID=debian
  HOME_URL="https://www.debian.org/"
  SUPPORT_URL="https://www.debian.org/support"
  BUG_REPORT_URL="https://bugs.debian.org/"

• CVEs
  CVE-2018-1000052
  Grype wrongly identified fmtlib CVE-2018-1000052 as vulnerable.
  There is no fmtlib package in the container, however, there is a commons-jelly-tags-fmt file that has 1.0 version and Grype was mistaken because it leaning on the cpe "cpe:2.3:a:fmt:fmt::::::::"
  According to this link, commons-jelly-tags-fmt does not have versions in use that are higher than 1.0.0.

#3 - Kibana

• Container Details:
  https://hub.docker.com/layers/kibana/library/kibana/8.3.2/images/sha256-51635619b14a0f3a764f39c4c51d527304d8c33fbda05d72652b18255639122b?context=explore

• OS (e.g: cat /etc/os-release):
  NAME="Ubuntu"
  VERSION="20.04.4 LTS (Focal Fossa)"
  ID=ubuntu
  ID_LIKE=debian
  PRETTY_NAME="Ubuntu 20.04.4 LTS"
  VERSION_ID="20.04"
  HOME_URL="https://www.ubuntu.com/"
  SUPPORT_URL="https://help.ubuntu.com/"
  BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
  PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
  VERSION_CODENAME=focal
  UBUNTU_CODENAME=focal

• CVEs
  CVE-2006-1611
  Grype wrongly identified CVE-2006-1611 as vulnerable.
  The path it identified is:
  /var/lib/ghost/versions/5.2.4/node_modules/archiver/package.json
  The archiver npm package version is 5.3.1
  However, according to the debian website, the vulnerability is related to the KGB Archiver.
  CVE-2019-10743
  Grype wrongly identified CVE-2019-10743 as vulnerable.
  The path it identified is:
  /usr/local/lib/node_modules/ghost-cli/node_modules/archiver/package.json
  The archiver package version is 5.3.1
  However, according to the debian website, the vulnerability is not connected to debian (NOT-FOR-US).
  CVE-2020-10743
  Grype wrongly identified CVE-2020-10743 as vulnerable.
  The path it identified is:
  /usr/share/kibana/package.json
  However, according to the https://www.cve.org/CVERecord?id=CVE-2020-10743 website, the vulnerability is not related to the kibana npm package.
  CVE-2021-29940
  Grype wrongly identified CVE-2021-29940 as vulnerable.
  The path it identified is:
  /usr/local/lib/node_modules/ghost-cli/node_modules/through/package.json
  The opener package version is 2.3.8
  However, according to the debian website, the vulnerability is related to the ‘Rust crate through’ package
  CVE-2022-0323
  Grype was the only one that correctly identified CVE-2022-0323 as vulnerable.
  The path it identified is:
  /usr/share/kibana/node_modules/mustache/package.json
  The mustache npm package version is 2.3.2
  Affected versions: Up to (Excluding) 2.14.1
  However, according to nvd and snyk the affected mustache package is a composer php package and not npm.

#4 - Neo4j

• Container Details:
  https://hub.docker.com/layers/library/neo4j/4.4.8/images/sha256-d7cb5bde33a15197f45ca2f8a701de059c9e33cc6b59a7d7a02c180462ea98c0?context=explore

• OS (e.g: cat /etc/os-release):
  PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
  NAME="Debian GNU/Linux"
  VERSION_ID="11"
  VERSION="11 (bullseye)"
  VERSION_CODENAME=bullseye
  ID=debian
  HOME_URL="https://www.debian.org/"
  SUPPORT_URL="https://www.debian.org/support"
  BUG_REPORT_URL="https://bugs.debian.org/"

• CVEs
  CVE-2020-35864
  Grype wrongly identified CVE-2020-35864 as vulnerable.
  According to the Debian website: NOT-FOR-US: flatbuffers rust crate.
  According to Snyk vulnerability, the package is related to cargo.

