Known vulnerabilities not in Chainguard / Wolfi tracker?

Looking at the structure of https://packages.wolfi.dev/os/security.json or chainguard security.json it seems that CVEs are only published for versions where there is a fix available.

Example: Chainguard Images - Advisories - CVE-2023-29406 shows that the go-1.21 package is vulnerable, but the security.json consumed by grype doesn’t reflect this.

Is my understanding correct that grype won’t reflect these CVEs? This also holds true when the status is one of Under investigation, Pending upstream fix, or Fix not planned, as seen on Chainguard advisories.

@willmurphy @kzantow ?

Hi @ishan! Great question!

For distros that use APK packages (Alpine, Wolfi, Chainguard), we search NVD’s CPE data for vulnerabilities, and then use the secdb data to rule out vulnerabilities that have been fixed. You can see that code here: grype/grype/db/v5/matcher/apk/matcher.go at 66197338303a17cf6ba80d71a2c1d952e06ec68d · anchore/grype · GitHub

Additionally, for package types that are covered by GitHub Security Advisories (for example, if the APK package includes a Ruby gem or Python package), Grype will search GitHub security advisory data for vulnerabilities about those packages.

Does that answer your question?
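The matching rule described in this answer, as an added Go example that is not grype's own code: CVEs found through NVD CPE data for an APK package are kept unless the secdb's secfixes record a fix at or below the installed version. The secdb shape in Go literal form, the placeholder CVE id, and the simplified apk version comparison are constructed for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of security.json's secfixes (placeholder CVE id):
// package name -> fixed version -> CVEs fixed in that version.
var sampleSecdb = map[string]map[string][]string{
	"go-1.21": {"1.21.1-r0": {"CVE-0000-00001"}},
}

// apkLess: simplified apk version order (dotted numbers, then -rN), not grype's.
func apkLess(a, b string) bool {
	x := strings.Split(strings.Replace(a, "-r", ".", 1), ".")
	y := strings.Split(strings.Replace(b, "-r", ".", 1), ".")
	for i := 0; i < len(x) && i < len(y); i++ {
		xi, _ := strconv.Atoi(x[i])
		yi, _ := strconv.Atoi(y[i])
		if xi != yi {
			return xi < yi
		}
	}
	return len(x) < len(y)
}

// remaining keeps NVD CPE candidates for pkg unless the secdb records a fix at
// or below the installed version ("0" is the secdb marker for never affected).
func remaining(db map[string]map[string][]string, pkg, installed string, candidates []string) []string {
	fixedIn := map[string]string{} // CVE -> version that fixes it
	for ver, cves := range db[pkg] {
		for _, c := range cves {
			fixedIn[c] = ver
		}
	}
	var out []string
	for _, c := range candidates {
		if ver, ok := fixedIn[c]; ok && (ver == "0" || !apkLess(installed, ver)) {
			continue // secdb says fixed: ruled out
		}
		out = append(out, c) // no fix recorded: still reported
	}
	return out
}

func main() {
	fmt.Println(remaining(sampleSecdb, "go-1.21", "1.21.1-r0", []string{"CVE-0000-00001", "CVE-2023-29406"}))
}
```

With the sample above, the placeholder CVE is ruled out by its secfixes entry while CVE-2023-29406, which has no entry, is still reported, which is the behaviour the answer describes.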