False positive for alpine package #601

@cjyar


What happened: Grype claims that libzmq-4.3.3-r0, inside an alpine container, is vulnerable to CVE-2021-20236. (Original libzmq issue for reference.) The vuln is fixed in 4.3.3, and Alpine's versioning scheme means that 4.3.3-r0 > 4.3.3, which is the opposite of how semver would sort them.

What you expected to happen: libzmq-4.3.3-r0 should not be reported as vulnerable.

How to reproduce it (as minimally and precisely as possible): grype gcr.io/ironcore-images/tenant-security-proxy:3.0.0

Anything else we need to know?: This looks like another instance of #427. I originally encountered it in the results of a scan from anchore-engine, before finding that issue here in grype.

Environment:

  • Output of grype version:
    Application:          grype
    Version:              0.32.0
    Syft Version:         v0.36.0
    BuildDate:            2022-01-20T18:48:06Z
    GitCommit:            3ba7e56e42fddca0fd944986596068e429d448fa
    GitTreeState:         clean
    Platform:             darwin/amd64
    GoVersion:            go1.16.13
    Compiler:             gc
    Supported DB Schema:  3
  • OS (e.g: cat /etc/os-release or similar): MacOS 12.1
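To make the ordering question in this report concrete, here is an added example (not from the issue author and not grype's own matching code): a simplified comparator for the Alpine form "<dotted numeric upstream>-r<pkgrel>", beside a semver-style reading that treats the hyphenated suffix as a pre-release. Under the Alpine rule 4.3.3-r0 sorts after 4.3.3, so the package is not affected; under the semver-style rule it sorts before, which is the false positive described. apk-tools' full grammar (letters, _alpha/_p suffixes) is deliberately out of scope.

```python
"""Simplified Alpine (apk) version ordering, added to illustrate the issue
above. Handles "<dotted numeric upstream>-r<pkgrel>" only; apk-tools' full
grammar (letters, _alpha/_p suffixes) is out of scope."""

import re

_APK_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_apk(version: str) -> tuple[list[int], int]:
    """Return (upstream parts, pkgrel); pkgrel is -1 when no "-rN" is present."""
    m = _APK_RE.match(version)
    if not m:
        raise ValueError(f"unsupported Alpine version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    rel = int(m.group(2)) if m.group(2) is not None else -1
    return parts, rel


def compare_apk(a: str, b: str) -> int:
    """Order two Alpine versions (-1, 0, 1).

    Upstream parts compare numerically with a missing trailing part as 0; the
    pkgrel is the last, least significant key, and a present revision sorts
    after none, so "4.3.3-r0" > "4.3.3" as the issue states.
    """
    pa, ra = parse_apk(a)
    pb, rb = parse_apk(b)
    width = max(len(pa), len(pb))
    ka = pa + [0] * (width - len(pa)) + [ra]
    kb = pb + [0] * (width - len(pb)) + [rb]
    return (ka > kb) - (ka < kb)


def compare_semver_like(a: str, b: str) -> int:
    """Contrast: a semver-style reading where any hyphenated suffix marks a
    pre-release and so sorts *before* the bare version (suffix text ignored)."""
    def key(v: str):
        core, _, pre = v.partition("-")
        return [int(p) for p in core.split(".")], pre == ""  # no suffix => release
    ka, kb = key(a), key(b)
    return (ka > kb) - (ka < kb)


def is_vulnerable(installed: str, fixed: str, compare=compare_apk) -> bool:
    """Scanner rule: the installed package is affected when installed < fixed."""
    return compare(installed, fixed) < 0
```

Passing `compare=compare_semver_like` reproduces the wrong verdict for 4.3.3-r0 against a fix in 4.3.3; the default Alpine ordering clears it.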

Labels: bug (Something isn't working), changelog-ignore (Don't include this issue in the release changelog), ecosystem:os (relating to an OS packaging ecosystem), false-positive

Status: Done
