Amazon Inspector False Positives On Patched Ubuntu Python Packages


As of a few days ago I started seeing Inspector findings related to my Ubuntu 20.04 LTS EC2 instances that appear to be false positives. For instance, CVE-2022-29217 was addressed by python3-jwt:1.7.1-2ubuntu2.1 (per https://ubuntu.com/security/CVE-2022-29217). The patched package version is installed on my instance. Why is the Inspector finding still triggering? There are some other similar Python package false positives I am seeing.

Additional info: for this specific finding, the file path is /usr/lib/python3/dist-packages/PyJWT-1.7.1.egg-info/PKG-INFO. It seems that other findings / false positives related to python packages are based on the egg-info file. The security update didn't bump the python3-jwt version or the egg-info details, it only bumped the ubuntu package from 1.7.1-2ubuntu2 to 1.7.1-2ubuntu2.1.

jstell
asked 9 months ago, 68 views

No answers
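The mismatch the question describes can be checked locally. The Python below is an added example written for this page, not code from the poster, AWS or Ubuntu. It parses a constructed PKG-INFO sample and a constructed `dpkg -s python3-jwt` sample, implements the dpkg version ordering (epoch, then upstream version, then Debian revision, with `~` sorting before everything else), and reports whether the installed package is at or above the version the question cites as Ubuntu's fix, 1.7.1-2ubuntu2.1. The file contents are constructed samples; the field names and output layout follow the real PKG-INFO and dpkg status formats.

```python
"""Compare the version a scanner sees in a Python egg-info file with the
version of the Ubuntu package that owns that file.

All inputs here are constructed samples, not captured from a real host.
"""
import re

# Constructed: what a scanner reads from
# /usr/lib/python3/dist-packages/PyJWT-1.7.1.egg-info/PKG-INFO
PKG_INFO_SAMPLE = """\
Metadata-Version: 2.1
Name: PyJWT
Version: 1.7.1
Summary: JSON Web Token implementation in Python
"""

# Constructed: abbreviated `dpkg -s python3-jwt` output after the security update
DPKG_STATUS_SAMPLE = """\
Package: python3-jwt
Status: install ok installed
Source: pyjwt
Version: 1.7.1-2ubuntu2.1
"""

# Version the question cites as Ubuntu's fix for CVE-2022-29217 on 20.04.
UBUNTU_FIXED_VERSION = "1.7.1-2ubuntu2.1"


def version_field(text: str) -> str:
    """Return the 'Version:' field from PKG-INFO, METADATA or dpkg status text."""
    m = re.search(r"^Version:\s*(\S+)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("no Version field found")
    return m.group(1)


def split_debian_version(v: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        head, v = v.split(":", 1)
        epoch = int(head)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def _order(c: str) -> int:
    """Character weight used by dpkg: '~' < end-of-string < letters < others."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's comparison of one version component (upstream or revision)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Compare the non-digit run character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa = _order(a[i] if i < len(a) else "")
            ob = _order(b[j] if j < len(b) else "")
            if oa != ob:
                return -1 if oa < ob else 1
            i += 1
            j += 1
        # Compare the digit run numerically (an absent run counts as 0).
        sa = i
        while i < len(a) and a[i].isdigit():
            i += 1
        sb = j
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = int(a[sa:i] or "0"), int(b[sb:j] or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def dpkg_compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 as dpkg --compare-versions would order a against b."""
    ea, ua, ra = split_debian_version(a)
    eb, ub, rb = split_debian_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def assess_finding(pkg_info_text: str, dpkg_status_text: str, fixed_version: str) -> dict:
    """Contrast the egg-info version with the owning package's dpkg version."""
    egg_version = version_field(pkg_info_text)
    deb_version = version_field(dpkg_status_text)
    _, upstream, _ = split_debian_version(deb_version)
    return {
        "egg_info_version": egg_version,
        "dpkg_version": deb_version,
        # A distro backport changes only the revision, so this stays True.
        "upstream_part_matches_egg_info": upstream == egg_version,
        "fixed_at_distro_level": dpkg_compare(deb_version, fixed_version) >= 0,
    }


if __name__ == "__main__":
    for k, v in assess_finding(PKG_INFO_SAMPLE, DPKG_STATUS_SAMPLE, UBUNTU_FIXED_VERSION).items():
        print(f"{k}: {v}")
```

On an instance the same inputs come from `dpkg -S /usr/lib/python3/dist-packages/PyJWT-1.7.1.egg-info/PKG-INFO` (which package owns the file), `dpkg -s python3-jwt` (its installed version) and `apt changelog python3-jwt` (the Ubuntu changelog entry that names the CVE). What the code makes explicit is that the egg-info version is only the upstream part of the Debian version string and is unchanged by a distro backport, so any check keyed on that file alone cannot observe the fix; the dpkg revision, compared with dpkg ordering against the version Ubuntu publishes, is the signal to trust.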
