openjdk-*: CVE-2024-20932 is a false positive (#5184)

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
wolfi-dev · Jun 5, 2024 · 11ea2a0 · 11ea2a0
1 parent b3af477
commit 11ea2a0
Show file tree

Hide file tree

Showing 10 changed files with 900 additions and 850 deletions.
diff --git a/openjdk-10.advisories.yaml b/openjdk-10.advisories.yaml
@@ -4,12 +4,30 @@ package:
   name: openjdk-10
 
 advisories:
-  - id: CGA-x553-263x-w5r4
+  - id: CGA-3c74-2v6w-g9p4
     aliases:
-      - CVE-2023-21930
-      - GHSA-4j35-7cr4-3mc8
+      - CVE-2024-21085
+      - GHSA-273j-fjrx-gf2f
     events:
-      - timestamp: 2024-03-31T13:27:52Z
+      - timestamp: 2024-04-19T13:09:12Z
+        type: detection
+        data:
+          type: scan/v1
+          data:
+            subpackageName: openjdk-10-doc
+            componentID: 1dcdbfaef83f18d0
+            componentName: openjdk-10-doc
+            componentVersion: 10.0.2-r4
+            componentType: apk
+            componentLocation: /.PKGINFO
+            scanner: grype
+
+  - id: CGA-5326-5723-p8q6
+    aliases:
+      - CVE-2023-22041
+      - GHSA-rgxf-494f-377c
+    events:
+      - timestamp: 2024-03-31T13:43:26Z
         type: detection
         data:
           type: scan/v1
@@ -22,12 +40,12 @@ advisories:
             componentLocation: /.PKGINFO
             scanner: grype
 
-  - id: CGA-qgpm-xhx2-5pjp
+  - id: CGA-5mgx-7pq5-5qf6
     aliases:
-      - CVE-2023-21937
-      - GHSA-vr26-5f5w-r829
+      - CVE-2023-25193
+      - GHSA-v8ff-vmc3-wr4m
     events:
-      - timestamp: 2024-03-31T13:28:23Z
+      - timestamp: 2024-03-31T13:46:51Z
         type: detection
         data:
           type: scan/v1
@@ -40,6 +58,24 @@ advisories:
             componentLocation: /.PKGINFO
             scanner: grype
 
+  - id: CGA-5r87-8qp7-jmrv
+    aliases:
+      - CVE-2024-21094
+      - GHSA-g3wm-f7gr-3fwh
+    events:
+      - timestamp: 2024-04-19T13:09:14Z
+        type: detection
+        data:
+          type: scan/v1
+          data:
+            subpackageName: openjdk-10-doc
+            componentID: 1dcdbfaef83f18d0
+            componentName: openjdk-10-doc
+            componentVersion: 10.0.2-r4
+            componentType: apk
+            componentLocation: /.PKGINFO
+            scanner: grype
+
   - id: CGA-5x4h-8frw-6cx4
     aliases:
       - CVE-2023-21938
@@ -76,12 +112,12 @@ advisories:
             componentLocation: /.PKGINFO
             scanner: grype
 
-  - id: CGA-qxm6-59qp-ccpf
+  - id: CGA-85fg-mp4w-g52f
     aliases:
-      - CVE-2023-21954
-      - GHSA-8x3h-4f64-v6v6
+      - CVE-2024-20945
+      - GHSA-qj64-r5h2-w6f9
     events:
-      - timestamp: 2024-03-31T13:35:32Z
+      - timestamp: 2024-04-13T07:42:34Z
         type: detection
         data:
           type: scan/v1
@@ -94,12 +130,12 @@ advisories:
             componentLocation: /.PKGINFO
             scanner: grype
 
-  - id: CGA-wfxh-c4fv-4383
+  - id: CGA-9wqr-4rqq-hj29
     aliases:
-      - CVE-2023-21967
-      - GHSA-wg7x-fvjp-r3fx
+      - CVE-2024-20919
+      - GHSA-vgxv-38wx-r77w
     events:
-      - timestamp: 2024-03-31T13:38:54Z
+      - timestamp: 2024-04-13T07:42:29Z
         type: detection
         data:
           type: scan/v1
@@ -112,12 +148,12 @@ advisories:
             componentLocation: /.PKGINFO
             scanner: grype
 
