NeuVector scanner results on scanner-test images: analysis and questions #132

@pohanhuang

Problem

We are integrating NeuVector's container scanner with the chainguard-images/scanner-test verification suite and wanted to share our findings and ask some questions. We also ran Trivy against the same images for comparison.

Results summary

  • NeuVector: docker.io/neuvector/neuvector:latest with private build db
  • Trivy: v0.67

| Test image tag | Expected | NeuVector | Trivy |
|---|---|---|---|
| fixed-language-package-vulnerabilities-wolfi | 0 | 3 ❌ | 0 ✅ |
| false-positive-language-package-vulnerabilities-wolfi | 0 | 46 ❌ | 43 ❌ |
| false-positives-from-lock-files-wolfi | 0 | 40 ❌ | 38 ❌ |

(The -chainguard variants produce identical counts.)

Questions summary

  1. Case 1 — The 37 OS CVEs via kubeflow-katib's o: field look valid to us. Is the expected 0 based on sub-package-level NOT_AFFECTED advisories we should be consuming?
  2. Case 2 — Has ko been rebuilt with patched deps? Should we trust embedded build metadata or defer to advisory data?
  3. Case 3 — All CVEs come from genuinely installed JARs and look valid. Is the expected 0 based on NOT_AFFECTED advisories? If so, where is the machine-readable feed?

Case 1: false-positives-from-lock-files — 40 CVEs, expected 0

scan output (vuls only)
{
 "Vuls": [
        {
            "Name": "CVE-2024-45337",
            "Score": 9,
            "Severity": "Critical",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.17.0-r7",
            "ScoreV3": 9.1,
            "PublishedDate": "1733968927",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2024-45337"
            ],
            "DBKey": "chainguard:CVE-2024-45337",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2024-41110",
            "Score": 9,
            "Severity": "Critical",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.17.0-r13",
            "ScoreV3": 9.9,
            "PublishedDate": "1721841311",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2024-41110"
            ],
            "DBKey": "chainguard:CVE-2024-41110",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2026-33186",
            "Score": 9,
            "Severity": "Critical",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.19.0-r8",
            "ScoreV3": 9.1,
            "PublishedDate": "1774048605",
            "LastModifiedDate": "1775854157",
            "CVEs": [
                "CVE-2026-33186"
            ],
            "DBKey": "chainguard:CVE-2026-33186",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2024-34158",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.17.0-r13",
            "ScoreV3": 7.5,
            "PublishedDate": "1725657312",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2024-34158"
            ],
            "DBKey": "chainguard:CVE-2024-34158",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2024-39689",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.18.0-r0",
            "ScoreV3": 7.5,
            "PublishedDate": "1720206910",
            "LastModifiedDate": "1739578513",
            "CVEs": [
                "CVE-2024-39689"
            ],
            "DBKey": "chainguard:CVE-2024-39689",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2025-30204",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.17.0-r14",
            "ScoreV3": 7.5,
            "PublishedDate": "1742595326",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2025-30204"
            ],
            "DBKey": "chainguard:CVE-2025-30204",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2024-3651",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.18.0-r0",
            "ScoreV3": 7.5,
            "PublishedDate": "1720376109",
            "LastModifiedDate": "1762294562",
            "CVEs": [
                "CVE-2024-3651"
            ],
            "DBKey": "chainguard:CVE-2024-3651",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2026-32281",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.19.0-r10",
            "ScoreV3": 7.5,
            "PublishedDate": "1775614563",
            "LastModifiedDate": "1776366957",
            "CVEs": [
                "CVE-2026-32281"
            ],
            "DBKey": "chainguard:CVE-2026-32281",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2024-34156",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.17.0-r13",
            "ScoreV3": 7.5,
            "PublishedDate": "1725657312",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2024-34156"
            ],
            "DBKey": "chainguard:CVE-2024-34156",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2026-27140",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.19.0-r10",
            "ScoreV3": 8.8,
            "PublishedDate": "1775614562",
            "LastModifiedDate": "1776367619",
            "CVEs": [
                "CVE-2026-27140"
            ],
            "DBKey": "chainguard:CVE-2026-27140",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2025-15558",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.19.0-r6",
            "ScoreV3": 8,
            "PublishedDate": "1772644574",
            "LastModifiedDate": "1773077895",
            "CVEs": [
                "CVE-2025-15558"
            ],
            "DBKey": "chainguard:CVE-2025-15558",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2024-6345",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.18.0-r0",
            "ScoreV3": 8.8,
            "PublishedDate": "1721006101",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2024-6345"
            ],
            "DBKey": "chainguard:CVE-2024-6345",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2026-23949",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.19.0-r4",
            "ScoreV3": 8.6,
            "PublishedDate": "1768871757",
            "LastModifiedDate": "1773270739",
            "CVEs": [
                "CVE-2026-23949"
            ],
            "DBKey": "chainguard:CVE-2026-23949",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2026-32280",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.19.0-r10",
            "ScoreV3": 7.5,
            "PublishedDate": "1775614563",
            "LastModifiedDate": "1776367002",
            "CVEs": [
                "CVE-2026-32280"
            ],
            "DBKey": "chainguard:CVE-2026-32280",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2025-61729",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.19.0-r2",
            "ScoreV3": 7.5,
            "PublishedDate": "1764702951",
            "LastModifiedDate": "1766168728",
            "CVEs": [
                "CVE-2025-61729"
            ],
            "DBKey": "chainguard:CVE-2025-61729",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2025-47907",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.18.0-r7",
            "ScoreV3": 7,
            "PublishedDate": "1754583330",
            "LastModifiedDate": "1769713910",
            "CVEs": [
                "CVE-2025-47907"
            ],
            "DBKey": "chainguard:CVE-2025-47907",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2025-22869",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.17.0-r11",
            "ScoreV3": 7.5,
            "PublishedDate": "1740557664",
            "LastModifiedDate": "1746127700",
            "CVEs": [
                "CVE-2025-22869"
            ],
            "DBKey": "chainguard:CVE-2025-22869",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2026-32283",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.19.0-r10",
            "ScoreV3": 7.5,
            "PublishedDate": "1775614563",
            "LastModifiedDate": "1776366730",
            "CVEs": [
                "CVE-2026-32283"
            ],
            "DBKey": "chainguard:CVE-2026-32283",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2025-22868",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.17.0-r12",
            "ScoreV3": 7.5,
            "PublishedDate": "1740557664",
            "LastModifiedDate": "1746127630",
            "CVEs": [
                "CVE-2025-22868"
            ],
            "DBKey": "chainguard:CVE-2025-22868",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2026-24049",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.19.0-r5",
            "ScoreV3": 7.1,
            "PublishedDate": "1769058983",
            "LastModifiedDate": "1771426608",
            "CVEs": [
                "CVE-2026-24049"
            ],
            "DBKey": "chainguard:CVE-2026-24049",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2026-23490",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.19.0-r4",
            "ScoreV3": 7.5,
            "PublishedDate": "1768590979",
            "LastModifiedDate": "1773411574",
            "CVEs": [
                "CVE-2026-23490"
            ],
            "DBKey": "chainguard:CVE-2026-23490",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2025-61727",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.19.0-r2",
            "ScoreV3": 6.5,
            "PublishedDate": "1764792985",
            "LastModifiedDate": "1766088910",
            "CVEs": [
                "CVE-2025-61727"
            ],
            "DBKey": "chainguard:CVE-2025-61727",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2024-34155",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.17.0-r13",
            "ScoreV3": 4.3,
            "PublishedDate": "1725657311",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2024-34155"
            ],
            "DBKey": "chainguard:CVE-2024-34155",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2024-37891",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.18.0-r0",
            "ScoreV3": 4.4,
            "PublishedDate": "1718655313",
            "LastModifiedDate": "1767718348",
            "CVEs": [
                "CVE-2024-37891"
            ],
            "DBKey": "chainguard:CVE-2024-37891",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2025-47914",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.19.0-r1",
            "ScoreV3": 5.3,
            "PublishedDate": "1763586950",
            "LastModifiedDate": "1765481801",
            "CVEs": [
                "CVE-2025-47914"
            ],
            "DBKey": "chainguard:CVE-2025-47914",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2024-45341",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.17.0-r9",
            "ScoreV3": 6.1,
            "PublishedDate": "1738030529",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2024-45341"
            ],
            "DBKey": "chainguard:CVE-2024-45341",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2023-45803",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.18.0-r0",
            "ScoreV3": 4.2,
            "PublishedDate": "1697573710",
            "LastModifiedDate": "1762208188",
            "CVEs": [
                "CVE-2023-45803"
            ],
            "DBKey": "chainguard:CVE-2023-45803",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2025-22870",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.17.0-r13",
            "ScoreV3": 4.4,
            "PublishedDate": "1741806938",
            "LastModifiedDate": "1776381392",
            "CVEs": [
                "CVE-2025-22870"
            ],
            "DBKey": "chainguard:CVE-2025-22870",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2024-35195",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.18.0-r0",
            "ScoreV3": 5.6,
            "PublishedDate": "1716239709",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2024-35195"
            ],
            "DBKey": "chainguard:CVE-2024-35195",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2025-58181",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.19.0-r1",
            "ScoreV3": 5.3,
            "PublishedDate": "1763586950",
            "LastModifiedDate": "1765481364",
            "CVEs": [
                "CVE-2025-58181"
            ],
            "DBKey": "chainguard:CVE-2025-58181",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2024-47081",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.18.0-r6",
            "ScoreV3": 5.3,
            "PublishedDate": "1749492924",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2024-47081"
            ],
            "DBKey": "chainguard:CVE-2024-47081",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2026-32289",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.19.0-r10",
            "ScoreV3": 6.1,
            "PublishedDate": "1775614563",
            "LastModifiedDate": "1776366417",
            "CVEs": [
                "CVE-2026-32289"
            ],
            "DBKey": "chainguard:CVE-2026-32289",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2024-45338",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.17.0-r8",
            "ScoreV3": 5.3,
            "PublishedDate": "1734556508",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2024-45338"
            ],
            "DBKey": "chainguard:CVE-2024-45338",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2024-45336",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.17.0-r9",
            "ScoreV3": 6.1,
            "PublishedDate": "1738030528",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2024-45336"
            ],
            "DBKey": "chainguard:CVE-2024-45336",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2025-47910",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.18.0-r9",
            "ScoreV3": 5.4,
            "PublishedDate": "1758575759",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2025-47910"
            ],
            "DBKey": "chainguard:CVE-2025-47910",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2024-51744",
            "Score": 1,
            "Severity": "Low",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.17.0-r6",
            "ScoreV3": 3.1,
            "PublishedDate": "1730758503",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2024-51744"
            ],
            "DBKey": "chainguard:CVE-2024-51744",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2025-54410",
            "Score": 1,
            "Severity": "Low",
            "PackageNameDeprecated": "kubeflow-katib",
            "PackageVersion": "0.17.0-r3",
            "FixedVersion": "0.18.0-r8",
            "ScoreV3": 3.3,
            "PublishedDate": "1753884928",
            "LastModifiedDate": "1755883649",
            "CVEs": [
                "CVE-2025-54410"
            ],
            "DBKey": "chainguard:CVE-2025-54410",
            "PackageName": "kubeflow-katib"
        },
        {
            "Name": "CVE-2025-47273",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "opt/katib/cmd/suggestion/skopt/v1beta1/lib/python3.10/site-packages/setuptools-70.0.0",
            "PackageVersion": "70.0.0",
            "FixedVersion": "78.1.1",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2025-47273"
            ],
            "DBKey": "apps:CVE-2025-47273",
            "FileName": "opt/katib/cmd/suggestion/skopt/v1beta1/lib/python3.10/site-packages/setuptools-70.0.0",
            "PackageName": "python:setuptools"
        },
        {
            "Name": "CVE-2025-4565",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "opt/katib/cmd/suggestion/skopt/v1beta1/lib/python3.10/site-packages/protobuf-5.27.3",
            "PackageVersion": "5.27.3",
            "FixedVersion": "4.25.8;5.29.5;6.31.1",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2025-4565"
            ],
            "DBKey": "apps:CVE-2025-4565",
            "FileName": "opt/katib/cmd/suggestion/skopt/v1beta1/lib/python3.10/site-packages/protobuf-5.27.3",
            "PackageName": "python:protobuf"
        },
        {
            "Name": "CVE-2024-27281",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "usr/lib/ruby/gems/3.2.0/specifications/default/rdoc-6.5.1.1",
            "PackageVersion": "6.5.1.1",
            "FixedVersion": "\u003e=6.3.4.1,6.3; OR \u003e=6.4.1.1,6.4",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2024-27281"
            ],
            "DBKey": "apps:CVE-2024-27281",
            "FileName": "usr/lib/ruby/gems/3.2.0/specifications/default/rdoc-6.5.1.1",
            "PackageName": "ruby:rdoc"
        }
    ],
}

Installed package:

o: kubeflow-katib
v: v0.17.0-r3

What NeuVector does:

  • Reads lib/apk/db/installed and uses the o: (origin) field to look up CVEs in the wolfi feed.
  • Finds 37 OS CVEs attributed to kubeflow-katib — many are Go library CVEs: CVE-2024-45337 (golang.org/x/crypto), CVE-2024-34155/56/58 (Go stdlib), etc.
  • Finds 3 App CVEs from genuinely installed packages: python:setuptools 70.0.0, python:protobuf 5.27.3, ruby:rdoc 6.5.1.1.

What NeuVector does NOT do:
NeuVector's IsAppsPkgFile filter correctly rejects package-lock.json, requirements.txt, and Gemfile.lock. None of the 40 CVEs come from lock files — they come from the wolfi APK feed attributing all kubeflow-katib source package CVEs (including those derived from go.sum) to every sub-package via the o: field.

Question:
NeuVector found many kubeflow-katib CVEs under the chainguard namespace, for example:

{
    "Name": "CVE-2025-54410",
    "PackageName": "kubeflow-katib",
    "PackageVersion": "0.17.0-r3",
    "FixedVersion": "0.18.0-r8",
    "DBKey": "chainguard:CVE-2025-54410"
}

Does this indicate that the dataset is outdated, or is this expected behavior? We notice Trivy also reports 38 CVEs for this image, suggesting this may be a general scanner challenge rather than an issue specific to NeuVector.


Case 2: fixed-language-package-vulnerabilities — 3 CVEs (NeuVector only)

scan output (vuls only)
  "Vuls": [
        {
            "Name": "CVE-2026-34040",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "usr/bin/ko",
            "PackageVersion": "28.5.2+incompatible",
            "FixedVersion": "\u003e=29.3.1",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2026-34040"
            ],
            "DBKey": "apps:CVE-2026-34040",
            "FileName": "usr/bin/ko",
            "PackageName": "go:github.com/docker/docker"
        },
        {
            "Name": "CVE-2026-33997",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "usr/bin/ko",
            "PackageVersion": "28.5.2+incompatible",
            "FixedVersion": "\u003e=29.3.1",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2026-33997"
            ],
            "DBKey": "apps:CVE-2026-33997",
            "FileName": "usr/bin/ko",
            "PackageName": "go:github.com/docker/docker"
        },
        {
            "Name": "CVE-2026-39984",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "usr/bin/ko",
            "PackageVersion": "2.0.3",
            "FixedVersion": "2.0.6",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2026-39984"
            ],
            "DBKey": "apps:CVE-2026-39984",
            "FileName": "usr/bin/ko",
            "PackageName": "go:github.com/sigstore/timestamp-authority/v2"
        }
    ],

NeuVector's Go binary scanner reads embedded module metadata from ELF executables (equivalent to `go version -m`). It detects the following from `usr/bin/ko`:

| CVE | Module | Version in binary |
|---|---|---|
| CVE-2026-33997 | github.com/docker/docker | 28.5.2+incompatible |
| CVE-2026-34040 | github.com/docker/docker | 28.5.2+incompatible |
| CVE-2026-39984 | github.com/sigstore/timestamp-authority/v2 | 2.0.3 |

Trivy reports 0 CVEs for this image (PASS).

Question: Has ko been rebuilt with patched versions of these dependencies? Understanding this would help us know whether to trust the embedded build info or defer to advisory data.


Case 3: false-positive-language-package-vulnerabilities — 46 CVEs (NeuVector), 43 (Trivy)

scan output (vuls only)
    "Vuls": [
        {
            "Name": "CVE-2026-22732",
            "Score": 9,
            "Severity": "Critical",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.8.0-r5",
            "ScoreV3": 9.1,
            "PublishedDate": "1773962201",
            "LastModifiedDate": "1776313764",
            "CVEs": [
                "CVE-2026-22732"
            ],
            "DBKey": "chainguard:CVE-2026-22732",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2024-52046",
            "Score": 9,
            "Severity": "Critical",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.1.0-r1",
            "ScoreV3": 9.8,
            "PublishedDate": "1735121705",
            "LastModifiedDate": "1739355313",
            "CVEs": [
                "CVE-2024-52046"
            ],
            "DBKey": "chainguard:CVE-2024-52046",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2024-38821",
            "Score": 9,
            "Severity": "Critical",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.0.0-r0",
            "ScoreV3": 9.1,
            "PublishedDate": "1730099707",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2024-38821"
            ],
            "DBKey": "chainguard:CVE-2024-38821",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2024-25638",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.0.0-r0",
            "ScoreV3": 8.9,
            "PublishedDate": "1721657704",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2024-25638"
            ],
            "DBKey": "chainguard:CVE-2024-25638",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2025-48734",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.4.0-r1",
            "ScoreV3": 8.8,
            "PublishedDate": "1748441734",
            "LastModifiedDate": "1762201147",
            "CVEs": [
                "CVE-2025-48734"
            ],
            "DBKey": "chainguard:CVE-2025-48734",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2025-41249",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.5.0-r11",
            "ScoreV3": 7.5,
            "PublishedDate": "1758021330",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2025-41249"
            ],
            "DBKey": "chainguard:CVE-2025-41249",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2026-24308",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.8.0-r4",
            "ScoreV3": 7.5,
            "PublishedDate": "1772874967",
            "LastModifiedDate": "1773166707",
            "CVEs": [
                "CVE-2026-24308"
            ],
            "DBKey": "chainguard:CVE-2026-24308",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2025-58057",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.5.0-r6",
            "ScoreV3": 7.5,
            "PublishedDate": "1756982552",
            "LastModifiedDate": "1757349955",
            "CVEs": [
                "CVE-2025-58057"
            ],
            "DBKey": "chainguard:CVE-2025-58057",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2024-47561",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.3.0-r0",
            "ScoreV3": 7.3,
            "PublishedDate": "1727954113",
            "LastModifiedDate": "1752181441",
            "CVEs": [
                "CVE-2024-47561"
            ],
            "DBKey": "chainguard:CVE-2024-47561",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2025-7962",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.5.0-r2",
            "ScoreV3": 7.5,
            "PublishedDate": "1753121728",
            "LastModifiedDate": "1763059015",
            "CVEs": [
                "CVE-2025-7962"
            ],
            "DBKey": "chainguard:CVE-2025-7962",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2024-57699",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.3.0-r0",
            "ScoreV3": 7.5,
            "PublishedDate": "1738793733",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2024-57699"
            ],
            "DBKey": "chainguard:CVE-2024-57699",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2025-55163",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.5.0-r3",
            "ScoreV3": 7.5,
            "PublishedDate": "1755098139",
            "LastModifiedDate": "1762294590",
            "CVEs": [
                "CVE-2025-55163"
            ],
            "DBKey": "chainguard:CVE-2025-55163",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2025-24970",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.2.0-r2",
            "ScoreV3": 7.5,
            "PublishedDate": "1739225738",
            "LastModifiedDate": "1757092812",
            "CVEs": [
                "CVE-2025-24970"
            ],
            "DBKey": "chainguard:CVE-2025-24970",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2025-41248",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.5.0-r11",
            "ScoreV3": 7.5,
            "PublishedDate": "1758021330",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2025-41248"
            ],
            "DBKey": "chainguard:CVE-2025-41248",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2026-29062",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.8.0-r1",
            "ScoreV3": 7.5,
            "PublishedDate": "1772784986",
            "LastModifiedDate": "1773169519",
            "CVEs": [
                "CVE-2026-29062"
            ],
            "DBKey": "chainguard:CVE-2026-29062",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2025-5115",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.5.0-r5",
            "ScoreV3": 7.5,
            "PublishedDate": "1755720933",
            "LastModifiedDate": "1769541832",
            "CVEs": [
                "CVE-2025-5115"
            ],
            "DBKey": "chainguard:CVE-2025-5115",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2026-24281",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.8.0-r4",
            "ScoreV3": 7.4,
            "PublishedDate": "1772874967",
            "LastModifiedDate": "1773166697",
            "CVEs": [
                "CVE-2026-24281"
            ],
            "DBKey": "chainguard:CVE-2026-24281",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2024-36114",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.0.0-r0",
            "ScoreV3": 8.6,
            "PublishedDate": "1717017349",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2024-36114"
            ],
            "DBKey": "chainguard:CVE-2024-36114",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2025-58056",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.5.0-r7",
            "ScoreV3": 7.5,
            "PublishedDate": "1756934133",
            "LastModifiedDate": "1757349996",
            "CVEs": [
                "CVE-2025-58056"
            ],
            "DBKey": "chainguard:CVE-2025-58056",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2024-7254",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.0.0-r0",
            "ScoreV3": 7.5,
            "PublishedDate": "1726708510",
            "LastModifiedDate": "1758906619",
            "CVEs": [
                "CVE-2024-7254"
            ],
            "DBKey": "chainguard:CVE-2024-7254",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2025-27817",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.4.0-r4",
            "ScoreV3": 7.5,
            "PublishedDate": "1749543322",
            "LastModifiedDate": "1752253095",
            "CVEs": [
                "CVE-2025-27817"
            ],
            "DBKey": "chainguard:CVE-2025-27817",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2025-48924",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.7.1-r0",
            "ScoreV3": 5.3,
            "PublishedDate": "1752246924",
            "LastModifiedDate": "1762294577",
            "CVEs": [
                "CVE-2025-48924"
            ],
            "DBKey": "chainguard:CVE-2025-48924",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2024-47554",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.0.0-r0",
            "ScoreV3": 4.3,
            "PublishedDate": "1727957702",
            "LastModifiedDate": "1752181832",
            "CVEs": [
                "CVE-2024-47554"
            ],
            "DBKey": "chainguard:CVE-2024-47554",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2024-58103",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.3.0-r3",
            "ScoreV3": 5.8,
            "PublishedDate": "1742098512",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2024-58103"
            ],
            "DBKey": "chainguard:CVE-2024-58103",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2025-22227",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.4.0-r7",
            "ScoreV3": 6.1,
            "PublishedDate": "1752660927",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2025-22227"
            ],
            "DBKey": "chainguard:CVE-2025-22227",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2025-67735",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.7.2-r0",
            "ScoreV3": 6.5,
            "PublishedDate": "1765847752",
            "LastModifiedDate": "1767379823",
            "CVEs": [
                "CVE-2025-67735"
            ],
            "DBKey": "chainguard:CVE-2025-67735",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2024-23454",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.0.0-r0",
            "ScoreV3": 6.2,
            "PublishedDate": "1727252104",
            "LastModifiedDate": "1763043288",
            "CVEs": [
                "CVE-2024-23454"
            ],
            "DBKey": "chainguard:CVE-2024-23454",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2025-53864",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.4.0-r6",
            "ScoreV3": 5.8,
            "PublishedDate": "1752203763",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2025-53864"
            ],
            "DBKey": "chainguard:CVE-2025-53864",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2024-36124",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.0.0-r0",
            "ScoreV3": 5.3,
            "PublishedDate": "1717427709",
            "LastModifiedDate": "1741283839",
            "CVEs": [
                "CVE-2024-36124"
            ],
            "DBKey": "chainguard:CVE-2024-36124",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2025-41234",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.4.0-r5",
            "ScoreV3": 6.5,
            "PublishedDate": "1749766521",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2025-41234"
            ],
            "DBKey": "chainguard:CVE-2025-41234",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2024-31141",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.0.0-r4",
            "ScoreV3": 6.5,
            "PublishedDate": "1732007703",
            "LastModifiedDate": "1752597754",
            "CVEs": [
                "CVE-2024-31141"
            ],
            "DBKey": "chainguard:CVE-2024-31141",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2025-14763",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.7.2-r2",
            "ScoreV3": 5.3,
            "PublishedDate": "1766006153",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2025-14763"
            ],
            "DBKey": "chainguard:CVE-2025-14763",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2024-38809",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "1.27.0-r1",
            "ScoreV3": 5.3,
            "PublishedDate": "1727457312",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2024-38809"
            ],
            "DBKey": "chainguard:CVE-2024-38809",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2024-38808",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "1.27.0-r1",
            "ScoreV3": 4.3,
            "PublishedDate": "1724141705",
            "LastModifiedDate": "1750248628",
            "CVEs": [
                "CVE-2024-38808"
            ],
            "DBKey": "chainguard:CVE-2024-38808",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2024-8184",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.3.0-r0",
            "ScoreV3": 5.9,
            "PublishedDate": "1728922504",
            "LastModifiedDate": "1762201024",
            "CVEs": [
                "CVE-2024-8184"
            ],
            "DBKey": "chainguard:CVE-2024-8184",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2024-38820",
            "Score": 1,
            "Severity": "Low",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.0.0-r0",
            "ScoreV3": 3.1,
            "PublishedDate": "1729232103",
            "LastModifiedDate": "1732882507",
            "CVEs": [
                "CVE-2024-38820"
            ],
            "DBKey": "chainguard:CVE-2024-38820",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2024-38829",
            "Score": 1,
            "Severity": "Low",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.3.0-r0",
            "ScoreV3": 3.7,
            "PublishedDate": "1733346924",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2024-38829"
            ],
            "DBKey": "chainguard:CVE-2024-38829",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2025-22233",
            "Score": 1,
            "Severity": "Low",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.4.0-r3",
            "ScoreV3": 3.1,
            "PublishedDate": "1747426522",
            "LastModifiedDate": "1776213342",
            "CVEs": [
                "CVE-2025-22233"
            ],
            "DBKey": "chainguard:CVE-2025-22233",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2024-6763",
            "Score": 1,
            "Severity": "Low",
            "PackageNameDeprecated": "apache-nifi",
            "PackageVersion": "1.27.0-r0",
            "FixedVersion": "2.0.0-r0",
            "ScoreV3": 3.7,
            "PublishedDate": "1728922504",
            "LastModifiedDate": "1752159844",
            "CVEs": [
                "CVE-2024-6763"
            ],
            "DBKey": "chainguard:CVE-2024-6763",
            "PackageName": "apache-nifi"
        },
        {
            "Name": "CVE-2016-1000027",
            "Score": 7.5,
            "Severity": "Critical",
            "PackageNameDeprecated": "usr/share/nifi/nifi-current/lib/properties/spring-web-5.3.37.jar",
            "PackageVersion": "5.3.37",
            "FixedVersion": "6.0.0",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2016-1000027"
            ],
            "DBKey": "apps:CVE-2016-1000027",
            "FileName": "usr/share/nifi/nifi-current/lib/properties/spring-web-5.3.37.jar",
            "PackageName": "jar:spring-web"
        },
        {
            "Name": "CVE-2025-7962",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "usr/share/nifi/nifi-current/lib/bootstrap/jakarta.mail-1.6.7.jar",
            "PackageVersion": "1.6.7",
            "FixedVersion": "1.6.8;2.0.2",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2025-7962"
            ],
            "DBKey": "apps:CVE-2025-7962",
            "FileName": "usr/share/nifi/nifi-current/lib/bootstrap/jakarta.mail-1.6.7.jar",
            "PackageName": "com.sun.mail:jakarta.mail"
        },
        {
            "Name": "CVE-2025-41249",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "usr/share/nifi/nifi-current/lib/properties/spring-core-5.3.37.jar",
            "PackageVersion": "5.3.37",
            "FixedVersion": "6.2.11",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2025-41249"
            ],
            "DBKey": "apps:CVE-2025-41249",
            "FileName": "usr/share/nifi/nifi-current/lib/properties/spring-core-5.3.37.jar",
            "PackageName": "jar:spring-core"
        },
        {
            "Name": "CVE-2024-57699",
            "Score": 7,
            "Severity": "High",
            "PackageNameDeprecated": "usr/share/nifi/nifi-current/lib/bootstrap/json-smart-2.5.1.jar",
            "PackageVersion": "2.5.1",
            "FixedVersion": "2.5.2",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2024-57699"
            ],
            "DBKey": "apps:CVE-2024-57699",
            "FileName": "usr/share/nifi/nifi-current/lib/bootstrap/json-smart-2.5.1.jar",
            "PackageName": "net.minidev:json-smart"
        },
        {
            "Name": "CVE-2024-12798",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "usr/share/nifi/nifi-current/lib/bootstrap/logback-core-1.3.14.jar",
            "PackageVersion": "1.3.14",
            "FixedVersion": "1.5.13;1.3.15",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2024-12798"
            ],
            "DBKey": "apps:CVE-2024-12798",
            "FileName": "usr/share/nifi/nifi-current/lib/bootstrap/logback-core-1.3.14.jar",
            "PackageName": "ch.qos.logback:logback-core"
        },
        {
            "Name": "CVE-2025-11226",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "usr/share/nifi/nifi-current/lib/bootstrap/logback-core-1.3.14.jar",
            "PackageVersion": "1.3.14",
            "FixedVersion": "1.5.19;1.3.16",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2025-11226"
            ],
            "DBKey": "apps:CVE-2025-11226",
            "FileName": "usr/share/nifi/nifi-current/lib/bootstrap/logback-core-1.3.14.jar",
            "PackageName": "ch.qos.logback:logback-core"
        },
        {
            "Name": "CVE-2025-11226",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "usr/share/nifi/nifi-current/lib/logback-core-1.3.14.jar",
            "PackageVersion": "1.3.14",
            "FixedVersion": "1.5.19;1.3.16",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2025-11226"
            ],
            "DBKey": "apps:CVE-2025-11226",
            "FileName": "usr/share/nifi/nifi-current/lib/logback-core-1.3.14.jar",
            "PackageName": "ch.qos.logback:logback-core"
        },
        {
            "Name": "CVE-2024-12798",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "usr/share/nifi/nifi-current/lib/logback-core-1.3.14.jar",
            "PackageVersion": "1.3.14",
            "FixedVersion": "1.5.13;1.3.15",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2024-12798"
            ],
            "DBKey": "apps:CVE-2024-12798",
            "FileName": "usr/share/nifi/nifi-current/lib/logback-core-1.3.14.jar",
            "PackageName": "ch.qos.logback:logback-core"
        },
        {
            "Name": "CVE-2024-35255",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "usr/share/nifi/nifi-current/lib/properties/azure-identity-1.11.2.jar",
            "PackageVersion": "1.11.2",
            "FixedVersion": "1.12.2",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2024-35255"
            ],
            "DBKey": "apps:CVE-2024-35255",
            "FileName": "usr/share/nifi/nifi-current/lib/properties/azure-identity-1.11.2.jar",
            "PackageName": "com.azure:azure-identity"
        },
        {
            "Name": "GHSA-72hv-8253-57qq",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "usr/share/nifi/nifi-current/lib/bootstrap/jackson-core-2.17.1.jar",
            "PackageVersion": "2.17.1",
            "FixedVersion": "2.18.6;2.21.1",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "DBKey": "apps:GHSA-72hv-8253-57qq",
            "FileName": "usr/share/nifi/nifi-current/lib/bootstrap/jackson-core-2.17.1.jar",
            "PackageName": "com.fasterxml.jackson.core:jackson-core"
        },
        {
            "Name": "CVE-2025-53864",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "usr/share/nifi/nifi-current/lib/properties/nimbus-jose-jwt-9.37.3.jar",
            "PackageVersion": "9.37.3",
            "FixedVersion": "9.37.4;10.0.2",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2025-53864"
            ],
            "DBKey": "apps:CVE-2025-53864",
            "FileName": "usr/share/nifi/nifi-current/lib/properties/nimbus-jose-jwt-9.37.3.jar",
            "PackageName": "com.nimbusds:nimbus-jose-jwt"
        },
        {
            "Name": "CVE-2024-38820",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "usr/share/nifi/nifi-current/lib/properties/spring-context-5.3.37.jar",
            "PackageVersion": "5.3.37",
            "FixedVersion": "6.1.14",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2024-38820"
            ],
            "DBKey": "apps:CVE-2024-38820",
            "FileName": "usr/share/nifi/nifi-current/lib/properties/spring-context-5.3.37.jar",
            "PackageName": "jar:spring-context"
        },
        {
            "Name": "CVE-2024-38808",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "usr/share/nifi/nifi-current/lib/properties/spring-expression-5.3.37.jar",
            "PackageVersion": "5.3.37",
            "FixedVersion": "5.3.39",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2024-38808"
            ],
            "DBKey": "apps:CVE-2024-38808",
            "FileName": "usr/share/nifi/nifi-current/lib/properties/spring-expression-5.3.37.jar",
            "PackageName": "jar:spring-expression"
        },
        {
            "Name": "CVE-2024-38809",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "usr/share/nifi/nifi-current/lib/properties/spring-web-5.3.37.jar",
            "PackageVersion": "5.3.37",
            "FixedVersion": "5.3.38;6.0.23;6.1.12",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2024-38809"
            ],
            "DBKey": "apps:CVE-2024-38809",
            "FileName": "usr/share/nifi/nifi-current/lib/properties/spring-web-5.3.37.jar",
            "PackageName": "jar:spring-web"
        },
        {
            "Name": "CVE-2024-38820",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "usr/share/nifi/nifi-current/lib/properties/spring-web-5.3.37.jar",
            "PackageVersion": "5.3.37",
            "FixedVersion": "6.1.14",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2024-38820"
            ],
            "DBKey": "apps:CVE-2024-38820",
            "FileName": "usr/share/nifi/nifi-current/lib/properties/spring-web-5.3.37.jar",
            "PackageName": "jar:spring-web"
        },
        {
            "Name": "CVE-2025-48924",
            "Score": 4,
            "Severity": "Medium",
            "PackageNameDeprecated": "usr/share/nifi/nifi-current/lib/bootstrap/commons-lang3-3.14.0.jar",
            "PackageVersion": "3.14.0",
            "FixedVersion": "3.18.0",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2025-48924"
            ],
            "DBKey": "apps:CVE-2025-48924",
            "FileName": "usr/share/nifi/nifi-current/lib/bootstrap/commons-lang3-3.14.0.jar",
            "PackageName": "org.apache.commons:commons-lang3"
        },
        {
            "Name": "CVE-2024-12801",
            "Score": 1,
            "Severity": "Low",
            "PackageNameDeprecated": "usr/share/nifi/nifi-current/lib/bootstrap/logback-core-1.3.14.jar",
            "PackageVersion": "1.3.14",
            "FixedVersion": "1.5.13;1.3.15",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2024-12801"
            ],
            "DBKey": "apps:CVE-2024-12801",
            "FileName": "usr/share/nifi/nifi-current/lib/bootstrap/logback-core-1.3.14.jar",
            "PackageName": "ch.qos.logback:logback-core"
        },
        {
            "Name": "CVE-2024-12801",
            "Score": 1,
            "Severity": "Low",
            "PackageNameDeprecated": "usr/share/nifi/nifi-current/lib/logback-core-1.3.14.jar",
            "PackageVersion": "1.3.14",
            "FixedVersion": "1.5.13;1.3.15",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2024-12801"
            ],
            "DBKey": "apps:CVE-2024-12801",
            "FileName": "usr/share/nifi/nifi-current/lib/logback-core-1.3.14.jar",
            "PackageName": "ch.qos.logback:logback-core"
        },
        {
            "Name": "CVE-2026-1225",
            "Score": 1,
            "Severity": "Low",
            "PackageNameDeprecated": "usr/share/nifi/nifi-current/lib/bootstrap/logback-core-1.3.14.jar",
            "PackageVersion": "1.3.14",
            "FixedVersion": "1.5.25",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2026-1225"
            ],
            "DBKey": "apps:CVE-2026-1225",
            "FileName": "usr/share/nifi/nifi-current/lib/bootstrap/logback-core-1.3.14.jar",
            "PackageName": "ch.qos.logback:logback-core"
        },
        {
            "Name": "CVE-2026-1225",
            "Score": 1,
            "Severity": "Low",
            "PackageNameDeprecated": "usr/share/nifi/nifi-current/lib/logback-core-1.3.14.jar",
            "PackageVersion": "1.3.14",
            "FixedVersion": "1.5.25",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2026-1225"
            ],
            "DBKey": "apps:CVE-2026-1225",
            "FileName": "usr/share/nifi/nifi-current/lib/logback-core-1.3.14.jar",
            "PackageName": "ch.qos.logback:logback-core"
        },
        {
            "Name": "CVE-2025-22233",
            "Score": 1,
            "Severity": "Low",
            "PackageNameDeprecated": "usr/share/nifi/nifi-current/lib/properties/spring-context-5.3.37.jar",
            "PackageVersion": "5.3.37",
            "FixedVersion": "6.2.7;6.1.20",
            "PublishedDate": "-62135596800",
            "LastModifiedDate": "-62135596800",
            "CVEs": [
                "CVE-2025-22233"
            ],
            "DBKey": "apps:CVE-2025-22233",
            "FileName": "usr/share/nifi/nifi-current/lib/properties/spring-context-5.3.37.jar",
            "PackageName": "jar:spring-context"
        }
    ],
Both scanners fail this test. NeuVector additionally reports 3 CVEs that Trivy does not:

| CVE | Package | Version | Path |
|---|---|---|---|
| CVE-2016-1000027 | spring-web | 5.3.37 | usr/share/nifi/nifi-current/lib/properties/spring-web-5.3.37.jar |
| CVE-2024-35255 | azure-identity | 1.11.2 | same NiFi lib dir |
| GHSA-72hv-8253-57qq | jackson-core | 2.17.1 | same NiFi lib dir |

All CVEs (both NeuVector and Trivy) come from genuinely installed JAR files under usr/share/nifi/nifi-current/lib/.

Question: Are there Chainguard advisories that disclaim these specific JAR CVEs as not-affected for this NiFi image? If so, what format are they published in, and is there a machine-readable feed that scanners can consume to apply these overrides?

We also noticed that NeuVector found many apache-nifi CVEs under the chainguard namespace, for example:

{
    "Name": "CVE-2026-22732",
    "PackageName": "apache-nifi",
    "PackageVersion": "1.27.0-r0",
    "FixedVersion": "2.8.0-r5",
    "DBKey": "chainguard:CVE-2026-22732"
}

Are these OS-level advisories expected to be surfaced, or should they also be disclaimed as not-affected?

We're happy to share full JSON scan output if helpful.
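
A triage sketch for the overlap described above, added here as an example and not part of the original issue or of either scanner. It assumes the `chainguard:` prefix in `DBKey` marks distro-package advisories and `apps:` marks per-file JAR findings, as the output above suggests; `triage` and the sample subset are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: a subset of the entries shown in the scan output above,
# trimmed to the fields this script reads.
SAMPLE = json.loads("""
{"Vuls": [
 {"Name": "CVE-2025-7962", "PackageName": "apache-nifi",
  "PackageVersion": "1.27.0-r0", "FixedVersion": "2.5.0-r2",
  "DBKey": "chainguard:CVE-2025-7962"},
 {"Name": "CVE-2024-57699", "PackageName": "apache-nifi",
  "PackageVersion": "1.27.0-r0", "FixedVersion": "2.3.0-r0",
  "DBKey": "chainguard:CVE-2024-57699"},
 {"Name": "CVE-2024-47561", "PackageName": "apache-nifi",
  "PackageVersion": "1.27.0-r0", "FixedVersion": "2.3.0-r0",
  "DBKey": "chainguard:CVE-2024-47561"},
 {"Name": "CVE-2025-7962", "PackageName": "com.sun.mail:jakarta.mail",
  "PackageVersion": "1.6.7", "FixedVersion": "1.6.8;2.0.2",
  "DBKey": "apps:CVE-2025-7962",
  "FileName": "usr/share/nifi/nifi-current/lib/bootstrap/jakarta.mail-1.6.7.jar"},
 {"Name": "CVE-2024-57699", "PackageName": "net.minidev:json-smart",
  "PackageVersion": "2.5.1", "FixedVersion": "2.5.2",
  "DBKey": "apps:CVE-2024-57699",
  "FileName": "usr/share/nifi/nifi-current/lib/bootstrap/json-smart-2.5.1.jar"},
 {"Name": "CVE-2024-12798", "PackageName": "ch.qos.logback:logback-core",
  "PackageVersion": "1.3.14", "FixedVersion": "1.5.13;1.3.15",
  "DBKey": "apps:CVE-2024-12798",
  "FileName": "usr/share/nifi/nifi-current/lib/bootstrap/logback-core-1.3.14.jar"},
 {"Name": "CVE-2024-12798", "PackageName": "ch.qos.logback:logback-core",
  "PackageVersion": "1.3.14", "FixedVersion": "1.5.13;1.3.15",
  "DBKey": "apps:CVE-2024-12798",
  "FileName": "usr/share/nifi/nifi-current/lib/logback-core-1.3.14.jar"},
 {"Name": "CVE-2016-1000027", "PackageName": "jar:spring-web",
  "PackageVersion": "5.3.37", "FixedVersion": "6.0.0",
  "DBKey": "apps:CVE-2016-1000027",
  "FileName": "usr/share/nifi/nifi-current/lib/properties/spring-web-5.3.37.jar"},
 {"Name": "GHSA-72hv-8253-57qq",
  "PackageName": "com.fasterxml.jackson.core:jackson-core",
  "PackageVersion": "2.17.1", "FixedVersion": "2.18.6;2.21.1",
  "DBKey": "apps:GHSA-72hv-8253-57qq",
  "FileName": "usr/share/nifi/nifi-current/lib/bootstrap/jackson-core-2.17.1.jar"}
]}
""")


def triage(vulns, os_ns="chainguard", app_ns="apps"):
    """Split findings by DBKey namespace and cross-reference advisory IDs.

    The namespace meanings are an assumption (see the lead-in). The ID is
    taken from DBKey rather than the "CVEs" list, because GHSA-only entries
    in the output above carry no "CVEs" field.
    """
    os_rows = defaultdict(list)                       # id -> [(pkg, installed, fixed)]
    app_rows = defaultdict(lambda: defaultdict(set))  # id -> {(component, version): paths}
    other = []                                        # rows in neither namespace
    raw_app = 0
    for v in vulns:
        ns, sep, vid = v.get("DBKey", "").partition(":")
        if not sep or ns not in (os_ns, app_ns):
            other.append(v.get("Name", "?"))
            continue
        if ns == os_ns:
            os_rows[vid].append(
                (v["PackageName"], v["PackageVersion"], v["FixedVersion"]))
        else:
            raw_app += 1
            component = (v["PackageName"], v["PackageVersion"])
            app_rows[vid][component].add(v.get("FileName", ""))
    return {
        # Same advisory ID reported against the distro package and a JAR file.
        "both": sorted(os_rows.keys() & app_rows.keys()),
        "os_only": sorted(os_rows.keys() - app_rows.keys()),
        "app_only": sorted(app_rows.keys() - os_rows.keys()),
        "os": dict(os_rows),
        # One entry per (id, component, version); copies of the same JAR at
        # several paths collapse into a single finding with a path list.
        "components": {vid: {c: sorted(p) for c, p in comps.items()}
                       for vid, comps in app_rows.items()},
        "raw_app_rows": raw_app,
        "unique_app_findings": sum(len(c) for c in app_rows.values()),
        "other": other,
    }


if __name__ == "__main__":
    report = triage(SAMPLE["Vuls"])
    for key in ("both", "os_only", "app_only"):
        print(f"{key}: {', '.join(report[key]) or '-'}")
    print(f"JAR rows: {report['raw_app_rows']} raw, "
          f"{report['unique_app_findings']} after collapsing duplicate paths")
    for vid, comps in sorted(report["components"].items()):
        for (name, version), paths in comps.items():
            print(f"  {vid} {name} {version} ({len(paths)} path(s))")
```

IDs in `both` are reported twice in the scanner's total, once against the distro package and once against a file.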