#5 - Solr

• Container Details:
  https://hub.docker.com/layers/library/solr/9.0.0/images/sha256-a75d693dcc9b978f8f35cdad3f775ad09dd3020e1920871a1fb167655a19e888?context=explore

• OS (e.g: cat /etc/os-release):
  PRETTY_NAME="Ubuntu 22.04 LTS"
  NAME="Ubuntu"
  VERSION_ID="22.04"
  VERSION="22.04 LTS (Jammy Jellyfish)"
  VERSION_CODENAME=jammy
  ID=ubuntu
  ID_LIKE=debian
  HOME_URL="https://www.ubuntu.com/"
  SUPPORT_URL="https://help.ubuntu.com/"
  BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
  PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
  UBUNTU_CODENAME=jammy

• CVEs
  CVE-2013-2192, CVE-2015-7430, CVE-2016-5001, CVE-2017-3161, CVE-2017-3162
  Grype wrongly identified hadoop CVE-2013-2192, CVE-2015-7430, CVE-2016-5001, CVE-2017-3161, CVE-2017-3162 as vulnerable.
  Grype finds the hadoop version as: 1.1.1.
  According to ubuntu: This CVE does not apply to software in Ubuntu archives.
  I could not find any results for this cve on snyk vulnerabilities db website.
  CVE-2015-4035
  Grype identified java xz CVE-2015-4035 as vulnerable.
  Affected versions are: Up to (including) 4.999.9beta.
  Grype finds the following path: /opt/solr-9.0.0/modules/extraction/lib/xz-1.9.jar, the content of the: /opt/solr-9.0.0/licenses/xz-NOTICE.txt
  Contains the following:
  XZ for Java 1.0 (2011-10-22)
  http://tukaani.org/xz/java.html
  According to nvd affected cpes are: cpe:2.3:a:tukaani:xz::beta::::::*
  The vulnerability is a maven vulnerability and when I searched on snyk vulnerability db, I found that the 1.9 version is not affected by any vulnerability.
  According to this link, the 1.9 version is the last version of the package that exists on the container.
  According to a closed issue in dependency check tool:
  There is a false positive for Tukaani XZ:
  xz-1.8.jar (cpe:/a:tukaani:xz:1.8, org.tukaani:xz:1.8) : CVE-2015-4035
  The CVE refers to Tukaani itself. But org.tukaani.xz is a Java library that has a separate versioning system (https://tukaani.org/xz/java.html).
  CVE-2022-25647
  Grype wrongly identified com.google.code.gson:gson CVE-2022-25647
  as vulnerable. According to nvd, affected com.google.code.gson:gson versions are Up to (excluding) 2.8.9.
  Actual version: 2.8.9
  The path I found is:
  /opt/solr-9.0.0/modules/extraction/lib/gson-2.8.9.jar
  When I extracted the file i found the following pom.xml file:
  META-INF/maven/com.google.code.gson/gson/pom.xml
  That contains the following strings:
  gson-parent
  2.8.9
  The path grype identify is: "/opt/solr-9.0.0/modules/gcs-repository/lib/google-http-client-gson-1.41.0.jar"
  Then, wrongly compares the identifying path with the affected versions.
  According to this link, the 1.41.0 is not one of the gson package versions.

#6 - Sonarqube

• Container Details:
  https://hub.docker.com/layers/library/sonarqube/9.5.0-community/images/sha256-2f102e5b91abb39db22da3d2efca1eaccdd919923355b6e42edc3c522e3aa235?context=explore

• OS (e.g: cat /etc/os-release):
  NAME="Alpine Linux"
  ID=alpine
  VERSION_ID=3.14.6
  PRETTY_NAME="Alpine Linux v3.14"
  HOME_URL="https://alpinelinux.org/"
  BUG_REPORT_URL="https://bugs.alpinelinux.org/"

• CVEs
  326 cves
  Grype wrongly identified maven php vulnerabilities as vulnerable.
  The path it identified is:
  pkg:maven/org.sonarsource.php/[email protected]
  The php maven version is 3.23.1.8766.
  However, I only see that these vulnerabilities are connected to php and not to the maven php, I searched for results in snyk vulnerabilities db and did not find any connection to maven.
  Another thing, according to my searches, there is no php 3.23.1.8766 version.
  (For example:
  CVE-2002-2215
  CVE-2003-0442
  CVE-2004-0542
  CVE-2004-0958
  CVE-2004-0959
  CVE-2004-1018
  CVE-2006-3011
  CVE-2006-3017
  CVE-2006-5178
  CVE-2006-5465
  CVE-2006-5706
  CVE-2006-7243)

[westonsteimel]

Thanks for these reports @OfriOuzan! This is going to be extremely helpful for something we should have ready shortly to track grype matching quality against a labeled set of true-positive and false-positive matches across a variety of images. Specifically the labelling data correlates to specific image shas, so including those in your report is perfect for helping us extend that data set!

[OfriOuzan]

Hi, attaching a few more misidentified CVEs from the same research we believe we misidentified for different reasons:

What happened:
In a Vulnerability Scanner Benchmark Research we are conducting, we executed Grype on 20 different containers and found out that Grype has multiple False Positives.
In this comment we have tried to highlight misidentification stemming from reasons unrelated to CPE mismatches.

What you expected to happen:
We expected Grype not to have these mismatches.

How to reproduce it (as minimally and precisely as possible):
Install the Docker Images (from the links below) and execute Grype using the following command:
grype <container_name> —-output json > <output_file_path>

Output of grype version:
Application: grype
Version: 0.41.0
Syft Version: v0.50.0
BuildDate: 2022-07-06T15:20:18Z
GitCommit: 0e0a9d9
GitDescription: v0.41.0
Platform: linux/amd64
GoVersion: go1.18.3
Compiler: gc
Supported DB Schema: 4

Examples include:

• 93 cves
  In the following container images:
  Drupal
  NextCloud
  Wordpress
  Grype wrongly associated linux-libc-dev with CVEs affecting the linux kernel. Some of
  the vulnerabilities identified are associated with a much older kernel version the the

1. linux-libc-dev versionthat exist in the container (for example CVE-2005-3660 in the drupal container), but we think the problem is more fundamental in nature from two main reasons:
2. linux-libc-dev does not contain the relevant code for the identified vulnerabilities. In fact, it only contains header files.
   Even if it did, flagging kernel vulnerabilities from within containers doesn’t really serve a purpose for the user since the kernel version relevant for kernel vulnerabilities should be the external kernel version (the one running on the host). Even in the rare case in which the linux-libc-dev or linux-libc version on the container matches the kernel version on the host, upgrading libc on the container will not solve the problem as the libc code that will be used as part of the normal container operation will be the libc version of the host.

• CVE-2021-38561
  Grype did not identify CVE-2021-38561 as vulnerable.
  According to https://pkg.go.dev/vuln/GO-2021-0113 the affected golang.org/x/text/language versions are 0.3.7 and earlier.
  The found dependency is: golang.org/x/text dependency version 0.3.6 in the consul elf file.
  dep golang.org/x/text v0.3.6

• CVE-2020-8565
  Grype did not identify CVE-2020-8565 as vulnerable.
  According to https://pkg.go.dev/vuln/GO-2021-0064 the affected k8s.io/client-go/transport versions are v0.20.0-alpha.2 and earlier.
  The found dependency is: k8s.io/client-go dependency version 0.18.2 in the consul elf file.
  dep k8s.io/client-go v0.18.2

• CVE-2022-21698
  Grype did not identify CVE-2022-21698 as vulnerable.
  According to https://pkg.go.dev/vuln/GO-2022-0322 the affected package is github.com/prometheus/client_golang/prometheus/promhttp and the affected versions are v1.11.1 and earlier.
  The identified dependency is: github.com/prometheus/client_golang in the consul file with the v1.4.0 version.
  dep github.com/prometheus/client_golang v1.4.0

• CVE-2022-28948
  Grype did not identify CVE-2022-28948 as vulnerable.
  According to NVD, affected versions are all Go-Yaml v3.
  According to https://pkg.go.dev/vuln/ the affected package is gopkg.in/yaml.v3, affected versions range is: from v3.0.0 before v3.0.1.
  The found dependency is: gopkg.in/yaml.v3 dependency version v3.0.0-20200313102051-9f266ea9e77c in the consul elf file.
  dep gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c.
  According to this website, the patch deployed on the 3.0.0 version, means that every other version of 3.0.0 (for example v3.0.0-20200313102051-9f266ea9e77c) is affected by the vulnerability.

• CVE-2021-20066
  Grype wrongly identified CVE-2021-20066 as vulnerable.
  The path it identified is:
  /var/lib/ghost/versions/5.2.4/node_modules/jsdom/package.json
  The jsdom package version is 18.1.1
  However, according to the debian website, the vulnerability is disputed by the upstream.

