I am using JFrog Xray to scan for security issues in my project. It reports a high-severity vulnerability, CVE-2022-29458, that I need to resolve:
| SEVERITY | DIRECT PACKAGE | DIRECT PACKAGE VERSION | IMPACTED PACKAGE NAME | IMPACTED PACKAGE VERSION | FIXED VERSIONS | TYPE | CVE |
|----------|----------------|------------------------|-----------------------|--------------------------|----------------|------|-----|
| High | sha256__01d4e4b4f381ac5a9 | | ubuntu:jammy:libncurses6 | 6.3-2ubuntu0.1 | | Debian | CVE-2022-29458 |
However, the Docker image is up to date and ships the package at version 6.3-2ubuntu0.1, which should not be vulnerable according to https://ubuntu.com/security/notices/USN-6099-1 and http://launchpadlibrarian.net/666970387/ncurses_6.3-2_6.3-2ubuntu0.1.diff.gz
What version of Xray are you using and what is your db-sync status?
Looking in the Xray database, CVE-2022-29458 on ubuntu:jammy:ncurses has low severity, and the fixed version is indeed 6.3-2ubuntu0.1. So we can suspect that either your db-sync is not up to date and that is why you're getting this result, or the component is somehow identified wrongly, which requires more investigation.
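Before escalating a finding like this as a scanner false positive, it helps to confirm independently that the installed package version is at or past the version the USN names as fixed. Debian/Ubuntu versions are not compared as plain strings (`~` sorts before everything, numeric runs compare numerically, letters sort before punctuation), so the check below re-implements dpkg's version ordering in Python and applies it to a small triage record. This is an added example, not code from JFrog Xray or from either poster; the CVE, package name and the 6.3-2ubuntu0.1 version come from the thread above, while the second finding with version 6.3-2 is constructed to show the other outcome. Inside a running container, `dpkg --compare-versions` remains the authoritative comparison.

```python
"""Compare reported vs. fixed Debian/Ubuntu package versions for scanner triage."""

from typing import Dict, List, Tuple


def _order(c: str) -> int:
    """Ordering weight of one character, following dpkg's verrevcmp()."""
    if c == "" or c.isdigit():   # end of string and digits are neutral
        return 0
    if c.isalpha():
        return ord(c)            # letters sort before non-letters
    if c == "~":
        return -1                # tilde sorts before everything, even end of string
    return ord(c) + 256          # other punctuation sorts after letters


def _ch(s: str, i: int) -> str:
    """Character at index i, or '' once past the end (stands in for C's NUL)."""
    return s[i] if i < len(s) else ""


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision fragments the way dpkg does."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        # Non-digit run: compare character weights until one side differs.
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac, bc = _order(_ch(a, ia)), _order(_ch(b, ib))
            if ac != bc:
                return ac - bc
            ia += 1
            ib += 1
        # Digit run: strip leading zeros, then the longer run wins, else first differing digit.
        while _ch(a, ia) == "0":
            ia += 1
        while _ch(b, ib) == "0":
            ib += 1
        while _ch(a, ia).isdigit() and _ch(b, ib).isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if _ch(a, ia).isdigit():
            return 1
        if _ch(b, ib).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def triage(installed: str, fixed: str) -> str:
    """Classify one finding given the installed version and the advisory's fixed version."""
    if not fixed:
        return "no fix version known"
    return "fixed" if compare_versions(installed, fixed) >= 0 else "vulnerable"


def triage_report(findings: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Run triage over scanner findings; returns (package, CVE, verdict) per finding."""
    return [(f["package"], f["cve"], triage(f["version"], f["fixed"])) for f in findings]


# Constructed sample: the first record mirrors the thread, the second is a hypothetical
# older build of the same package that really would still be affected.
SAMPLE_FINDINGS = [
    {"package": "ubuntu:jammy:libncurses6", "cve": "CVE-2022-29458",
     "version": "6.3-2ubuntu0.1", "fixed": "6.3-2ubuntu0.1"},
    {"package": "ubuntu:jammy:libncurses6", "cve": "CVE-2022-29458",
     "version": "6.3-2", "fixed": "6.3-2ubuntu0.1"},
]

if __name__ == "__main__":
    for pkg, cve, verdict in triage_report(SAMPLE_FINDINGS):
        print(f"{pkg} {cve}: {verdict}")
```

The fixed version is taken from the USN rather than from the scanner output, since in the thread the scanner's FIXED VERSIONS column was empty; a "fixed" verdict for a package the scanner still flags is the cue to check db-sync status or component identification, as the answer suggests.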