-  - id: CGA-j5qg-p276-q8fq
+  - id: CGA-hjgc-m4pq-g9mg
     aliases:
-      - CVE-2023-21968
-      - GHSA-r6j2-4r52-mpg7
+      - CVE-2024-20926
+      - GHSA-hjh6-9v4w-w32w
     events:
-      - timestamp: 2024-03-31T13:41:30Z
+      - timestamp: 2024-04-13T07:42:32Z
         type: detection
         data:
           type: scan/v1
@@ -130,12 +166,12 @@ advisories:
             componentLocation: /.PKGINFO
             scanner: grype
 
-  - id: CGA-5326-5723-p8q6
+  - id: CGA-j5qg-p276-q8fq
     aliases:
-      - CVE-2023-22041
-      - GHSA-rgxf-494f-377c
+      - CVE-2023-21968
+      - GHSA-r6j2-4r52-mpg7
     events:
-      - timestamp: 2024-03-31T13:43:26Z
+      - timestamp: 2024-03-31T13:41:30Z
         type: detection
         data:
           type: scan/v1
@@ -148,23 +184,28 @@ advisories:
             componentLocation: /.PKGINFO
             scanner: grype
 
-  - id: CGA-5mgx-7pq5-5qf6
+  - id: CGA-p98q-52v3-j278
     aliases:
-      - CVE-2023-25193
-      - GHSA-v8ff-vmc3-wr4m
+      - CVE-2024-20932
+      - GHSA-ccwc-jrj7-h4v6
     events:
-      - timestamp: 2024-03-31T13:46:51Z
+      - timestamp: 2024-05-24T07:39:10Z
         type: detection
         data:
           type: scan/v1
           data:
-            subpackageName: openjdk-10-demos
-            componentID: 2817ff019ab111ef
-            componentName: openjdk-10-demos
+            subpackageName: openjdk-10
+            componentID: b66851eb096d6998
+            componentName: openjdk-10
             componentVersion: 10.0.2-r4
             componentType: apk
             componentLocation: /.PKGINFO
             scanner: grype
+      - timestamp: 2024-06-05T12:27:37Z
+        type: false-positive-determination
+        data:
+          type: vulnerable-code-version-not-used
+          note: NVD record says the affected version is 17.0.9, not a version range.
 
   - id: CGA-phgm-jqj3-mcpq
     aliases:
@@ -184,19 +225,19 @@ advisories:
             componentLocation: /.PKGINFO
             scanner: grype
 
-  - id: CGA-9wqr-4rqq-hj29
+  - id: CGA-q8qx-j943-3vgq
     aliases:
-      - CVE-2024-20919
-      - GHSA-vgxv-38wx-r77w
+      - CVE-2024-21011
+      - GHSA-7qqv-8pwc-x4xc
     events:
-      - timestamp: 2024-04-13T07:42:29Z
+      - timestamp: 2024-04-19T13:09:05Z
         type: detection
         data:
           type: scan/v1
           data:
-            subpackageName: openjdk-10-demos
-            componentID: 2817ff019ab111ef
-            componentName: openjdk-10-demos
+            subpackageName: openjdk-10-doc
+            componentID: 1dcdbfaef83f18d0
+            componentName: openjdk-10-doc
             componentVersion: 10.0.2-r4
             componentType: apk
             componentLocation: /.PKGINFO
@@ -220,12 +261,12 @@ advisories:
             componentLocation: /.PKGINFO
             scanner: grype
 
-  - id: CGA-hjgc-m4pq-g9mg
+  - id: CGA-qgpm-xhx2-5pjp
     aliases:
-      - CVE-2024-20926
-      - GHSA-hjh6-9v4w-w32w
+      - CVE-2023-21937
+      - GHSA-vr26-5f5w-r829
     events:
-      - timestamp: 2024-04-13T07:42:32Z
+      - timestamp: 2024-03-31T13:28:23Z
         type: detection
         data:
           type: scan/v1
@@ -238,37 +279,37 @@ advisories:
             componentLocation: /.PKGINFO
             scanner: grype
 
-  - id: CGA-p98q-52v3-j278
+  - id: CGA-qxm6-59qp-ccpf
     aliases:
-      - CVE-2024-20932
-      - GHSA-ccwc-jrj7-h4v6
+      - CVE-2023-21954
+      - GHSA-8x3h-4f64-v6v6
     events:
-      - timestamp: 2024-05-24T07:39:10Z
+      - timestamp: 2024-03-31T13:35:32Z
         type: detection
         data:
           type: scan/v1
           data:
-            subpackageName: openjdk-10
-            componentID: b66851eb096d6998
-            componentName: openjdk-10
+            subpackageName: openjdk-10-demos
+            componentID: 2817ff019ab111ef
+            componentName: openjdk-10-demos
             componentVersion: 10.0.2-r4
             componentType: apk
             componentLocation: /.PKGINFO
             scanner: grype
 
