Amazon Inspector False Positives On Patched Ubuntu Python Packages


As of a few days ago I started seeing Inspector findings related to my Ubuntu 20.04 LTS EC2 instances that appear to be false positives. For instance, CVE-2022-29217 was addressed by python3-jwt:1.7.1-2ubuntu2.1 (per https://ubuntu.com/security/CVE-2022-29217). The patched package version is installed on my instance. Why is the Inspector finding still triggering? There are some other similar Python package false positives I am seeing.

Additional info: for this specific finding, the file path is /usr/lib/python3/dist-packages/PyJWT-1.7.1.egg-info/PKG-INFO. It seems that other findings / false positives related to Python packages are based on the egg-info file. The security update didn't bump the python3-jwt version or the egg-info details; it only bumped the Ubuntu package from 1.7.1-2ubuntu2 to 1.7.1-2ubuntu2.1.

jstell
asked 9 months ago, 68 views
No answers
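The mismatch the question describes can be reproduced offline. The following is an added example, not code from the question or from AWS: it parses the PKG-INFO file the finding cites (Inspector's evidence, which only carries the upstream version 1.7.1), parses one line of `dpkg -S` output to find the owning Debian package, and compares the installed Debian version against the Ubuntu fixed version using a reimplementation of dpkg's version ordering so that no dpkg binary is required. The PKG-INFO text and the `dpkg -S` line are constructed samples modelled on the path in the question, and the upstream fixed version 2.4.0 is an assumed input for the demonstration; take it from the advisory you are actually working from.

```python
"""Offline triage of an Inspector Python-package finding against dpkg's view.

Constructed inputs stand in for what you would read on the instance: the
PKG-INFO file Inspector cited and one line of `dpkg -S <path>` output.
"""

# Constructed sample: the egg-info metadata Inspector used as evidence.
SAMPLE_PKG_INFO = """\
Metadata-Version: 1.1
Name: PyJWT
Version: 1.7.1
Summary: JSON Web Token implementation in Python

PyJWT is a JSON Web Token implementation written in Python.
"""

# Constructed sample: `dpkg -S` output for that file on an Ubuntu 20.04 host.
SAMPLE_DPKG_S = ("python3-jwt: /usr/lib/python3/dist-packages/"
                 "PyJWT-1.7.1.egg-info/PKG-INFO")


def parse_pkg_info(text):
    """Return the 'Key: value' headers of PKG-INFO; headers end at the first blank line."""
    headers = {}
    for line in text.splitlines():
        if not line.strip():
            break
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip()] = value.strip()
    return headers


def owning_package(dpkg_s_line):
    """Parse one `dpkg -S` line ('pkg[, pkg2]: /path') into (packages, path)."""
    owners, sep, path = dpkg_s_line.rpartition(": ")
    if not sep:
        return [], dpkg_s_line
    return [o.strip() for o in owners.split(",")], path


def _order(c):
    # dpkg's weight for characters in a non-digit run: '~' sorts before
    # everything including end of string, letters before non-letters.
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's ordering of an upstream-version or Debian-revision string."""
    ch = lambda s, k: s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights.
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: numeric comparison, leading zeros ignored.
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' the way dpkg does."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, revision = version.rsplit("-", 1) if "-" in version else (version, "")
    return epoch, upstream, revision


def dpkg_compare(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions`, without needing dpkg."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def triage(pkg_info_text, dpkg_s_line, installed_version, fixed_upstream, fixed_distro):
    """Compare what the scanner saw (PKG-INFO) with what dpkg actually installed."""
    meta = parse_pkg_info(pkg_info_text)
    pkgs, path = owning_package(dpkg_s_line)
    scanner_flags = dpkg_compare(meta["Version"], fixed_upstream) < 0   # upstream-only view
    distro_fixed = dpkg_compare(installed_version, fixed_distro) >= 0   # distro revision view
    if scanner_flags and distro_fixed:
        verdict = "false positive: fix backported in the Debian revision"
    elif distro_fixed:
        verdict = "not affected"
    else:
        verdict = "vulnerable: installed revision predates the distro fix"
    return {"package": pkgs[0] if pkgs else None, "evidence_path": path,
            "upstream_version": meta.get("Version"),
            "installed_version": installed_version, "verdict": verdict}


if __name__ == "__main__":
    # 2.4.0 is an assumed upstream fixed version for the demo; 1.7.1-2ubuntu2.1 is the
    # Ubuntu fixed version from the question.
    print(triage(SAMPLE_PKG_INFO, SAMPLE_DPKG_S, "1.7.1-2ubuntu2.1", "2.4.0", "1.7.1-2ubuntu2.1"))
```

On the instance itself the two real inputs come from `dpkg -S /usr/lib/python3/dist-packages/PyJWT-1.7.1.egg-info/PKG-INFO` and `dpkg-query -W -f='${Version}' python3-jwt`; the same verdict in one line is `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' python3-jwt)" ge 1.7.1-2ubuntu2.1 && echo patched`. The point the example makes concrete is that PKG-INFO cannot change when only the Debian revision changes, so any scanner that keys off egg-info metadata alone will keep reporting the upstream version as affected.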
