A client is uploading their images to Quay.io and found that Clair on Quay.io is reporting false positives on their images. This is their analysis:
The issue seems to be with how Clair is scanning Jars. We have this transitive dependency tree: org.apache.cxf:cxf-rt-ws-security:3.3.6 > net.sf.ehcache:ehcache:2.10.6 > com.fasterxml.jackson.core:jackson-databind:2.9.6. Even though our project overrides the jackson-databind lib and sets it to 2.12.3, the scanner is picking up that ehcache has a transitive dependency on an old version of jackson-databind. That is completely wrong and is going to produce a lot of false positives. It's up to the build tool (Maven, Gradle, etc.) to resolve dependency versions, and the version of the libs is what's in the packaged application, not what each artifact has in its own pom file. I think this could easily be reproduced by including ehcache:2.10.6 and jackson-databind 2.12.3 in the same container and scanning it. We were able to remove the false positive security vulnerabilities in the quay.io report by excluding the ehcache dependency entirely, even with the same jackson-databind libs. We are lucky that we don't need ehcache, so excluding it won't be an issue. However, this bug is quite concerning and makes these reports very challenging to use.
Can you please check this issue and advise what can be done? Thanks!
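To make the reported behaviour concrete and give a reproduction that runs offline, here is an added example (not part of this ticket, and not Clair's or Quay's own code). It builds two constructed in-memory jars with the Maven metadata real jars ship under META-INF/maven/: an ehcache 2.10.6 jar whose embedded pom.xml declares jackson-databind 2.9.6, and a jackson-databind 2.12.3 jar, i.e. the overridden version that the build actually packaged. `naive_inventory` reports every coordinate mentioned in any embedded pom, which is the behaviour the client describes and yields the phantom 2.9.6. `reconciled_inventory` counts only artifacts actually present in the image and lists the declarations they shadow. The helper names (`make_jar`, `read_metadata`, and the two inventory functions) are this example's own; whether Clair's Java scanner reads pom.xml dependency elements in exactly this way is an assumption here, not something this ticket confirms.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

POM_NS = "{http://maven.apache.org/POM/4.0.0}"
GAV = Tuple[str, str, str]


def make_jar(group: str, artifact: str, version: str, deps=()) -> bytes:
    """Constructed sample jar: only the Maven metadata that matters here
    (META-INF/maven/<group>/<artifact>/pom.properties and pom.xml), no classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        base = f"META-INF/maven/{group}/{artifact}/"
        zf.writestr(base + "pom.properties",
                    f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
        dep_xml = "".join(
            f"<dependency><groupId>{g}</groupId><artifactId>{a}</artifactId>"
            f"<version>{v}</version></dependency>" for g, a, v in deps)
        zf.writestr(base + "pom.xml",
                    '<project xmlns="http://maven.apache.org/POM/4.0.0">'
                    f"<groupId>{group}</groupId><artifactId>{artifact}</artifactId>"
                    f"<version>{version}</version>"
                    f"<dependencies>{dep_xml}</dependencies></project>")
    return buf.getvalue()


def read_metadata(jar_bytes: bytes) -> Tuple[GAV, List[GAV]]:
    """Return the jar's own coordinates (from pom.properties) and every
    dependency with an explicit version declared in its embedded pom.xml."""
    props: Dict[str, str] = {}
    deps: List[GAV] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("META-INF/maven/"):
                continue
            if name.endswith("pom.properties"):
                for line in zf.read(name).decode().splitlines():
                    if "=" in line and not line.startswith("#"):
                        k, v = line.split("=", 1)
                        props[k.strip()] = v.strip()
            elif name.endswith("pom.xml"):
                root = ET.fromstring(zf.read(name))
                for d in root.iter(POM_NS + "dependency"):
                    g = d.findtext(POM_NS + "groupId")
                    a = d.findtext(POM_NS + "artifactId")
                    v = d.findtext(POM_NS + "version")
                    if g and a and v:  # versions inherited from a parent are skipped
                        deps.append((g, a, v))
    return (props["groupId"], props["artifactId"], props["version"]), deps


def naive_inventory(jars: List[bytes]) -> List[GAV]:
    """Every coordinate mentioned anywhere: the jar itself plus whatever its
    embedded pom declares. This is the behaviour the ticket describes, and it
    reports jackson-databind 2.9.6 even though only 2.12.3 is shipped."""
    found = set()
    for jar in jars:
        gav, deps = read_metadata(jar)
        found.add(gav)
        found.update(deps)
    return sorted(found)


def reconciled_inventory(jars: List[bytes]) -> Tuple[List[GAV], List[GAV]]:
    """Only artifacts physically present count, mirroring the build tool's
    resolution. Returns (shipped, overridden): declarations whose artifact is
    present at a different version are metadata, not code in the image."""
    present: Dict[Tuple[str, str], str] = {}
    declared = set()
    for jar in jars:
        (g, a, v), deps = read_metadata(jar)
        present[(g, a)] = v
        declared.update(deps)
    shipped = sorted((g, a, v) for (g, a), v in present.items())
    overridden = sorted((g, a, v) for g, a, v in declared
                        if (g, a) in present and present[(g, a)] != v)
    return shipped, overridden


def build_sample_image() -> List[bytes]:
    """Constructed reproduction of the ticket's tree after the build override:
    ehcache 2.10.6 still declares jackson-databind 2.9.6, but 2.12.3 is what ships."""
    ehcache = make_jar("net.sf.ehcache", "ehcache", "2.10.6",
                       deps=[("com.fasterxml.jackson.core", "jackson-databind", "2.9.6")])
    jackson = make_jar("com.fasterxml.jackson.core", "jackson-databind", "2.12.3")
    return [ehcache, jackson]


if __name__ == "__main__":
    jars = build_sample_image()
    print("naive (pom-declared):", naive_inventory(jars))
    shipped, overridden = reconciled_inventory(jars)
    print("shipped:", shipped)
    print("overridden declarations:", overridden)
```

The `overridden` list is the useful diff when triaging such a report: a coordinate that appears there is a finding against metadata rather than against a jar in the image, whereas a declared dependency that is absent from `shipped` altogether would be a genuinely missing artifact and worth a separate look.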