Hey Teppei, Great to hear that! After deeper looking over my logs and console buffer, I think this was a combination of a user error on my part and a UX problem in Trivy caching.
What I think might have happened: - I scanned `ubuntu:18.04` tag at some point before the libidn2 fix went in and Trivy showed a vulnerability as "valid" correctly. - At some point I must have pulled the new `ubuntu:18.04` tag (I'm guessing). - I went into the container to see what `libidn2-0` version I was running and it returned a version number that I correlated to a fixed version according to USN link. - Re-running trivy did not update the results nor tell me that the original result will be perma-cached so I posited that Trivy or the data it was pulling was at fault. - I then went down the rabbit hole of how Trivy pulls fix data that lead me to creating this bug report. Thanks both for looking into this though - sorry for the extra noise that wasn't needed! Eduardo, feel free to close this issue as invalid! Srdjan -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1855768 Title: Ubuntu-security CVE-2019-18224 web page shows incorrect info about libidn2-0 status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+bug/1855768/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs