
JRuby distribution identifying JRuby binary with version 1.0 #4494

@sekveaja

Description


What happened:

Running grype on a container that has the JRuby binary, the tool reports many CVEs on it.

NAME   INSTALLED  FIXED IN  TYPE    VULNERABILITY        SEVERITY  EPSS          RISK
JRuby  1.0        1.6.5.1   binary  CVE-2011-4838        Medium    7.3% (91st)   3.6
JRuby  1.0                  binary  CVE-2012-5370        Medium    0.6% (68th)   0.3
JRuby  1.0                  binary  CVE-2010-1330        Medium    0.4% (61st)   0.2

What you expected to happen:

The image is using JRuby version 9.4.9.0 (3.1.4), which in theory is an updated version.
Somehow the tool detects some version 1.0, which leads it to generate vulnerabilities.
This is false in this case.

How to reproduce it (as minimally and precisely as possible):

Please do the following to reproduce the problem; it is very simple:

  1. Create the Dockerfile with this content:

    FROM registry.suse.com/suse/sle15:15.6

    ADD https://repo1.maven.org/maven2/org/jruby/jruby-dist/9.4.14.0/jruby-dist-9.4.14.0-bin.tar.gz /tmp
    RUN mkdir -p /opt/logstash/vendor/jruby/ && tar -xzf /tmp/jruby-dist-9.4.14.0-bin.tar.gz -C /opt/logstash/vendor/jruby/ && rm /tmp/jruby-dist-9.4.14.0-bin.tar.gz

    ENTRYPOINT [""]
    CMD ["bash"]

  2. Build an image from the Dockerfile:

    $ docker build -t "suse15.5_jruby_9.4.9:v1" .

  3. Test with Grype to reproduce the problem:

    $ grype  --distro sles:15.6 suse15.5_jruby_9.4.9:v1

    NAME   INSTALLED  FIXED IN  TYPE    VULNERABILITY        SEVERITY  EPSS          RISK
    JRuby  1.0        1.6.5.1   binary  CVE-2011-4838        Medium    7.3% (91st)   3.6    <-- issue reproduced
    JRuby  1.0                  binary  CVE-2012-5370        Medium    0.6% (68th)   0.3    <-- issue reproduced
    JRuby  1.0                  binary  CVE-2010-1330        Medium    0.4% (61st)   0.2    <-- issue reproduced

  4. Run Syft:

    $ syft suse15.5_jruby_9.4.9:v1 | grep -i ruby

    JRuby                                   1.0                                       binary        (+1 duplicate)
    cparse-jruby                            UNKNOWN                                   java-archive
    jruby                                   UNKNOWN                                   binary
    jruby-base                              9.4.14.0                                  java-archive
    jruby-core                              9.4.14.0                                  java-archive
    jruby-openssl                           0.15.4                                    gem
    jruby-openssl                           0.15.4                                    java-archive
    jruby-readline                          1.3.7                                     gem
    jruby-readline                          1.3.7                                     java-archive
    ruby2_keywords                          0.0.5                                     gem
    rubygems-update                         3.6.3                                     gem

Environment:

  • Output of grype version:
    grype 0.104.0

  • OS (e.g: cat /etc/os-release or similar):

NAME="SLES"
VERSION="15-SP6"
VERSION_ID="15.6"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP6"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp6"
DOCUMENTATION_URL="https://documentation.suse.com/"
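One way to triage this class of finding while the classifier issue is open, as an added example that is not part of the grype project or of this report: a Python script that compares grype's binary-type matches against the syft SBOM and flags a match as a likely false positive when another cataloger (jar, gem) saw the same product at a higher version, which is exactly the JRuby 1.0 (binary) versus jruby-core 9.4.14.0 (java-archive) disagreement above. The embedded JSON is constructed, and the field layout (`matches[].artifact`, `artifacts[]`) is assumed to follow the `grype -o json` and `syft -o json` shapes.

```python
import json
from typing import Dict, List

# Constructed, minimal stand-ins for `grype -o json` and `syft -o json` output.
# The field layout is an assumption modelled on the tools' JSON formats.
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2011-4838"},
     "artifact": {"name": "JRuby", "version": "1.0", "type": "binary"}},
    {"vulnerability": {"id": "CVE-2012-5370"},
     "artifact": {"name": "JRuby", "version": "1.0", "type": "binary"}},
]})
SYFT_JSON = json.dumps({"artifacts": [
    {"name": "JRuby", "version": "1.0", "type": "binary"},
    {"name": "jruby", "version": "UNKNOWN", "type": "binary"},
    {"name": "jruby-core", "version": "9.4.14.0", "type": "java-archive"},
    {"name": "jruby-base", "version": "9.4.14.0", "type": "java-archive"},
]})

def version_key(v: str):
    """Order dotted numeric versions ('9.4.14.0' > '1.0'); non-numeric parts sort low."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))

def corroborating_versions(sbom: dict, name: str) -> List[str]:
    """Versions the non-binary catalogers (jar, gem, ...) reported for the same product,
    matching by case-insensitive name prefix so 'jruby-core' corroborates 'JRuby'."""
    base = name.lower()
    return [a["version"] for a in sbom["artifacts"]
            if a["type"] != "binary" and a["name"].lower().startswith(base)
            and a["version"] and a["version"] != "UNKNOWN"]

def suspect_binary_matches(grype_report: dict, sbom: dict) -> Dict[str, str]:
    """Map CVE id -> reason, for binary-classifier matches contradicted by the SBOM.
    A match is suspect when another cataloger saw the product at a higher version."""
    suspects = {}
    for m in grype_report["matches"]:
        art = m["artifact"]
        if art["type"] != "binary":
            continue
        better = sorted({v for v in corroborating_versions(sbom, art["name"])
                         if version_key(v) > version_key(art["version"])})
        if better:
            suspects[m["vulnerability"]["id"]] = (
                f'{art["name"]} {art["version"]} (binary) vs {better} from other catalogers')
    return suspects

if __name__ == "__main__":
    for cve, why in suspect_binary_matches(json.loads(GRYPE_JSON), json.loads(SYFT_JSON)).items():
        print(f"LIKELY FALSE POSITIVE {cve}: {why}")
```

Flagged CVEs still need a human look at the actual binary before they are ignored; the script only surfaces the version contradiction.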
