False positives?

Have a look at https://github.com/citizensadvice/fluentd-docker/security/code-scanning/30, the [CVE](https://nvd.nist.gov/vuln/detail/CVE-2022-48174) is about busybox < 1.35 , and busybox is on 1.35.0-r29 (and so is ssl_client) ... interestingly when running grype on an image built in the same way locally, I don't get this issue.