What happened:
I am scanning a VM machine and getting vulnerabilities due to indirect match. However, the package it points to doesn't exist on the machine, but another package with a different version does.
For example:
When I look for the linux package in grype, I can't see it. A higher version of linux is installed on the machine.
I suspect the upstream logic doesn't consider whether a higher version of linux \ kernel is installed, and therefore we get lots of FP.
What you expected to happen:
Validate that a package exists in the SBOM before using the upstream.
How to reproduce it (as minimally and precisely as possible):
Scan a machine on AWS and you will see it.
Anything else we need to know?:
Environment:
Output of grype version: 0.85.0
OS (e.g: cat /etc/os-release or similar): ubuntu 24:04