TYPO in a dependency fixed version #8146
Closed. Mati-Q-A started this conversation in False Detection. 2 comments, 3 replies.
-
The correct library is "1.5.13"
-
Hello @Mati-Q-A @angelmunozh

➜ trivy -q rootfs ./logback-core-1.5.12.jar
Java (jar)
Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌───────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│ Library                                               │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                                    │
├───────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ ch.qos.logback:logback-core (logback-core-1.5.12.jar) │ CVE-2024-12798 │ MEDIUM   │ fixed  │ 1.5.12            │ 1.5.13        │ logback-core: arbitrary code execution via               │
│                                                       │                │          │        │                   │               │ JaninoEventEvaluator                                     │
│                                                       │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-12798               │
│                                                       ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────┤
│                                                       │ CVE-2024-12801 │ LOW      │        │                   │               │ logback-core: SaxEventRecorder vulnerable to Server-Side │
│                                                       │                │          │        │                   │               │ Request Forgery (SSRF) attacks                           │
│                                                       │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-12801               │
└───────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

Regards, Dmitriy
-
Description
I'm using ch.qos.logback:logback-core in a project, and Trivy detected a vulnerability. That's right, but the fixed version in the database is wrong: the final fixed version in Maven Central is 1.5.13 (https://mvnrepository.com/artifact/ch.qos.logback/logback-core/1.5.13), but Trivy is looking for 1.15.13.
Pipeline log
Desired Behavior
Trivy must look for 1.5.13 fixed version
Actual Behavior
Trivy is looking for 1.15.13 fixed version
Reproduction Steps
Target: Container Image
Scanner: Vulnerability
Output Format: Table
Mode: Client/Server
Debug Output
Operating System: linux
Version
Checklist
trivy clean --all
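Why the mistyped fixed version matters, as an added example that is not part of this discussion or of Trivy's own code: a simplified Maven-style version comparison shows that against a fixed version of 1.15.13 even the patched 1.5.13 jar compares as vulnerable, and a sanity check flags a database fixed version that was never published for the artifact. The PUBLISHED release set, the comparison rules and SAMPLE_FINDINGS are constructed assumptions for this example; the dictionary keys follow Trivy's JSON output.

```python
import difflib
import re

# logback-core releases around the fix; constructed for this example (in practice
# take the list from the artifact's Maven Central metadata).
PUBLISHED = {"1.5.11", "1.5.12", "1.5.13", "1.5.14", "1.5.15"}

def _tokens(version):
    """Split a Maven-style version into comparable tokens: numeric segments
    compare as integers (so 5 < 15, unlike a string compare), and a qualifier
    such as 'rc1' or 'SNAPSHOT' sorts below the release with the same numbers.
    Simplified from Maven's ordering rules; an assumption, not Trivy's comparator."""
    return [(1, int(p)) if p.isdigit() else (0, p)
            for p in re.split(r"[.-]", version.lower())]

def compare(a, b):
    """Negative if a < b, zero if equal, positive if a > b."""
    ta, tb = _tokens(a), _tokens(b)
    pad = (1, 0)  # a missing trailing segment counts as .0, so 1.5 == 1.5.0
    ta += [pad] * (len(tb) - len(ta))
    tb += [pad] * (len(ta) - len(tb))
    return (ta > tb) - (ta < tb)

def is_affected(installed, fixed):
    """True when a scanner would report the package: installed < fixed."""
    return compare(installed, fixed) < 0

def check_fixed_version(fixed, published=PUBLISHED):
    """None if `fixed` was actually published for the artifact; otherwise the
    closest published version as a typo hint, or 'unknown' if nothing is close."""
    if fixed in published:
        return None
    close = difflib.get_close_matches(fixed, sorted(published), n=1, cutoff=0.8)
    return close[0] if close else "unknown"

def audit_findings(findings, published=PUBLISHED):
    """(VulnerabilityID, FixedVersion, hint) for every finding whose FixedVersion
    is not a published release. Keys follow Trivy's JSON output."""
    return [(f["VulnerabilityID"], f["FixedVersion"], hint)
            for f in findings
            if (hint := check_fixed_version(f["FixedVersion"], published))]

# Constructed to mirror the report in this discussion: CVE-2024-12798 with the
# mistyped 1.15.13, CVE-2024-12801 with the correct 1.5.13.
SAMPLE_FINDINGS = [
    {"VulnerabilityID": "CVE-2024-12798", "InstalledVersion": "1.5.12", "FixedVersion": "1.15.13"},
    {"VulnerabilityID": "CVE-2024-12801", "InstalledVersion": "1.5.12", "FixedVersion": "1.5.13"},
]
```

Running `audit_findings(SAMPLE_FINDINGS)` returns only the CVE-2024-12798 entry, with 1.5.13 as the suggested correction.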