Closed
Description
What happened:
I'm using syft to generate an SBOM from a conan lockfile that grype can parse. Grype is definitely showing CVEs for other packages, but is not showing a known CVE for poco version 1.12.2.
What you expected to happen:
I expected grype to show CVE-2023-52389. I did a strings on the latest vulnerability db and it definitely has entries for that CVE.
How to reproduce it (as minimally and precisely as possible):
Have an SBOM with a poco artifact (I think the fragment below is enough), scan it with grype sbom:path/to/file, and verify that CVE-2023-52389 is not listed.
{
"id": "a37410edbefd35aa",
"name": "poco",
"version": "1.12.2"
}
Anything else we need to know?:
Environment:
- Output of grype version:
Application: grype
Version: 0.74.7
BuildDate: 2024-02-26T18:24:14Z
GitCommit: 987238519b8d6e302130ab715f20daed6634da68
GitDescription: v0.74.7
Platform: linux/amd64
GoVersion: go1.21.7
Compiler: gc
Syft Version: v0.105.1
Supported DB Schema: 5
- OS (e.g. cat /etc/os-release or similar):
NAME="Rocky Linux"
VERSION="9.3 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.3 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"
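An added triage helper for the reproduction step above (it is not part of this report or of grype/syft): it cross-checks the syft-JSON SBOM against grype's JSON report (grype sbom:path/to/file -o json) to tell a package grype matched nothing for apart from one where only the expected CVE is absent. It assumes the syft `artifacts[]` fields and grype's `matches[].artifact` / `matches[].vulnerability.id` fields, and runs on constructed sample data embedded inline.

```python
import json

# Constructed sample inputs, not the reporter's real files: a minimal syft-JSON
# SBOM and a minimal grype JSON report in which poco 1.12.2 got no matches.
# "CVE-1900-0001" is a placeholder identifier, not a real vulnerability.
SBOM_JSON = """{"artifacts": [
  {"id": "a37410edbefd35aa", "name": "poco", "version": "1.12.2"},
  {"id": "0000000000000001", "name": "zlib", "version": "1.2.11"}
]}"""

GRYPE_JSON = """{"matches": [
  {"vulnerability": {"id": "CVE-1900-0001"},
   "artifact": {"name": "zlib", "version": "1.2.11"}}
]}"""


def sbom_packages(sbom_text):
    """Set of (name, version) for every artifact in a syft-JSON SBOM."""
    return {(a["name"], a["version"])
            for a in json.loads(sbom_text).get("artifacts", [])}


def grype_matches(report_text):
    """Map (name, version) -> set of vulnerability ids from a grype JSON report."""
    found = {}
    for m in json.loads(report_text).get("matches", []):
        key = (m["artifact"]["name"], m["artifact"]["version"])
        found.setdefault(key, set()).add(m["vulnerability"]["id"])
    return found


def unmatched_packages(sbom_text, report_text):
    """SBOM packages for which grype reported nothing at all, sorted."""
    return sorted(sbom_packages(sbom_text) - set(grype_matches(report_text)))


def explain_missing_cve(sbom_text, report_text, name, version, cve):
    """Classify why an expected CVE is (or is not) in grype's output.
    "reported"            the CVE is listed for that package
    "package-not-in-sbom" syft never emitted the package, so grype could not match it
    "package-unmatched"   the package is in the SBOM but grype matched nothing for it
    "cve-missing"         grype matched other ids for the package but not this one
    """
    key = (name, version)
    if key not in sbom_packages(sbom_text):
        return "package-not-in-sbom"
    ids = grype_matches(report_text).get(key, set())
    if cve in ids:
        return "reported"
    return "package-unmatched" if not ids else "cve-missing"
```

The distinction matters when filing or triaging a report like this one: "package-unmatched" points at how the package is identified for matching, while "cve-missing" points at the DB record or version constraint for that one id.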