AWS has identified an issue with Amazon ECR basic scanning when it scans container images based on Alpine 3.13 through Alpine 3.16. ECR basic scanning incorrectly discovers and reports a LOW severity scan finding, CVE-2020-28928, for these images. Amazon ECR enhanced scanning with Amazon Inspector is not affected by the issue.
This false positive scan finding occurs because the open-source Clair scan engine used by ECR for basic scanning incorrectly parses the package versions. We have modified ECR's basic scanning engine so that it now interprets package versions accurately and no longer incorrectly reports the CVE-2020-28928 vulnerability.
This change will be effective starting June 22, 2022. You do not need to take any action. If you have any questions or concerns, please reach out to AWS Support.