Report that a vulnerability exists in the wrong package

[usiusi360]

Environment

Vuls

Hash : vuls v0.3.0 bdf6efe

OS

• Target Server: CentOS Linux release 7.3.1611 (Core)
• Vuls Server: CentOS Linux release 7.3.1611 (Core)

Go

• Go version: go version go1.7.4 linux/amd64

Current Output

The content of CVE-ID is a vulnerability related to BIND.
However, the affected package is bash.
And the contents of bind are mixed in changelog.

Addition Details

When two or more packages are the same changelog, the format of the output is changed.

• Previous output

ChangeLog for: coreutils-8.4-43.el6.x86_64, coreutils-libs-8.4-43.el6.x86_64
* Wed Feb 10 21:00:00 2016 Ondrej Vasik <ovasik@redhat.com> - 8.4-43
- sed should actually be /bin/sed (related #1222140)
* Wed Jan  6 21:00:00 2016 Ondrej Vasik <ovasik@redhat.com> - 8.4-41
- colorls.sh,colorls.csh - call utilities with complete path (#1222140)
- mkdir, mkfifo, mknod - respect default umask/acls when
  COREUTILS_CHILD_DEFAULT_ACLS envvar is set (to match rhel 7 behaviour,

• Current output

ChangeLog for: 1:openssl-1.0.1e-60.el7_3.1.x86_64,
             : 1:openssl-libs-1.0.1e-60.el7_3.1.x86_64
* Mon Feb  6 21:00:00 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-60.1
- fix CVE-2017-3731 - DoS via truncated packets with RC4-MD5 cipher
- fix CVE-2016-8610 - DoS of single-threaded servers via excessive alerts

[kotakanbe]

Thanks for reporting.
Do you scan as local scan mode or remote scan mode?

[usiusi360]

It occurs only when scanning local scans and docker containers.

[kotakanbe]

This issue has been fixed in v4.0.0.
If you are still in trouble, please reopen the issue.