certifi dependency false positive. #482
Labels
Comments
|
Hi @xanderstevenson thanks for the report, I'm afraid the false positive is an issue with grype scanner. anchore/grype#1430, anchore/grype#1417 and anchore/grype#1172 are still open issues in grype. |
|
Thank you for your contribution! This issue has been automatically marked as |
|
@xanderstevenson @FrimIdan, looks like it was solved in anchore/grype#1510 and present in v0.69.1. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What happened:
In Cisco Code Exchange, the following vulnerability was found.
certifi | 2023.7.22 | 2023.07.22 | requirements.txt | GHSA-xqr8-7jwr-rhp7 |
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
-- | -- | -- | -- | -- | --
What you expected to happen:
User updated certifi to 2023.07.22. Repo was rescanned and vulnerability alert still exisits.
How to reproduce it (as minimally and precisely as possible):
Scan GitHUb repo for Code Exchange and set certifi version to 2023.7.22 or 2023.07.22
Are there any error messages in KubeClarity logs?
(e.g.
kubectl logs -n kubeclarity --selector=app=kubeclarity)Unknown
Anything else we need to know?:
Environment:
kubectl version --short):helm version):kubectl -n kubeclarity exec deploy/kubeclarity -- ./backend version)helm -n kubeclarity list)The text was updated successfully, but these errors were encountered: