Binary scan of Corretto 11.0.20.9.1 shows clean, but libjpeg constituent shows vuln
jeremysshaw opened this issue · 1 comments
I regard this as not quite a vulnerability report, because all the information is publicly available. Hence posting here.
A BlackDuck Binary Analysis scan of Corretto 11.0.20.9.1 shows no vulnerabilities at the top level. However, the package is shown to contain a vulnerable version of libjpeg, version 6b. The latest version of libjpeg is 9e.
Is this a real issue in Corretto, or a false positive in Black Duck Binary Analysis (BDBA)?
BDBA detects libjpeg 6b in the following files:
amazon-corretto-11.0.20.9.1-linux-x64.tar.gz
amazon-corretto-11.0.20.9.1-linux-x64/lib/libjavajpeg.so
Also
amazon-corretto-11.0.20.9.1-linux-x64.tar.gz
amazon-corretto-11.0.20.9.1-linux-x64/lib/libsplashscreen.so
Thanks for any help,
jeremy.
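One way to check independently which libjpeg release the reported libraries were built from is to look for the version banner that IJG libjpeg compiles in from `jversion.h` (for example `6b  27-Mar-1998`). The script below is an added example, not part of the original issue and not code from Corretto or Black Duck. It assumes the banner survives unmodified in the binary, and the archive it builds for the demo is a constructed stand-in, not the real Corretto tarball.

```python
import io
import re
import sys
import tarfile

# Assumption: the library still carries libjpeg's JVERSION string,
# "<version>  <dd-Mon-yyyy>" (two spaces), e.g. "6b  27-Mar-1998".
BANNER = re.compile(
    rb"(?<![0-9A-Za-z])(\d{1,2}[a-z]?)  (\d{1,2}-[A-Z][a-z]{2}-\d{4})"
)

def find_libjpeg_banners(blob):
    """Return sorted unique (version, date) pairs found in raw bytes."""
    return sorted({(m.group(1).decode(), m.group(2).decode())
                   for m in BANNER.finditer(blob)})

def scan_archive(fileobj, suffixes=(".so", ".dll", ".dylib")):
    """Map member path -> banners for each native library in a .tar.gz."""
    hits = {}
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar:
            if member.isfile() and member.name.endswith(suffixes):
                banners = find_libjpeg_banners(tar.extractfile(member).read())
                if banners:
                    hits[member.name] = banners
    return hits

def build_sample_archive():
    """Constructed sample: fake .so members, one with a banner, one without."""
    members = {
        "sample-jdk/lib/libjavajpeg.so":
            b"\x7fELF\x00" + b"6b  27-Mar-1998\x00"
            + b"Copyright (C) 1998, Thomas G. Lane\x00",
        "sample-jdk/lib/libzip.so": b"\x7fELF\x00no jpeg code here\x00",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Pass a real .tar.gz path to scan it; with no argument the sample is used.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else build_sample_archive()
    for path, banners in scan_archive(src).items():
        print(path, banners)
```

A banner only identifies the upstream release the bundled code was derived from; it does not show whether fixes were applied to that code afterward, so a hit confirms the component match rather than the presence of a specific vulnerability.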