False positive for CVE-2024-52308 when gh (GitHub CLI) version 2.62.0 and above is installed #9915
benglewis started this conversation in False Detection
Replies: 2 comments, 3 replies
Hello @benglewis, which Ubuntu version are you using for the image? Regards, Dmitriy
1 reply
I guess you installed
2 replies
IDs: CVE-2024-52308

Description:
Trivy incorrectly reports that the gh CLI installed from the GitHub official apt repository is vulnerable to GHSA-p2h2-3vg9-4p87, despite it being a more recent version than 2.62.0, which is marked as the fix version in the official GitHub Security Advisory. It looks like this is because the affected software is incorrectly only labelled as being Cli when installed from GitHub and not Gh on Ubuntu (which, when installed from the official apt repository, is safe). Please fix this.
Reproduction Steps:

Target: Container Image
Scanner: Vulnerability
Target OS: Ubuntu 24.04

Debug Output:

Version:

Checklist:
-f json that shows data sources and confirmed that the security advisory in data sources was correct
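The kind of check a reviewer does when triaging a finding like the one above: confirm that the OS package is really the package the advisory names, and that its upstream version is below the fix version. The following is an added example, not Trivy's code. The alias table, the advisory entries and the sample installed-package versions are constructed for illustration; the only values taken from the report are the advisory id GHSA-p2h2-3vg9-4p87, the package names gh (apt) and cli (GitHub advisory), and the fix version 2.62.0. It also shows what a matcher of this kind does when an advisory entry carries no fix version for the OS package: it flags every installed version, so a patched install surfaces as a finding.

```python
"""Triage helper: is an OS package finding a true match for an advisory
written for a different package ecosystem?

Added example, not Trivy's code. APT_TO_ADVISORY_NAME, the AdvisoryEntry
values and the sample versions are constructed; only the advisory id, the
names gh/cli and the fix version 2.62.0 come from the report.
"""
from dataclasses import dataclass
from typing import Optional
import re

# Constructed alias table: apt package name -> name used in the advisory.
APT_TO_ADVISORY_NAME = {"gh": "cli"}


@dataclass(frozen=True)
class AdvisoryEntry:
    ident: str
    package: str                  # package name as the advisory writes it
    fixed_version: Optional[str]  # None = entry carries no fix version


@dataclass(frozen=True)
class InstalledPackage:
    name: str
    version: str                  # Debian-style: [epoch:]upstream[-revision]


_DEB_VERSION = re.compile(
    r"^(?:(?P<epoch>\d+):)?(?P<upstream>[^-]+)(?:-(?P<revision>.+))?$")


def upstream_version(deb_version: str) -> tuple[int, ...]:
    """Upstream part of a Debian version as an int tuple. Epoch and revision
    are dropped because a GitHub advisory's fix version is an upstream tag.
    Assumes a purely dotted-numeric upstream (true for gh tags like 2.62.0)."""
    m = _DEB_VERSION.match(deb_version)
    if not m:
        raise ValueError(f"unparseable Debian version: {deb_version!r}")
    parts = m.group("upstream").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"non-numeric upstream version: {deb_version!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True if upstream(a) < upstream(b). Tuples are zero-padded to equal
    length so 2.62 and 2.62.0 compare equal instead of 2.62 sorting first."""
    ta, tb = upstream_version(a), upstream_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def triage(pkg: InstalledPackage, adv: AdvisoryEntry) -> str:
    """One-line verdict: name match first, then fix-version comparison."""
    canonical = APT_TO_ADVISORY_NAME.get(pkg.name, pkg.name)
    if canonical != adv.package:
        return "not applicable: advisory names a different package"
    if adv.fixed_version is None:
        # A matcher that treats "no fix version" as "all versions affected"
        # reports every install, patched or not; confirm upstream before
        # accepting the finding.
        return (f"flagged: {adv.ident} carries no fix version for "
                f"{adv.package}; confirm against the upstream advisory")
    if version_lt(pkg.version, adv.fixed_version):
        return f"affected: {pkg.name} {pkg.version} < {adv.fixed_version}"
    return (f"false positive candidate: {pkg.name} {pkg.version} is at or "
            f"above fix version {adv.fixed_version}")


def is_affected(pkg: InstalledPackage, adv: AdvisoryEntry) -> bool:
    """Boolean form of triage() for use in a scanner-style matcher."""
    verdict = triage(pkg, adv)
    return verdict.startswith("affected") or verdict.startswith("flagged")


if __name__ == "__main__":
    # Constructed sample: the same advisory id with and without a fix
    # version, checked against a constructed gh version above 2.62.0.
    without_fix = AdvisoryEntry("GHSA-p2h2-3vg9-4p87", "cli", None)
    with_fix = AdvisoryEntry("GHSA-p2h2-3vg9-4p87", "cli", "2.62.0")
    gh = InstalledPackage("gh", "2.63.0-1")
    for entry in (without_fix, with_fix):
        print(triage(gh, entry))
```

Running it prints a "flagged" verdict for the entry without a fix version and a "false positive candidate" verdict for the entry that carries 2.62.0, which is the comparison to make before accepting or dismissing a report of this shape.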