False Positive: GHSA-pxwf-m68q-gmw8 (CVE-2023-2004)

[jhk-15]

What happened:
After running GYPE Scans on a Container, we found the results for this Vulnerability's Severity to be "Unknown." Research online shows this to not be a Vulnerability.

What you expected to happen:
We expected results for Severity to read back as "Critical," "High," "Moderate," or "Low."

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:

Environment:

• Output of grype version:
• OS (e.g: cat /etc/os-release or similar):

[willmurphyscode]

Hi @jhk-15 thanks for the issue!

Without more information, I cannot investigate. Are you seeing it on a distro package, like a deb or RPM? If so, on which distro and package? Are you able to make a Dockerfile that produces this issue when the image is built? Are you able to point to a publicly available artifact that has this problem when Grype scans it?

A general answer might be: When grype finds a vulnerability, it reports severity based on the matcher that found it. For example, if you are scanning an Ubuntu image, and Grype finds a vulnerability in a dpkg, it will use the severity Canonical assigned.

I don't see info at NVD or GHSA: https://nvd.nist.gov/vuln/detail/cve-2023-2004 shows that this CVE is "rejected" and GHSA-pxwf-m68q-gmw8 shows that it is "unreviewed".

Also, you call this a "false positive" which means a "Grype is complaining about a vulnerability but the artifact scanned is not really vulnerable," but I think you're really saying, "Grype finds a vulnerability that is really present, but reports the wrong severity." Is that right?