False positives CVE-2018-13661, CVE-2020-36533, CVE-2020-36532 Klapp App matching npm app package

[fouadh]

What happened:
We have app in our dependencies. When scanning our repository we get false positive on Klapp App mobile application.

NAME         INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY 
app          0.1.0                npm   CVE-2018-13661       High      
app          0.1.0                npm   CVE-2020-36533       Critical  
app          0.1.0                npm   CVE-2020-36532       Medium    

What you expected to happen:
I expect npm app package not to match CVEs against "Klapp" application.

How to reproduce it (as minimally and precisely as possible):

mkdir sandbox
cd sandbox
npm init
npm install app
grype dir:.

Anything else we need to know?:

Environment:

• Output of grype version:

Application:          grype
Version:              0.50.1
Syft Version:         v0.56.0
BuildDate:            2022-09-13T18:32:52Z
GitCommit:            403a535321c20565676dc633344e2bf8881cee29
GitDescription:       v0.50.1
Platform:             darwin/amd64
GoVersion:            go1.18.5
Compiler:             gc
Supported DB Schema:  4

• OS (e.g: cat /etc/os-release or similar):

System Software Overview:
      System Version: macOS 12.4 (21F79)
      Kernel Version: Darwin 21.5.0
      Boot Volume: Macintosh HD

[tgerla]

Thank you for the report and sorry for the long delay replying! I believe that this false positive no longer occurs. I'm going to go ahead and close this issue but please feel free to re-open if you are still experiencing this. Thanks!