False Positive in RHACS between Apache httpclient and Ruby httpclient version 2.8.3

Solution Verified - Updated -

Environment

  • Red Hat Advanced Cluster Security (RHACS)
    • 3.70

Issue

  • RHACS reports a false positive: the Ruby httpclient library is flagged as affected by CVE-2020-13956, although that CVE applies to the Apache HttpClient library.
  • The Apache and Ruby libraries are unrelated, so the presence of Ruby httpclient version 2.8.3 should not qualify the image as vulnerable to CVE-2020-13956. Nevertheless, scanning an image that contains the Ruby library shows the following in the scan result output:
Component Version: 2.8.3
Location: opt/chef/embedded/lib/ruby/gems/3.0.0/specifications/httpclient-2.8.3.gemspec
Fixed In: 4.5.13

Resolution

  • Currently, engineering is working on consolidating RHACS with the Red Hat Quay Clair v4 scanner, which will improve the security data consumed by ACS and avoid such false positives in the future. The timeframe for completing the Clair consolidation is early May 2023.

Root Cause

  • These false positives are the result of using NVD security data for scanning: the match is made on the component name and version alone, and the Ruby gem shares its name with the Apache library.
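As an added illustration of the root cause (example code, not RHACS, Clair or NVD code): a matcher keyed only on component name and version flags the Ruby gem from the scan result above, while one that also requires the package ecosystem to agree does not. The CVE record is constructed from the values on this page and assumes the affected product is the CPE vendor/product pair apache:httpclient in the Maven ecosystem; the JAR path and version 4.5.12 are constructed.

```python
"""Ecosystem-aware vulnerability matching: why a Ruby gem named httpclient
should not be matched to an Apache HttpClient (Java) CVE."""
from dataclasses import dataclass

# Constructed advisory record in the shape of an NVD CPE match. The
# "ecosystem" field is an assumption: NVD CPE data does not carry it, which
# is exactly why name-only matching collides across ecosystems.
CVE_RECORDS = [
    {"id": "CVE-2020-13956", "vendor": "apache", "product": "httpclient",
     "ecosystem": "maven", "fixed_in": "4.5.13"},
]

@dataclass
class Component:
    name: str
    version: str
    location: str  # path where the scanner found the component

def ecosystem_of(location: str) -> str:
    """Infer the package ecosystem from the file the scanner indexed."""
    if location.endswith(".gemspec"):
        return "rubygems"
    if location.endswith((".jar", ".pom")):
        return "maven"
    return "unknown"

def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def naive_matches(c: Component) -> list:
    """Name-and-version match only: the logic that produces the false positive."""
    return [r["id"] for r in CVE_RECORDS
            if r["product"] == c.name
            and version_tuple(c.version) < version_tuple(r["fixed_in"])]

def ecosystem_matches(c: Component) -> list:
    """Require the ecosystem to agree before a name/version match counts."""
    eco = ecosystem_of(c.location)
    return [r["id"] for r in CVE_RECORDS
            if r["product"] == c.name and r["ecosystem"] == eco
            and version_tuple(c.version) < version_tuple(r["fixed_in"])]

# RUBY_GEM is taken from the scan result on this page; JAVA_JAR is constructed.
RUBY_GEM = Component("httpclient", "2.8.3",
    "opt/chef/embedded/lib/ruby/gems/3.0.0/specifications/httpclient-2.8.3.gemspec")
JAVA_JAR = Component("httpclient", "4.5.12", "usr/share/java/httpclient-4.5.12.jar")

if __name__ == "__main__":
    print("naive:", naive_matches(RUBY_GEM), naive_matches(JAVA_JAR))
    print("ecosystem-aware:", ecosystem_matches(RUBY_GEM), ecosystem_matches(JAVA_JAR))
```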

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