-  - id: CGA-85fg-mp4w-g52f
+  - id: CGA-v23c-37pf-v6xw
     aliases:
-      - CVE-2024-20945
-      - GHSA-qj64-r5h2-w6f9
+      - CVE-2024-21068
+      - GHSA-q4c6-w389-xqq6
     events:
-      - timestamp: 2024-04-13T07:42:34Z
+      - timestamp: 2024-04-19T13:09:09Z
         type: detection
         data:
           type: scan/v1
           data:
-            subpackageName: openjdk-10-demos
-            componentID: 2817ff019ab111ef
-            componentName: openjdk-10-demos
+            subpackageName: openjdk-10-doc
+            componentID: 1dcdbfaef83f18d0
+            componentName: openjdk-10-doc
             componentVersion: 10.0.2-r4
             componentType: apk
             componentLocation: /.PKGINFO
@@ -292,24 +333,6 @@ advisories:
             componentLocation: /.PKGINFO
             scanner: grype
 
-  - id: CGA-q8qx-j943-3vgq
-    aliases:
-      - CVE-2024-21011
-      - GHSA-7qqv-8pwc-x4xc
-    events:
-      - timestamp: 2024-04-19T13:09:05Z
-        type: detection
-        data:
-          type: scan/v1
-          data:
-            subpackageName: openjdk-10-doc
-            componentID: 1dcdbfaef83f18d0
-            componentName: openjdk-10-doc
-            componentVersion: 10.0.2-r4
-            componentType: apk
-            componentLocation: /.PKGINFO
-            scanner: grype
-
   - id: CGA-wcmw-97v5-xh38
     aliases:
       - CVE-2024-21012
@@ -328,55 +351,37 @@ advisories:
             componentLocation: /.PKGINFO
             scanner: grype
 
-  - id: CGA-v23c-37pf-v6xw
-    aliases:
-      - CVE-2024-21068
-      - GHSA-q4c6-w389-xqq6
-    events:
-      - timestamp: 2024-04-19T13:09:09Z
-        type: detection
-        data:
-          type: scan/v1
-          data:
-            subpackageName: openjdk-10-doc
-            componentID: 1dcdbfaef83f18d0
-            componentName: openjdk-10-doc
-            componentVersion: 10.0.2-r4
-            componentType: apk
-            componentLocation: /.PKGINFO
-            scanner: grype
-
-  - id: CGA-3c74-2v6w-g9p4
+  - id: CGA-wfxh-c4fv-4383
     aliases:
-      - CVE-2024-21085
-      - GHSA-273j-fjrx-gf2f
+      - CVE-2023-21967
+      - GHSA-wg7x-fvjp-r3fx
     events:
-      - timestamp: 2024-04-19T13:09:12Z
+      - timestamp: 2024-03-31T13:38:54Z
         type: detection
         data:
           type: scan/v1
           data:
-            subpackageName: openjdk-10-doc
-            componentID: 1dcdbfaef83f18d0
-            componentName: openjdk-10-doc
+            subpackageName: openjdk-10-demos
+            componentID: 2817ff019ab111ef
+            componentName: openjdk-10-demos
             componentVersion: 10.0.2-r4
             componentType: apk
             componentLocation: /.PKGINFO
             scanner: grype
 
-  - id: CGA-5r87-8qp7-jmrv
+  - id: CGA-x553-263x-w5r4
     aliases:
-      - CVE-2024-21094
-      - GHSA-g3wm-f7gr-3fwh
+      - CVE-2023-21930
+      - GHSA-4j35-7cr4-3mc8
     events:
-      - timestamp: 2024-04-19T13:09:14Z
+      - timestamp: 2024-03-31T13:27:52Z
         type: detection
         data:
           type: scan/v1
           data:
-            subpackageName: openjdk-10-doc
-            componentID: 1dcdbfaef83f18d0
-            componentName: openjdk-10-doc
+            subpackageName: openjdk-10-demos
+            componentID: 2817ff019ab111ef
+            componentName: openjdk-10-demos
             componentVersion: 10.0.2-r4
             componentType: apk
             componentLocation: /.PKGINFO