Unexpected vulnerability detected in package(nss)

[JwishPark]

IDs

CVE-2014-3566

Description

Hello,
I scanned the vulnerability in my image(centos:7.9.2009) with Trivy.
And I found trivy detected CVE-2014-3566 in nss package.

However, when searching the NVD official link and docker hub,
CVE-2014-3566 does not exist in nss package.

If follow the PrimaryURL of the vulnerability check result,
it seems that trivy found the vulnerability based on the datasource from Vendor(Ubuntu).

I think this is wrong detection because the vulnerabilities that exist in the package may be different for each OS.
please check why trivy detected it.

Reproduction Steps

1. docker pull centos:7.9.2009
2. trivy -d image --skip-update --offline-scan centos:7.9.2009

Target

Container Image

Scanner

Vulnerability

Target OS

centos:7.9.2009

Debug Output

trivy -d image --skip-update --offline-scan centos:7.9.2009

Version

$ trivy --version
Version: 0.41.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-10-12 00:26:18.957705896 +0000 UTC
  NextUpdate: 2023-10-12 06:26:18.957705396 +0000 UTC
  DownloadedAt: 0001-01-01 00:00:00 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-05-31 00:54:27.316128264 +0000 UTC
  NextUpdate: 2023-06-03 00:54:27.316127764 +0000 UTC
  DownloadedAt: 0001-01-01 00:00:00 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @JwishPark
We use RedHat advisory database for CensOS - https://aquasecurity.github.io/trivy/v0.46/docs/scanner/vulnerability/#data-sources
RedHat marks nss as vulnerable package for RHEL7 - https://access.redhat.com/security/cve/cve-2014-3566