This repository has been archived by the owner on Jan 27, 2023. It is now read-only.

False Positive CVE-2015-4035 reported against xz-1.9.jar #1375

Open
navzen2000 opened this issue Apr 20, 2022 · 1 comment
@navzen2000

Is this a request for help?:


Is this a BUG REPORT or a FEATURE REQUEST? (choose one):
BUG REPORT

Version of Anchore Engine and Anchore CLI if applicable:

v1.0.1

What happened:
Anchore scan incorrectly reported CVE-2015-4035 against xz-1.9.jar
https://snyk.io/vuln/maven:org.tukaani%3Axz

This CVE is applicable for script/xzgrep

What did you expect to happen:

Any relevant log output from /var/log/anchore:

What docker images are you using:

How to reproduce the issue:

Anything else we need to know:

@navzen2000
Author

    "vulnerabilities": [
        {
            "feed": "vulnerabilities",
            "feed_group": "nvd",
            "fix": "None",
            "nvd_data": [
                {
                    "cvss_v2": {
                        "base_score": 4.6,
                        "exploitability_score": 3.9,
                        "impact_score": 6.4
                    },
                    "cvss_v3": {
                        "base_score": 7.8,
                        "exploitability_score": 1.8,
                        "impact_score": 5.9
                    },
                    "id": "CVE-2015-4035"
                }
            ],
            "package": "xz-1.9",
            "package_cpe": "None",
            "package_cpe23": "cpe:2.3:a:tukaani:xz:1.9:*:*:*:*:*:*:*",
            "package_name": "xz",
            "package_path": "xz-1.9.jar",
            "package_type": "java",
            "package_version": "1.9",
            "severity": "High",
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-4035",
            "vendor_data": [],
            "vuln": "CVE-2015-4035",
            "will_not_fix": false
        }
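A triage sketch for output shaped like the record above, added here as an example and not code from Anchore or from the reporter: it lists findings that come from the `nvd` feed group, carry no `vendor_data`, and were matched on a CPE whose `target_sw` field is unconstrained, which is how the Java `xz-1.9.jar` came to match a CVE the report says applies to `script/xzgrep`. The function names, the `LANGUAGE_TYPES` set and the second sample record are assumptions made for illustration; the CPE is written in its full 13-field form.

```python
import json

# Constructed input: the record from the report (CPE written out in full) plus
# one made-up OS-package record that has vendor data, for contrast.
SAMPLE = json.loads("""
{"vulnerabilities": [
  {"feed_group": "nvd", "vuln": "CVE-2015-4035", "vendor_data": [],
   "package_type": "java", "package_path": "xz-1.9.jar",
   "package_cpe23": "cpe:2.3:a:tukaani:xz:1.9:*:*:*:*:*:*:*"},
  {"feed_group": "nvd", "vuln": "CVE-0000-0000",
   "vendor_data": [{"id": "constructed"}],
   "package_type": "rpm", "package_path": "pkgdb",
   "package_cpe23": "cpe:2.3:a:example:examplepkg:1.0:*:*:*:*:*:*:*"}
]}
""")

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

# Assumption: package types treated as language-ecosystem artifacts.
LANGUAGE_TYPES = {"java", "python", "npm", "gem"}


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into named fields, or return None.

    Simplification: escaped colons inside a field are not handled.
    """
    parts = cpe.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        return None
    return dict(zip(CPE_FIELDS, parts[2:]))


def review_candidates(vulns):
    """Return (vuln, package_path, vendor:product) tuples that need manual review."""
    out = []
    for v in vulns:
        if v.get("feed_group") != "nvd" or v.get("vendor_data"):
            continue  # vendor-confirmed or non-NVD match: not a CPE-only finding
        if v.get("package_type") not in LANGUAGE_TYPES:
            continue
        cpe = parse_cpe23(v.get("package_cpe23") or "")
        # A wildcard target_sw means the CPE does not say which ecosystem it is for.
        if cpe and cpe["target_sw"] in ("*", "-"):
            out.append((v["vuln"], v["package_path"],
                        f'{cpe["vendor"]}:{cpe["product"]}'))
    return out


if __name__ == "__main__":
    for vuln, path, name in review_candidates(SAMPLE["vulnerabilities"]):
        print(f"review: {vuln} on {path} matched only by CPE name {name}")
```

Each flagged entry is a candidate for checking the advisory's affected component against what the artifact actually ships, not an automatic dismissal.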