• CVE-2022-32210
  Grype did not identify CVE-2022-32210 as vulnerable.
  The identified path is:
  /var/lib/ghost/versions/5.2.4/node_modules/undici/package.json
  The undici package version is 5.4.0
  Affected versions: From (including) 4.8.2 Up to (excluding) 5.5.1

• CVE-2017-16137
  Grype did not identify CVE-2017-16137 as vulnerable.
  The identified path is:
  /var/lib/ghost/versions/5.2.4/node_modules/brute-knex/node_modules/debug/package.json
  The debug package version is 4.1.1
  According to NVD , the vulnerability affected versions are from (including) 2.0.0 up to (excluding) 2.6.9 and From (including) 3.0.0 Up to (excluding) 3.1.0
  The debug versions I found on the container are: 0.1.17, 2.6.9, 3.1.0, 3.2.7, 4.1.1, 4.3.4
  However, according to this link, the vulnerability that was fixed in the f53962e was accidentally introduced in 7116906.
  So, the updated affected versions range is from (including) 2.0.0 up to (excluding) 2.6.9, from (including) 3.0.0 up to (excluding) 3.1.0, and from (including) 4.0.0 up to (excluding) 4.3.1.

• CVE-2022-2191
  Grype wrongly identified jetty CVE-2022-2191 as vulnerable.
  The actual version they both found is 9.4.46.v20220331, the affected versions are From (including) 10.0.0 Up to (including) 10.0.9 and from (including) 11.0.0 up to (including) 11.0.9. The version is not within the affected range.
  Also, according to this link, a contributor of jetty project mentioned that jetty versions 9.x are not affected by this vulnerability.

• CVE-2012-5783
  Grype did not identify commons-httpclient CVE-2012-5783 as vulnerable.
  The actual version found is 3.1: /var/jenkins_home/war/WEB-INF/lib/commons-httpclient-3.1-jenkins-3.jar
  Affected versions are up to 3.1-10.1.
  The version is within the affected range.

• CVE-2022-32210
  Grype did not identify CVE-2022-32210 as vulnerable.
  The path it identified is:
  /var/lib/ghost/versions/5.2.4/node_modules/undici/package.json
  The undici package version is 4.14.1
  Affected versions: from (including) 4.8.2 up to (excluding) 5.5.1

• CVE-2022-32212, CVE-2022-32213, CVE-2022-32214, CVE-2022-32223
  Grype did not identify the following cves as vulnerable:
  CVE-2022-32212, CVE-2022-32213, CVE-2022-32214, CVE-2022-32223.
  I found this file /usr/share/kibana/node/bin/node and when executing the path with -v it prints the 16.14.2 version.
  Then we found on the docker file the following command: COPY /usr/share/kibana /usr/share/kibana.

• CVE-2020-3810
  Grype did not identify CVE-2020-3810 as vulnerable.
  The affected package is apt and the version identified is: 2.0.9.
  According to NVD, the affected versions are: up to (excluding) 2.1.2.
  According to Ubuntu, the fixed version for focal distribution is: 2.0.2ubuntu0.1.
  The actual version is 2.0.9.
  The fixed commit in apt lists the fixed versions and 2.0.9 is not one of them.

• CVE-2022-24769
  Grype did not identify the runc CVE-2022-24769 as vulnerable.
  The runc CVE-2022-24769 affected versions are: Up to (excluding) 1.1.2, fixed 1.6.6~ds1-1.
  https://githubrecord.com/issue/tianon/gosu/109/1137647723
  Using strings on the gosu elf file, we found that the file has a dependency of runc version 1.0.1.
  It is strange that Grype which identified runc vulnerabilities did not identify these ones.

• CVE-2022-24823
  Grype did not identify netty CVE-2022-24823 as vulnerable. According to NVD, affected netty versions areUp to (excluding) 4.1.77.
  Actual version: 4.1.68.Final
  According to ubuntu:Jammy - Needs triage.

• CVE-2021-42377
  Grype did not identify CVE-2021-42377 as vulnerable.
  The affected busybox versions range is: 1.33.0 and 1.33.1.
  According to NVD, the affected cpe is: cpe:2.3:a:busybox:busybox:1.33.1:::::::*
  The actual version is: 1.33.1-r7.

