False Positive: CVE-2021-22696 Apache Cxf-Xjc-Runtime vs Apache Cxf #1333
Labels:
- bug: Something isn't working
- changelog-ignore: Don't include this issue in the release changelog
- false-positive:cpe: This issue is a report of a false positive caused by CPE matching
What happened:
Using Apache cxf-xjc-runtime version 3.3.1
"package_cpe23": "cpe:2.3:a:apache:cxf-xjc-runtime:3.3.1:*:*:*:*:*:*:*",
"package_path": "/opt/jboss/keycloak/modules/system/layers/base/org/apache/cxf/impl/main/cxf-xjc-runtime-3.3.1.jar",
Reported: CVE-2021-22696 on NVD
"criteria": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*"
Grype reports vulnerability CVE-2021-22696 related to Apache CXF.
Apache CXF and Apache CXF XJC Runtime are different applications.
Therefore, it is a false positive.
What you expected to happen:
Should not report apache:cxf-xjc-runtime as apache:cxf.
Environment:
grype version: 0.61.1
cat /etc/os-release (or similar): SLES 15 SP4