Addressing False Positive Vulnerability Findings for Common Package Names
Symptom
- Several false positive detections are observed for packages on Alpine Linux whose names are common across ecosystems; the affected CVEs include CVE-2023-27482 and CVE-2022-28841
- CVE-2022-28841 is incorrectly detected on Alpine because the package name bridge is shared by both Alpine and Adobe Systems Incorporated
- Similarly, for CVE-2023-27482, Alpine ships a package named supervisor, but the NVD record points to home-assistant:supervisor, which is unrelated to Alpine
Environment
- Alpine Linux
- Prisma Cloud Compute
Cause
The vulnerability false positives (e.g., for packages like supervisor and bridge) are caused by a known, industry-wide challenge: package name ambiguity. This occurs when unrelated software from different ecosystems (e.g., Alpine Linux vs. Home Assistant, or Alpine Linux vs. Adobe) share an identical package name.
The core issue is that vulnerability data, such as that from the National Vulnerability Database (NVD), often lacks a specific "running-on-with" configuration. This missing data makes it difficult to programmatically differentiate which package the vulnerability applies to. As a result, a CVE intended for one vendor's product (like home-assistant:supervisor) can be incorrectly associated with another vendor's package that shares the same name.
Resolution
To address this class of false positives, a future enhancement is planned to improve our matching logic. This update will allow our system to use additional contextual data to better distinguish between packages with identical names but from different publishers, significantly improving the accuracy of vulnerability reporting.
Additional Information
- Function: CPE normalizes the way products are named by including the component type (like application, operating system, or hardware), vendor, product, and version.
- Usage in NVD: The NVD uses CPE to link vulnerabilities (CVEs) to the specific software and hardware that are impacted. For example, a CVE record will often contain one or more CPE entries to indicate the affected products.
- Purpose: By providing a consistent and standardized format, CPE allows for automated searching, vulnerability scanning, and the creation of software bills of materials (SBOMs) that track vulnerable components.
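As an added illustration of the cause described above (example code, not Prisma Cloud's matching logic), the following Python parses CPE 2.3 strings and contrasts a product-name-only matcher, which reproduces the two false positives from the Symptom section, with one that also requires the CPE vendor to be a known publisher of the package or the CPE target_sw field to name the ecosystem. The CPE strings, the publisher set and the placeholder CVE entry are constructed for the example and are not copied from NVD.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cpe:
    part: str       # 'a' application, 'o' operating system, 'h' hardware
    vendor: str
    product: str
    version: str
    target_sw: str  # platform the product runs on ('*' = unspecified)


def parse_cpe23(s: str) -> Cpe:
    """Parse a CPE 2.3 formatted string; an escaped '\\:' inside a field is not a separator."""
    prefix = "cpe:2.3:"
    if not s.startswith(prefix):
        raise ValueError(f"not a CPE 2.3 string: {s}")
    fields, cur, i = [], "", len(prefix)
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep the escaped character with its backslash
            cur += s[i:i + 2]
            i += 2
            continue
        if s[i] == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += s[i]
        i += 1
    fields.append(cur)
    if len(fields) != 11:
        raise ValueError(f"expected 11 CPE fields, got {len(fields)}: {s}")
    return Cpe(fields[0], fields[1], fields[2], fields[3], fields[8])


# Constructed CVE -> CPE table modelled on the two CVEs in the article plus one
# placeholder entry that genuinely targets the Alpine ecosystem via target_sw.
CVE_CPES = {
    "CVE-2022-28841": ["cpe:2.3:a:adobe:bridge:*:*:*:*:*:*:*:*"],
    "CVE-2023-27482": ["cpe:2.3:a:home-assistant:supervisor:*:*:*:*:*:*:*:*"],
    "CVE-PLACEHOLDER-1": ["cpe:2.3:a:example:supervisor:*:*:*:*:*:alpine:*:*"],
}


def match_by_product(package: str) -> list[str]:
    """Naive matcher on product name only: reproduces the article's false positives."""
    return [cve for cve, cpes in CVE_CPES.items()
            if any(parse_cpe23(c).product == package for c in cpes)]


def match_with_context(package: str, ecosystem: str, publishers: set[str]) -> list[str]:
    """Product must match AND (CPE vendor is a known publisher OR target_sw names the ecosystem)."""
    hits = []
    for cve, cpes in CVE_CPES.items():
        for c in cpes:
            cpe = parse_cpe23(c)
            if cpe.product == package and (cpe.vendor in publishers or cpe.target_sw == ecosystem):
                hits.append(cve)
                break
    return hits
```

Running `match_with_context("bridge", "alpine", {"alpine"})` returns no CVEs, while `match_by_product("bridge")` still reports CVE-2022-28841.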