Closed
What happened:
We are receiving a false positive for linux-pam on version 1.5.1-r1 when using Alpine 3.14. The false positive is for CVE-2020-27780 and was fixed in version 1.5.1.
NAME       INSTALLED  FIXED-IN  VULNERABILITY   SEVERITY 
linux-pam  1.5.1-r1   1.5.1     CVE-2020-27780  Critical  
What you expected to happen:
CVE should not be reported for this version of the package.
How to reproduce it (as minimally and precisely as possible):
Dockerfile
FROM alpine:3.14
RUN apk add --no-cache linux-pam=1.5.1-r1
Build image
$> docker build . -t bug
Scan image
$> grype bug
Anything else we need to know?:
Environment:
- Output of grype version:
Application:          grype
Version:              0.20.0
Syft Version:         v0.24.0
BuildDate:            2021-09-23T02:11:21Z
GitCommit:            1a7c9d177904756b820cea1044c8a5c452d8a4c3
GitTreeState:         clean
Platform:             darwin/amd64
GoVersion:            go1.16.8
Compiler:             gc
Supported DB Schema:  3
- OS (e.g: cat /etc/os-release or similar):
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.14.2
PRETTY_NAME="Alpine Linux v3.14"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
luhring
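The ordering the report relies on, that installed `1.5.1-r1` does not sort before fixed-in `1.5.1`, written out as an added example; it is not grype's or apk-tools' code. `parse` and `Affected` are hypothetical names, and the comparison is simplified to numeric dotted components plus the `-rN` package revision, rejecting anything else.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parse splits "1.5.1-r1" into upstream components [1 5 1] and revision 1
// (0 when "-rN" is absent). Simplified: suffixes such as _p1 are rejected.
func parse(v string) ([]int, int, error) {
	rev := 0
	if i := strings.LastIndex(v, "-r"); i >= 0 {
		r, err := strconv.Atoi(v[i+2:])
		if err != nil {
			return nil, 0, fmt.Errorf("bad revision in %q", v)
		}
		v, rev = v[:i], r
	}
	var parts []int
	for _, s := range strings.Split(v, ".") {
		n, err := strconv.Atoi(s)
		if err != nil {
			return nil, 0, fmt.Errorf("unsupported component %q in %q", s, v)
		}
		parts = append(parts, n)
	}
	return parts, rev, nil
}

// Affected reports whether installed sorts strictly before fixedIn.
func Affected(installed, fixedIn string) (bool, error) {
	a, ra, errA := parse(installed)
	b, rb, errB := parse(fixedIn)
	if errA != nil || errB != nil {
		return false, fmt.Errorf("cannot compare: %v %v", errA, errB)
	}
	for i := 0; i < len(a) && i < len(b); i++ {
		if a[i] != b[i] {
			return a[i] < b[i], nil
		}
	}
	// Assumption of this sketch: a shorter upstream prefix sorts first;
	// the revision only breaks ties between identical upstream versions.
	return len(a) < len(b) || (len(a) == len(b) && ra < rb), nil
}

func main() {
	fmt.Println(Affected("1.5.1-r1", "1.5.1")) // versions from the report
}
```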