• CVE-2022-21476
  Grype did not identify CVE-2022-21476 as vulnerable.
  The ncurses-libs affected versions range for Alpine 3.14 is: Up to (excluding) 6.2_p20210612-r1.
  The actual version is: 6.2_p20210612-r0.

• CVE-2022-28506
  Grype did not identify CVE-2022-28506 as vulnerable.
  The giflib affected version is: 5.2.1 vulnerable.
  The actual version is: 5.2.1-r0.

• CVE-2022-29458
  Grype did not identify CVE-2022-29458 as vulnerable.
  The ncurses-libs affected version is: 6.3 before patch 20220416.
  The actual version is: 6.2_p20210612-r0.

• CVE-2020-28491
  Grype did not identify CVE-2020-28491 as vulnerable.
  The jackson-dataformats-binary affected version is: Up to (excluding) 2.11.4.
  The actual version is: 2.10.4.

• CVE-2022-2068
  Grype did not identify CVE-2022-2068 as vulnerable.
  The openssl affected versions range is: From (including) 1.1.1 Up to (excluding) 1.1.1p.
  The actual version is: 1.1-1.1.1n-r0.
  According to security alpine and the alpine secdb, we assume that all openssl versions of Alpine 3.14 are affected by the vulnerability.

• CVE-2022-21476, CVE-2022-21496, CVE-2022-21426, CVE-2022-21434, CVE-2022-21443
  Grype did not identify CVE-2022-21476, CVE-2022-21496, CVE-2022-21426, CVE-2022-21434, CVE-2022-21443 as vulnerable.
  The actual version is: 11.0.14_p9-r0.
  According to the Alpine security advisory, the cpe for 11.0.14 is: cpe:2.3:a:oracle:jre:11.0.14:::::::*
  Means that all versions of 11.0.14 are affected by these vulnerabilities.

• CVE-2021-42376, CVE-2021-42379, CVE-2021-42373, CVE-2021-42381, CVE-2021-42382, CVE-2021-42374, CVE-2021-42386, CVE-2021-42384, CVE-2021-42383, CVE-2021-42385, CVE-2021-42380, CVE-2021-42378, CVE-2022-28391, CVE-2021-42375.
  Grype did not identify cves as vulnerable:
  CVE-2021-42376, CVE-2021-42379, CVE-2021-42373, CVE-2021-42381, CVE-2021-42382, CVE-2021-42374, CVE-2021-42386, CVE-2021-42384, CVE-2021-42383, CVE-2021-42385, CVE-2021-42380, CVE-2021-42378, CVE-2022-28391, CVE-2021-42375.
  According to NVD affected busybox versions range is: From (including) 1.16.0.Up to (excluding) 1.34.0.
  According to this website: https://security.alpinelinux.org/srcpkg/busybox
  One of the resolved cves for the Alpine 1.14 busybox 1.33.1-r8 version is CVE-2021-42376.
  The actual version is: 1.33.1-r7

• CVE-2020-0478
  Grype did not identify CVE-2020-0478 as vulnerable.
  The affected package is: aom.
  The affected version range: bullseye - 1.0.0.errata1-3 vulnerable
  The actual version is: 1.0.0.errata1-3.

• CVE-2022-27191
  Grype did not identify CVE-2022-27191 as vulnerable.
  According to https://pkg.go.dev/vuln/GO-2021-0356, affected package is golang.org/x/crypto/ssh affected versions are Up to (excluding) 0.0.0-20220314234659-1baeb1ce4c0b.
  The found dependency is: golang.org/x/crypto dependency version v0.0.0-20210513164829-c07d793c2f9a in the consul elf file.
  dep golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a
  crypto uses an ssh version from May 2021 which is before March 2022.

