Re-assess open CVEs and approve container for use (please)
Hi Platform One team,
I'm trying to use this image on Game Warden and have run into some trouble. Per https://vat.dso.mil/vat/image?imageName=opensource/ruby/ruby31&tag=3.1.2&branch=master this image is failing its ABC and ORA based upon a series of scan results related to OpenSSL 3.0.X.
The problem is that the CVEs relate to the OpenSSL system library, while the detected gem is just a wrapper for that library - and the gem is still on 3.0.0 because of its own SEMVER.
As proof that the gem is simply a wrapper, see the first line of the openssl ruby gem documentation link (https://ruby.github.io/openssl/): "[The] OpenSSL [gem] provides SSL, TLS and general purpose cryptography. It wraps the OpenSSL library."
I am not sure of any other way to request those items be re-evaluated as 'false positive' CVEs other than to open this issue. Thanks in advance for your help getting this container approved.
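
One way to check the gem-versus-library distinction the post draws, as an added example that is not part of the original post or of Platform One's tooling: it reads the wrapper gem's version and the version of the OpenSSL library the interpreter is linked against, then tests a scanner finding against the library version. The `finding` hash shape, the affected range and the helper names are assumptions constructed for illustration.

```ruby
require "openssl"
require "rubygems"

# Three version strings a scanner can conflate.
def openssl_versions
  {
    gem: OpenSSL::VERSION,                           # the wrapper gem
    built_against: OpenSSL::OPENSSL_VERSION,         # library at compile time
    loaded_library: OpenSSL::OPENSSL_LIBRARY_VERSION # library loaded at run time
  }
end

# "OpenSSL 1.1.1k  FIPS 25 Mar 2021" -> Gem::Version "1.1.1"
# (the 1.1.1-series letter suffix is dropped; compare it by hand if it matters).
def library_semver(banner)
  m = banner.match(/\b(\d+\.\d+\.\d+)/)
  m && Gem::Version.new(m[1])
end

# finding: hypothetical scanner record { detected_version:, affected: [...] }.
# Reports which component the detected version string matches and whether the
# linked library itself falls inside the advisory's affected range.
def triage(finding, gem_version:, library_banner:)
  detected = Gem::Version.new(finding[:detected_version])
  lib = library_semver(library_banner)
  matched_on =
    if lib && detected == lib
      :library   # ambiguous ties are treated as a library match (conservative)
    elsif detected == Gem::Version.new(gem_version)
      :gem
    else
      :unknown
    end
  affected = Gem::Requirement.new(*finding[:affected])
  { matched_on: matched_on,
    library_version: lib&.to_s,
    library_in_range: lib ? affected.satisfied_by?(lib) : nil }
end

if __FILE__ == $PROGRAM_NAME
  v = openssl_versions
  # Constructed range, not taken from any specific advisory on the page.
  sample = { detected_version: v[:gem], affected: [">= 3.0.0", "< 3.0.7"] }
  puts v
  puts triage(sample, gem_version: v[:gem], library_banner: v[:loaded_library])
end
```

A result of `matched_on: :gem` with `library_in_range: false` supports a false-positive justification; `library_in_range: true` means the linked library still needs remediation regardless of the gem version.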