trivy: Trivy detects CVE-2018-14721 on wrong versions of jackson-databind
Trivy detects jackson in a docker image but fails to take the version into account.
The CVE mentions FasterXML jackson-databind 2.x before 2.9.7,
but the contents of the docker image are jackson-*-2.10.3.
About this issue
- State: closed
- Created 3 years ago
- Reactions: 1
- Comments: 17 (9 by maintainers)
Thank you very much, maestro, you machine!!!
works for me 😉
@afdesk In my opinion you can close the issue. However, it was originally from @jvitrifork and I have no idea if his problem is solved.
@afdesk That is great! I updated and tried it out. Thanks a lot! I wish you all the best in 2022.
I now unzipped the JAR and searched for the offending names:
So it seems that ehcache sort of repackages the offending libraries. I cannot say yet from which version the repackaged class files are.
So as an intermediate request to trivy I’d like to propose to print out the path to the offending library.
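The manual check described in the last comment (unzipping the JAR and searching for the offending names), as an added example that is not part of the original thread and is not Trivy's code. It walks a JAR and any nested archives, reports the path of every copy of jackson-databind, including copies behind a relocation prefix, and reads the version from Maven metadata when it is present. The marker class, the `shaded/` prefix and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed marker: one well-known jackson-databind class. A repackaging build
# may put a relocation prefix in front of this path.
MARKER = "com/fasterxml/jackson/databind/ObjectMapper.class"
# Standard Maven metadata location for the artifact (absent in many repackaged JARs).
POM = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"

def find_databind(data, path):
    """Return (archive path, relocation prefix, version or None) per copy found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        version = None
        for n in names:
            if n.endswith(POM):
                for line in zf.read(n).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
        for n in names:
            if n.endswith(MARKER):
                # Heuristic: the version is whatever metadata ships in the same archive.
                hits.append((path, n[: -len(MARKER)], version))
            elif n.lower().endswith((".jar", ".war", ".ear")):
                try:
                    hits += find_databind(zf.read(n), f"{path}!/{n}")
                except zipfile.BadZipFile:
                    pass  # entry is not a readable archive
    return hits

def make_jar(entries):
    """Build an in-memory JAR from {entry name: content} (for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    # Constructed sample: a relocated copy without metadata in the outer JAR,
    # and a nested JAR carrying a plain copy with its pom.properties.
    inner = make_jar({MARKER: b"", POM: "version=2.10.3\n"})
    outer = make_jar({"shaded/" + MARKER: b"", "lib/jackson-databind.jar": inner})
    return find_databind(outer, "app.jar")

if __name__ == "__main__":
    for where, prefix, version in demo():
        print(f"{where}  prefix={prefix or '-'}  version={version or 'unknown'}")
```

A copy reported with a non-empty prefix and no version is the repackaged case from the thread: the classes are present, but the archive carries no metadata saying which release they came from.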