Possible Vulnerability Count Bug for Anchore
Good people: We have created a tool that auto removes vulnerabilities from containers and are preparing for a meeting with Airforce leadership next week so wanted to understand how your pipelines were configured, the tools used, and the basic workflows.
We noticed that when you take an image from Ironbank and scan it using Anchore's open-source version, you get a much higher vulnerability count than what is reported on the Ironbank website (for Anchore). It is the same tool (Anchore), so one would expect the same or close results. For NGINX, for example, it is 108 vulnerabilities using the Anchore open-source tool vs. 36 reported for Anchore on the Ironbank website, which is a material difference. You can see the attached screenshots below.
Further, when you scan the same Ironbank image using other scanners (like Aqua Security and ours (RapidFort)), you get similarly different results: 114 vs. 36. So it seems that Ironbank may be under-reporting vulnerabilities, or there is a different report to look at. Or at least this is what it looks like at a high level.
We would appreciate any input or help. Thank you.
Is this a known issue? Does anybody know why the Anchore vulnerability reports on Ironbank appear off, or are we missing something and should be looking in another place and using other containers?
Any help provided would be significantly appreciated.
If anybody knows who implemented this we would be happy to help troubleshoot and possibly fix.
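One practical way to get past "108 vs. 36" is to stop comparing totals and compare the finding sets themselves. The script below is an added example, not the poster's tool and not Anchore's or Iron Bank's real output format: it assumes both reports have already been flattened to four fields (vulnerability id, package, package type, severity), and the two sample reports and their CVE ids are constructed for the demonstration. It keys findings on (vulnerability, package), so it also exposes a common source of inflated totals: the same CVE counted once per layer or per package version. The result tells you which findings only one side reports and how those break down by package type and severity, which is the first question to take to whoever owns the pipeline.

```python
"""Reconcile two vulnerability reports for the same container image.

Added example with constructed data. Real scanner output (Anchore, Aqua,
etc.) is richer JSON; map it to the flat shape used here before calling
reconcile(). The CVE ids below are placeholders, not real advisories.
"""
from collections import Counter

# Constructed sample: a local open-source scan of the pulled image.
# CVE-0000-1001 appears twice on purpose (e.g. two layers / two versions)
# to show how raw row counts drift from unique-finding counts.
SCAN_LOCAL = [
    {"vuln": "CVE-0000-1001", "package": "openssl", "type": "os",     "severity": "High"},
    {"vuln": "CVE-0000-1001", "package": "openssl", "type": "os",     "severity": "High"},
    {"vuln": "CVE-0000-1002", "package": "openssl", "type": "os",     "severity": "Medium"},
    {"vuln": "CVE-0000-1003", "package": "glibc",   "type": "os",     "severity": "Low"},
    {"vuln": "CVE-0000-2001", "package": "lodash",  "type": "npm",    "severity": "High"},
    {"vuln": "CVE-0000-2002", "package": "lodash",  "type": "npm",    "severity": "Medium"},
    {"vuln": "CVE-0000-3001", "package": "pyyaml",  "type": "python", "severity": "Critical"},
]

# Constructed sample: the report published on a registry page for the same tag.
SCAN_PUBLISHED = [
    {"vuln": "CVE-0000-1001", "package": "openssl", "type": "os", "severity": "High"},
    {"vuln": "CVE-0000-1003", "package": "glibc",   "type": "os", "severity": "Low"},
    {"vuln": "CVE-0000-4001", "package": "zlib",    "type": "os", "severity": "Medium"},
]


def finding_key(finding):
    """Identity of a finding: one CVE against one package, regardless of layer."""
    return (finding["vuln"], finding["package"])


def reconcile(report_a, report_b):
    """Compare two flattened reports and explain where the counts diverge.

    Returns raw and de-duplicated counts for each side, the findings present on
    only one side, and a breakdown of those one-sided findings by package type
    and severity.
    """
    index_a = {finding_key(f): f for f in report_a}
    index_b = {finding_key(f): f for f in report_b}
    only_a = sorted(set(index_a) - set(index_b))
    only_b = sorted(set(index_b) - set(index_a))
    common = set(index_a) & set(index_b)

    def breakdown(keys, index, field):
        return dict(Counter(index[k][field] for k in keys))

    return {
        "raw_a": len(report_a), "count_a": len(index_a),
        "raw_b": len(report_b), "count_b": len(index_b),
        "common": len(common),
        "only_a": only_a, "only_b": only_b,
        "only_a_by_type": breakdown(only_a, index_a, "type"),
        "only_a_by_severity": breakdown(only_a, index_a, "severity"),
        "only_b_by_type": breakdown(only_b, index_b, "type"),
        "only_b_by_severity": breakdown(only_b, index_b, "severity"),
    }


def summarize(result, name_a="local", name_b="published"):
    """Human-readable summary of a reconcile() result."""
    lines = [
        f"{name_a}: {result['raw_a']} rows, {result['count_a']} unique findings",
        f"{name_b}: {result['raw_b']} rows, {result['count_b']} unique findings",
        f"in both: {result['common']}",
        f"only in {name_a}: {len(result['only_a'])} "
        f"by type {result['only_a_by_type']} by severity {result['only_a_by_severity']}",
        f"only in {name_b}: {len(result['only_b'])} "
        f"by type {result['only_b_by_type']} by severity {result['only_b_by_severity']}",
    ]
    for vuln, pkg in result["only_a"]:
        lines.append(f"  {name_a} only: {vuln} in {pkg}")
    for vuln, pkg in result["only_b"]:
        lines.append(f"  {name_b} only: {vuln} in {pkg}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(reconcile(SCAN_LOCAL, SCAN_PUBLISHED)))
```

In the constructed data the local side has 7 rows but only 6 unique findings, and four of those are absent from the published side: three are non-OS (npm and Python) packages, which is exactly the kind of split worth asking about, since whether a pipeline scans language-ecosystem packages at all, and which vulnerability feed it uses, is usually a configuration choice rather than a bug in the scanner.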