Hey Eduardo,

This is the Trivy tool: https://github.com/aquasecurity/trivy. It's used to scan containers for CVEs, and to reproduce you can install trivy and just run "trivy -quiet ubuntu:18.04" to see the CVE flagged.

I think what is happening is that trivy scans installed packages on the system (returns libidn2-0) and then compares it to the CVE page, which in this case shows as "DNE" and thus is flagged as a valid vulnerability. Do you think this sounds correct? If so, I will file the bug in relevant upstream projects.

Srdjan

--
https://bugs.launchpad.net/bugs/1855768

Title:
  Ubuntu-security CVE-2019-18224 web page shows incorrect info about libidn2-0 status
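The mismatch hypothesized in the message above, as an added example (not part of the original message, and not Trivy's or the Ubuntu tracker's code): a scanner that flags every status it has not explicitly cleared will report a "DNE" (does not exist in this release) entry as a vulnerability. The status names follow the Ubuntu CVE tracker; the sample entries, the packages `otherpkg` and `fixedpkg`, and all function names are constructed for illustration.

```python
import re

# One tracker-style line: "<release>_<package>: <status> (optional note)"
LINE = re.compile(r"^(?P<rel>[^_\s]+)_(?P<pkg>[^:\s]+):\s*(?P<status>[\w-]+)")

# Constructed sample entries; the first mirrors the status described in the message.
SAMPLE = """\
bionic_libidn2-0: DNE
bionic_otherpkg: needed
bionic_fixedpkg: released (1.2-3ubuntu0.1)
"""

def parse_tracker(text):
    """Map (release, package) -> status for every well-formed line."""
    entries = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            entries[(m["rel"], m["pkg"])] = m["status"]
    return entries

def naive_is_flagged(status):
    # Hypothesized faulty logic: anything not explicitly cleared is vulnerable,
    # so "DNE" falls through and gets flagged.
    return status not in {"released", "not-affected"}

def classify(status):
    """Stricter mapping: DNE means the package is absent from the release."""
    if status in {"DNE", "not-affected"}:
        return "not_affected"
    if status == "released":
        return "compare_version"  # needs an installed-vs-fixed version check
    return "affected"             # needed, needs-triage, pending, unknown, ...

def flagged(installed, release, entries, decide):
    """Installed packages the given decision function reports as vulnerable."""
    return [p for p in installed
            if (release, p) in entries and decide(entries[(release, p)])]

if __name__ == "__main__":
    entries = parse_tracker(SAMPLE)
    pkgs = ["libidn2-0", "otherpkg", "fixedpkg"]
    print("naive :", flagged(pkgs, "bionic", entries, naive_is_flagged))
    print("strict:", flagged(pkgs, "bionic", entries,
                             lambda s: classify(s) == "affected"))
```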