Incorrect version in secfixes of openjdk11 causes vulnerability scanners to miss vulnerable versions of OpenJDK
When scanning a Docker image, based on Alpine 3.17 with openjdk 11.0.18 installed, using Grype (https://github.com/anchore/grype), I noticed that it did not detect a JVM vulnerability (CVE-2023-21930) that is only fixed in 11.0.19.
I raised this as a Grype issue (https://github.com/anchore/grype/issues/1292). It was found that this was likely caused by an incorrect fixed version in this file on line 78:
https://gitlab.alpinelinux.org/alpine/aports/-/blame/master/community/openjdk11/APKBUILD#L78
That is: this line states that CVE-2023-21930, together with several other CVEs, has been fixed in version 1.0.19_p7-r0 instead of 11.0.19_p7-r0.
Apparently this file is used as a source for the Grype vulnerability DB (and possibly for other scanners too), causing them to miss every vulnerability listed as fixed under that entry.
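To show why the typo makes scanners go quiet, here is an added example (not code from Grype or from aports) that parses a constructed secfixes block in APKBUILD syntax, applies a simplified apk version ordering, and lints each fixed version against pkgver. It assumes only the `_pN` suffix and `-rN` release need handling, which is enough for openjdk versions.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in APKBUILD secfixes syntax reproducing the reported
# typo (1.0.19 instead of 11.0.19). Not the real file; the second CVE is a
# placeholder so that a correctly spelled entry is present for comparison.
APKBUILD_SNIPPET = """\
pkgver=11.0.19_p7
pkgrel=0
# secfixes:
#   1.0.19_p7-r0:
#     - CVE-2023-21930
#   11.0.18_p10-r0:
#     - CVE-0000-PLACEHOLDER
"""

def parse_secfixes(text: str) -> Dict[str, List[str]]:
    """Return {fixed_version: [CVE, ...]} from the '# secfixes:' comment block."""
    fixes: Dict[str, List[str]] = {}
    current, in_block = None, False
    for line in text.splitlines():
        if line.startswith("# secfixes:"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith("#"):
            break  # block ends at the first non-comment line
        m = re.match(r"#\s+(\S+):\s*$", line)
        if m:
            current = m.group(1)
            fixes[current] = []
            continue
        m = re.match(r"#\s+-\s+(\S+)", line)
        if m and current:
            fixes[current].append(m.group(1))
    return fixes

def version_key(ver: str) -> Tuple[Tuple[int, ...], int, int]:
    """Simplified apk ordering (assumption): numeric parts, _pN suffix, -rN release."""
    m = re.fullmatch(r"([0-9.]+)(?:_p(\d+))?(?:-r(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version syntax: {ver}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, int(m.group(2) or 0), int(m.group(3) or 0)

def is_vulnerable(installed: str, fixed: str) -> bool:
    """A scanner reports the CVE only while installed < fixed version."""
    return version_key(installed) < version_key(fixed)

def lint_secfixes(text: str) -> List[str]:
    """Flag secfixes entries whose major version differs from pkgver."""
    pkgver = re.search(r"^pkgver=(\S+)$", text, re.M).group(1)
    major = version_key(pkgver)[0][0]
    return [f"{v}: major version differs from pkgver {pkgver}"
            for v in parse_secfixes(text) if version_key(v)[0][0] != major]
```

With the typo, 11.0.18_p10-r0 compares greater than 1.0.19_p7-r0, so the scanner considers CVE-2023-21930 fixed; the lint catches the entry before it reaches a vulnerability database.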