The Containers used in the research were:

Container	Version	Link
Jenkins	2.358	https://hub.docker.com/layers/jenkins/jenkins/2.358/images/sha256-01600c1acde3391286945f775f2e5b2366f9b96fbe012a3ffa5159073c0c6392?context=explore
Drupal	9.4.2	https://hub.docker.com/layers/library/drupal/9.4.2/images/sha256-b370968f989cddff5c0581d8093d65be8e0733176fe987d946114a11ada047d8?context=explore
MariaDB	1:10.8.3+maria~jammy	https://hub.docker.com/layers/library/mariadb/10.8.3/images/sha256-0a6ed934c1518abff64ed856b06f44006b4498b115941e19bbd910bd62a12232?context=explore
NextCloud	24.0.2	https://hub.docker.com/layers/library/nextcloud/24.0.2/images/sha256-f414023e31cfe6b157e76648c8ad021aab5491cbbb28f96939ae6dd874729ace?context=explore
Redis	7.0.2	https://hub.docker.com/layers/library/redis/7.0.2/images/sha256-31120dcdd310e9a65cbcadd504f4fe60a185bd634ab7c6a35e3e44a941904d97?context=explore
Tomcat	10.0.22	https://hub.docker.com/layers/library/tomcat/10.0.22/images/sha256-71444268934d60df07205e89f1f7a66df2852c7712063b8fa921828c94f169f6?context=explore
Wordpress	6.0	https://hub.docker.com/layers/library/wordpress/6.0.0-php7.4-fpm/images/sha256-ab9da08aca4576011afaa990295581b9f34ece4b1a0ce827a734264547064498?context=explore
Rabbitmq	3.10.5	https://hub.docker.com/layers/rabbitmq/library/rabbitmq/latest/images/sha256-45b2855afa95e7d483b4850bec8a5484031b94f9c72d5476a3900b7788a8fc74?context=explore
Ghost	5.2.4	https://hub.docker.com/layers/library/ghost/5.2.4/images/sha256-42137b9bd1faf4cdea5933279c48a912d010ef614551aeb0e44308600aa3e69f?context=explore
Memcached	1.6.15	https://hub.docker.com/layers/library/memcached/1.6.15/images/sha256-1fb5662239cfb3d632efd4df609caff38f0bac3e78bd0cf6db038d5a6a818147?context=explore
Postgres	14.4-1.pgdg110+1	https://hub.docker.com/layers/library/postgres/14.4/images/sha256-cf3b0cf1dde2a82542e4b9de7f3ad058fdc819dea6499007035b838542b0bd5e?context=explore
Httpd	2.4.54	https://hub.docker.com/layers/library/httpd/2.4.54/images/sha256-facd7a9ef4225c56d531cc2d1c26a0576edf417fb6d49f2f1b279994a8387666?context=explore
Consul	1.12.2	https://hub.docker.com/layers/library/consul/1.12.2/images/sha256-a1a933572cb6f6388501c535af455f77e687c62ff97ed72cd16301b8b535eae0?context=explore
Nginx	1.23.0	https://hub.docker.com/layers/library/nginx/1.23.0/images/sha256-33cef86aae4e8487ff23a6ca16012fac28ff9e7a5e9759d291a7da06e36ac958?context=explore
MySQL	8.0.29-1debian11	https://hub.docker.com/layers/library/mysql/8.0.29-debian/images/sha256-3a7e864bc88458911fa598065fe027736fa63495f5780ee0618caeb4a52bbc4c?context=explore
Mongo	5.0.9	https://hub.docker.com/layers/library/mongo/5.0.9/images/sha256-4b58442ec48034662c5581405a24755bdd80730535ccb98e262b6f5ed76c7017?context=explore
Sonarqube	9.5.0.56709	https://hub.docker.com/layers/library/sonarqube/9.5.0-community/images/sha256-2f102e5b91abb39db22da3d2efca1eaccdd919923355b6e42edc3c522e3aa235?context=explore
Kibana	8.3.2	https://hub.docker.com/layers/kibana/library/kibana/8.3.2/images/sha256-51635619b14a0f3a764f39c4c51d527304d8c33fbda05d72652b18255639122b?context=explore
Neo4j	4.4.8	https://hub.docker.com/layers/library/neo4j/4.4.8/images/sha256-d7cb5bde33a15197f45ca2f8a701de059c9e33cc6b59a7d7a02c180462ea98c0?context=explore
Solr	9.0.0	https://hub.docker.com/layers/library/solr/9.0.0/images/sha256-a75d693dcc9b978f8f35cdad3f775ad09dd3020e1920871a1fb167655a19e888?context=explore

[tgerla]

This class of problems should be fixed now that we have adjusted our vulnerability matching method as described here: https://anchore.com/blog/say-goodbye-to-false-positives/ -- I'll go ahead and close this issue but please feel free to re-open if you find more false positives, or if this one is still affecting your images. Thanks!