Project Quay: PROJQUAY-1031

False positive for jq (CVE-2016-4074)


    • Type: Bug
    • Resolution: Won't Do
    • Priority: Minor
    • Component: clair

      This was logged as https://github.com/quay/clair/issues/852 but was closed due to bug bankruptcy.

      Description of Problem / Feature Request

      Clair scanner is flagging CVE-2016-4074 if the container image contains jq 1.6-r0, even though the NVD information for CVE-2016-4074 states that it applies to jq versions <= 1.5.

      Expected Outcome

      As jq version 1.6-r0 is not vulnerable as per CVE-2016-4074, it should not be shown as a finding.

      Actual Outcome

      Clair scanner is flagging CVE-2016-4074 if the container image contains jq 1.6-r0, even though the NVD information for CVE-2016-4074 states that it applies to jq versions <= 1.5.

      Environment

      • Clair version/image: image: quay.io/coreos/clair:v2.0.7
      • Clair client name/version: Clairctl version 1.2.8
      • Host OS: CentOS 7
      • Kernel (e.g. uname -a): Linux <> 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
      • Kubernetes version (use kubectl version): NA. Using docker-compose.
      • Helm version (use helm version): NA.
      • Network/Firewall setup: No restrictions.
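To triage a report like this one, the following added example (not Clair's own matching code) checks each finding's installed package version against the advisory's stated upper bound. It assumes Alpine apk-style versions such as 1.6-r0 and the inclusive NVD bound "<= 1.5" quoted above; the Finding records are constructed for the example.

```python
# Added triage helper for findings like the one in this report. Not Clair's
# matching code; assumes apk-style versions ("<upstream>-r<N>") and the
# inclusive upper bound NVD gives for CVE-2016-4074 ("<= 1.5").
import re
from collections import namedtuple

# installed: version the scanner saw, e.g. "1.6-r0"; affected_max: the
# advisory's inclusive upper bound, e.g. "1.5".
Finding = namedtuple("Finding", "cve package installed affected_max")

def parse_version(v: str):
    """Parse "1.6-r0" -> ([1, 6], 0); an upstream-only bound "1.5" -> ([1, 5], None)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    rel = int(m.group(2)) if m.group(2) is not None else None
    return parts, rel

def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is <, == or > b. Missing trailing parts count
    as zero ("1.5" == "1.5.0"). The apk -rN revision is a packaging change,
    not an upstream release, so it only breaks ties when both sides carry
    one; an upstream-only bound such as "1.5" still covers every 1.5-rN."""
    pa, ra = parse_version(a)
    pb, rb = parse_version(b)
    n = max(len(pa), len(pb))
    pa += [0] * (n - len(pa))
    pb += [0] * (n - len(pb))
    if pa != pb or ra is None or rb is None:
        return (pa > pb) - (pa < pb)
    return (ra > rb) - (ra < rb)

def is_false_positive(f: Finding) -> bool:
    """True when the installed version lies above the advisory's inclusive
    upper bound, i.e. the scanner's match should be suppressed."""
    return compare_versions(f.installed, f.affected_max) > 0

def triage(findings):
    """Return (cve, installed, verdict) for each finding."""
    return [(f.cve, f.installed,
             "false positive" if is_false_positive(f) else "confirmed")
            for f in findings]

# Constructed sample: the jq 1.6-r0 finding from this report, plus a jq 1.5
# build that really is inside the range, for contrast.
SAMPLE = [Finding("CVE-2016-4074", "jq", "1.6-r0", "1.5"),
          Finding("CVE-2016-4074", "jq", "1.5-r2", "1.5")]
```

An upstream range is only part of the picture: distributions backport fixes into older package revisions, so the distribution's own security database, not NVD's upstream range alone, decides whether a 1.5-rN build is actually affected.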

              Assignee: Unassigned
              Reporter: Shashibhushan Gokhale (shashigokhale, Inactive)
              Votes: 1
              Watchers: 3