docker-library/tomcat

False positive?

kwaazaar opened this issue · 2 comments

I use Twistlock image vulnerability scanning and it finds a new CVE since Sunday. Is this a false positive?

Vulnerabilities

| Image | ID | CVE | Package | Version | Severity | Status | CVSS |
|---|---|---|---|---|---|---|---|
| tomcat:9-jdk8-openjdk-slim | 54b465e3c80e21ac | CVE-2017-10140 | db5.3 | 5.3.28+dfsg1-0.5 | high | fixed in 5.3.28-13.1 | 7.8 |

I just noticed this CVE was previously classified by Twistlock as medium, now it's high. I'll check with them why it has changed.

Confirmed by Twistlock the issue is in their tooling. A recent update removed this false positive.