The primary goal and focus of Minimus vulnerability reports is the quality of the results. Minimus emphasizes the accuracy of its vulnerability reports over volume, following the conviction that quantity should not be the primary driver in vulnerability reporting. Because each vulnerability scanner works differently, it can seem difficult to compare results across scanning tools. Becoming familiar with scanner defaults helps demystify the results. Following is a discussion of key points to keep in mind when reviewing Minimus vulnerability reports.

How many vulnerabilities impact my image?

This depends on how you count vulnerabilities. There are different methods:
  • Unique CVEs - If a CVE affects more than one package in the image, you still count it as one vulnerability.
  • Affected packages - In this method, you count the number of packages affected by each CVE. This method is also known as counting findings or counting unique issues per dependency path.
Minimus vulnerability reports count each unique CVE once, regardless of the number of affected packages. To be clear, the image vulnerability report in Minimus will list all affected packages, it just won’t count them separately.

Which vulnerabilities are impacting my image?

This depends on how you identify vulnerabilities. There are different systems for cataloging vulnerabilities, each with its pros and cons.
  • Normalizing to CVE ID - This approach favors the CVE (Common Vulnerabilities and Exposures) database run by the MITRE Corporation. This means the report will identify vulnerabilities by their CVE ID whenever possible. The only time a vulnerability is identified by another database's ID is when it was never mapped to a CVE. This method has the advantage of deduplication.
  • Original data source feed - Here vulnerabilities are identified by the original data source. For example, the Grype scanner maps language packages to a GHSA ID (GitHub Security Advisory) by default (ref).
Minimus normalizes its vulnerability reports by CVE ID. You will still see GHSA IDs when they have not yet been mapped to a CVE.
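As an added example (not Minimus or Grype code), the following script takes a few Grype-style findings, normalizes GHSA IDs to CVE IDs where a mapping exists, optionally drops IDs still under review, and then counts both ways described above: once per unique CVE and once per affected package. The rows are constructed from the page's own Grype output; the alias map and the under-review set are assumptions standing in for the advisory feed.

```python
from collections import defaultdict

# Constructed rows modelled on the Grype table format: (package, version, id).
GRYPE_ROWS = [
    ("libpng", "1.6.50-r0", "CVE-2025-66293"),
    ("elasticsearch-9.2", "9.2.0-r0", "CVE-2025-68390"),
    ("elasticsearch-9.2-oci-entrypoint", "9.2.0-r0", "CVE-2025-68390"),
    ("log4j-core", "2.19.0", "GHSA-vc5p-v9hr-52mj"),
    ("log4j-core", "2.25.0", "GHSA-vc5p-v9hr-52mj"),
    ("zlib", "1.3.1-r2", "CVE-2026-22184"),
    ("curl", "8.16.0-r0", "CVE-2025-15224"),
    ("libcurl-openssl4", "8.16.0-r0", "CVE-2025-15224"),
]

# Assumed GHSA -> CVE alias map; in practice this comes from the advisory
# feed (the page states this particular mapping).
ALIASES = {"GHSA-vc5p-v9hr-52mj": "CVE-2025-68161"}

# Assumed set of IDs whose advisory status is still "under review".
UNDER_REVIEW = {"CVE-2026-22184"}


def normalize(vuln_id):
    """Prefer the CVE ID whenever the advisory has been mapped to one."""
    return ALIASES.get(vuln_id, vuln_id)


def summarize(rows, drop_under_review=False):
    """Return (unique_vulns, affected_package_findings, id -> [(pkg, ver)])."""
    affected = defaultdict(set)
    for pkg, version, vuln_id in rows:
        vid = normalize(vuln_id)
        if drop_under_review and vid in UNDER_REVIEW:
            continue
        affected[vid].add((pkg, version))
    unique = len(affected)                             # one count per CVE
    findings = sum(len(p) for p in affected.values())  # one count per package
    return unique, findings, {k: sorted(v) for k, v in affected.items()}


if __name__ == "__main__":
    u, f, by_id = summarize(GRYPE_ROWS)
    print(f"unique vulnerabilities: {u}, affected-package findings: {f}")
    for vid, pkgs in by_id.items():
        print(vid, [p for p, _ in pkgs])
```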

How can I be sure there are no false positives?

This depends on your tolerance for “noise”. There are competing approaches:
  • Filter out unconfirmed vulnerabilities - to minimize questionable reports
  • Report all programmatic findings - even if unconfirmed or disputed
Minimus vulnerability reports filter out vulnerabilities still under review. The Minimus advisory will show the potentially affected package and the status under review, but it will not be mapped to an image until it has been confirmed. This approach suppresses noise and avoids unnecessary strain.

How is severity assessed?

A vulnerability's NVD listing may show competing severity scores. In such cases, an “operative” score must be selected. There are different approaches:
  • Preferred - This approach adopts an internal logic for ranking scores by the CVSS version used and the reputation of the reporting CNA - CVE Numbering Authority (ref). This approach favors CVSS 4 scores over CVSS 3.1 and makes use of NVD’s ranking of CNAs based on auditing results. The severity promoted by NVD as most reputable is adopted.
  • Highest severity - This approach ignores the priority of CVSS 4 over CVSS 3 and does not take the ranking of the reporting CNA into account.
  • NVD assigned score - This approach strictly adheres to the score provided by NVD and disregards scores provided by other recognized CNAs and CISA-ADP scores. This approach may be attributed to FedRAMP’s directive to use NVD assigned CVSS scores as the “original risk rating” (FedRAMP Rev5 Vulnerability Scanning Requirements). However, this approach has not been widely adopted and has the downside of unnecessarily registering many vulnerabilities as having unknown severity.
Minimus advisories show the preferred severity as recommended by NVD. This approach has the advantage of suppressing noise, especially when the highest severity score is less trustworthy.
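The three selection rules above, as an added example that is not Minimus code. The metric entries are constructed in the shape of NVD's per-source CVSS records; the 9.8 (v3.x) and 4.6 (v4) scores for CVE-2026-22184 are the ones this page reports, while the source names, the second placeholder ID and the reputation ordering are assumptions.

```python
# Constructed metric entries: (cvss_version, source, base_score).
METRICS = {
    "CVE-2026-22184": [
        ("3.1", "cna-a@example.org", 9.8),   # assumed source
        ("4.0", "cna-b@example.org", 4.6),   # assumed source
    ],
    "CVE-PLACEHOLDER-0001": [               # placeholder id, constructed
        ("3.1", "nvd@nist.gov", 5.5),
        ("3.1", "cisa-adp@example.gov", 7.5),
    ],
}

# Assumed reputation ordering (lower is better) standing in for NVD's
# ranking of CNAs; sources not listed rank last.
SOURCE_RANK = {"nvd@nist.gov": 0, "cisa-adp@example.gov": 1}


def rating(score):
    """Qualitative CVSS bands (identical for v3.1 and v4.0)."""
    if score is None:
        return "Unknown"
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"


def preferred(metrics):
    """Newest CVSS version first, then the most reputable source."""
    best = min(metrics, key=lambda m: (-float(m[0]), SOURCE_RANK.get(m[1], 99)))
    return best[2]


def highest(metrics):
    """Largest base score regardless of CVSS version or source."""
    return max(m[2] for m in metrics)


def nvd_assigned(metrics):
    """Only NVD's own score counts; None (Unknown) when NVD has not scored it."""
    scores = [m[2] for m in metrics if m[1] == "nvd@nist.gov"]
    return scores[0] if scores else None


if __name__ == "__main__":
    for cve, m in METRICS.items():
        print(cve, rating(preferred(m)), rating(highest(m)), rating(nvd_assigned(m)))
```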

How many packages were scanned?

Minimus only counts OS-level packages (APK format) in its SBOM and vulnerability reports. Some scanners will show a higher package count because they include non-OS dependencies. This explains why the package count may not match between different scanner reports.

Scanning by image layers

Some scanners count the number of different layers a CVE affects. Minimus images are always built as a single layer, without a Dockerfile. Therefore, there should not be variations due to image layers.

Example

To help illustrate the issues, we will compare the Minimus vulnerability report to a Grype report for the same image: reg.mini.dev/elasticsearch:9.2.0 (performed January 2026).
Grype report for reg.mini.dev/elasticsearch:9.2.0
docker run -it reg.mini.dev/{token}/grype reg.mini.dev/{token}/elasticsearch:9.2.0
 Vulnerability DB                [updated]  
 Parsed image                    sha256:a9814***  
 Cataloged contents              2723***  
   ├── Packages                        [817 packages]  
   ├── Executables                     [293 executables]  
   ├── File metadata                   [2,390 locations]  
   └── File digests                    [2,390 files]  
 Scanned for vulnerabilities     [60 vulnerability matches]  
   ├── by severity: 1 critical, 6 high, 30 medium, 2 low, 0 negligible (21 unknown)
NAME                              INSTALLED      FIXED IN       TYPE          VULNERABILITY        SEVERITY  EPSS           RISK   
libpng                            1.6.50-r0      1.6.52-r0      apk           CVE-2025-66293       High      < 0.1% (25th)  < 0.1  
elasticsearch-9.2                 9.2.0-r0       9.2.2-r0       apk           CVE-2025-68390       Medium    0.1% (31st)    < 0.1  
elasticsearch-9.2-oci-entrypoint  9.2.0-r0       9.2.2-r0       apk           CVE-2025-68390       Medium    0.1% (31st)    < 0.1  
log4j-core                        2.19.0         2.25.3         java-archive  GHSA-vc5p-v9hr-52mj  Medium    0.1% (30th)    < 0.1  
log4j-core                        2.25.0         2.25.3         java-archive  GHSA-vc5p-v9hr-52mj  Medium    0.1% (30th)    < 0.1  
reactor-netty-http                1.0.45         1.2.8          java-archive  GHSA-4q2v-9p7v-3v22  Medium    < 0.1% (26th)  < 0.1  
libpng                            1.6.50-r0      1.6.51-r0      apk           CVE-2025-64720       High      < 0.1% (19th)  < 0.1  
elasticsearch-9.2                 9.2.0-r0       9.2.4-r0       apk           CVE-2025-67735       Medium    < 0.1% (17th)  < 0.1  
elasticsearch-9.2-oci-entrypoint  9.2.0-r0       9.2.4-r0       apk           CVE-2025-67735       Medium    < 0.1% (17th)  < 0.1  
netty-codec-http                  4.1.126.Final  4.1.129.Final  java-archive  GHSA-84h7-rjj3-6jx4  Medium    < 0.1% (17th)  < 0.1  
zlib                              1.3.1-r2                      apk           CVE-2026-22184       Critical  < 0.1% (11th)  < 0.1  
busybox                           1.37.0-r6                     apk           CVE-2025-60876       Medium    < 0.1% (16th)  < 0.1  
curl                              8.16.0-r0      8.18.0-r0      apk           CVE-2025-15224       Low       < 0.1% (25th)  < 0.1  
libcurl-openssl4                  8.16.0-r0      8.18.0-r0      apk           CVE-2025-15224       Low       < 0.1% (25th)  < 0.1  
libpng                            1.6.50-r0      1.6.51-r0      apk           CVE-2025-65018       High      < 0.1% (9th)   < 0.1  
elasticsearch-9.2                 9.2.0-r0       9.2.2-r0       apk           CVE-2025-37731       High      < 0.1% (9th)   < 0.1  
elasticsearch-9.2-oci-entrypoint  9.2.0-r0       9.2.2-r0       apk           CVE-2025-37731       High      < 0.1% (9th)   < 0.1  
elasticsearch-9.2                 9.2.0-r0       9.2.3-r0       apk           CVE-2025-68384       Medium    < 0.1% (12th)  < 0.1  
elasticsearch-9.2-oci-entrypoint  9.2.0-r0       9.2.3-r0       apk           CVE-2025-68384       Medium    < 0.1% (12th)  < 0.1  
curl                              8.16.0-r0      8.18.0-r0      apk           CVE-2025-14819       Medium    < 0.1% (9th)   < 0.1  
libcurl-openssl4                  8.16.0-r0      8.18.0-r0      apk           CVE-2025-14819       Medium    < 0.1% (9th)   < 0.1  
curl                              8.16.0-r0      8.18.0-r0      apk           CVE-2025-14524       Medium    < 0.1% (7th)   < 0.1  
curl                              8.16.0-r0      8.18.0-r0      apk           CVE-2025-15079       Medium    < 0.1% (7th)   < 0.1  
libcurl-openssl4                  8.16.0-r0      8.18.0-r0      apk           CVE-2025-14524       Medium    < 0.1% (7th)   < 0.1  
libcurl-openssl4                  8.16.0-r0      8.18.0-r0      apk           CVE-2025-15079       Medium    < 0.1% (7th)   < 0.1  
curl                              8.16.0-r0      8.18.0-r0      apk           CVE-2025-13034       Medium    < 0.1% (4th)   < 0.1  
libcurl-openssl4                  8.16.0-r0      8.18.0-r0      apk           CVE-2025-13034       Medium    < 0.1% (4th)   < 0.1  
glibc                             2.42-r0                       apk           CVE-2026-0861        High      < 0.1% (1st)   < 0.1  
commons-lang3                     3.9            3.18.0         java-archive  GHSA-j288-q9x7-2f5v  Medium    < 0.1% (2nd)   < 0.1  
glibc                             2.42-r0                       apk           CVE-2026-0915        Unknown   < 0.1% (3rd)   < 0.1  
libpng                            1.6.50-r0      1.6.51-r0      apk           CVE-2025-64505       Medium    < 0.1% (2nd)   < 0.1  
libpng                            1.6.50-r0      1.6.51-r0      apk           CVE-2025-64506       Medium    < 0.1% (2nd)   < 0.1  
libpng                            1.6.50-r0      1.6.54-r0      apk           CVE-2026-22801       Medium    < 0.1% (1st)   < 0.1  
libpng                            1.6.50-r0      1.6.54-r0      apk           CVE-2026-22695       Medium    < 0.1% (1st)   < 0.1  
curl                              8.16.0-r0      8.18.0-r0      apk           CVE-2025-14017       Medium    < 0.1% (0th)   < 0.1  
libcurl-openssl4                  8.16.0-r0      8.18.0-r0      apk           CVE-2025-14017       Medium    < 0.1% (0th)   < 0.1  
curl                              8.16.0-r0      8.18.0-r0      apk           GHSA-7q9p-cx8r-rh2q  Unknown   N/A            N/A    
curl                              8.16.0-r0      8.18.0-r0      apk           GHSA-9r76-qj98-jfhc  Unknown   N/A            N/A    
curl                              8.16.0-r0      8.18.0-r0      apk           GHSA-g897-jvjx-78vg  Unknown   N/A            N/A    
curl                              8.16.0-r0      8.18.0-r0      apk           GHSA-hccr-q52r-4w88  Unknown   N/A            N/A    
curl                              8.16.0-r0      8.18.0-r0      apk           GHSA-jh4h-2cg6-889h  Unknown   N/A            N/A    
curl                              8.16.0-r0      8.18.0-r0      apk           GHSA-vqhr-m87q-9jqh  Unknown   N/A            N/A    
elasticsearch-9.2                 9.2.0-r0       9.2.4-r0       apk           GHSA-84h7-rjj3-6jx4  Unknown   N/A            N/A    
elasticsearch-9.2                 9.2.0-r0       9.2.2-r0       apk           GHSA-gphj-4h6p-37xq  Unknown   N/A            N/A    
elasticsearch-9.2                 9.2.0-r0       9.2.2-r0       apk           GHSA-m9gh-789g-q5pv  Unknown   N/A            N/A    
elasticsearch-9.2                 9.2.0-r0       9.2.3-r0       apk           GHSA-qf7c-7r9h-mm92  Unknown   N/A            N/A    
elasticsearch-9.2-oci-entrypoint  9.2.0-r0       9.2.4-r0       apk           GHSA-84h7-rjj3-6jx4  Unknown   N/A            N/A    
elasticsearch-9.2-oci-entrypoint  9.2.0-r0       9.2.2-r0       apk           GHSA-gphj-4h6p-37xq  Unknown   N/A            N/A    
elasticsearch-9.2-oci-entrypoint  9.2.0-r0       9.2.2-r0       apk           GHSA-m9gh-789g-q5pv  Unknown   N/A            N/A    
elasticsearch-9.2-oci-entrypoint  9.2.0-r0       9.2.3-r0       apk           GHSA-qf7c-7r9h-mm92  Unknown   N/A            N/A    
libcurl-openssl4                  8.16.0-r0      8.18.0-r0      apk           GHSA-7q9p-cx8r-rh2q  Unknown   N/A            N/A    
libcurl-openssl4                  8.16.0-r0      8.18.0-r0      apk           GHSA-9r76-qj98-jfhc  Unknown   N/A            N/A    
libcurl-openssl4                  8.16.0-r0      8.18.0-r0      apk           GHSA-g897-jvjx-78vg  Unknown   N/A            N/A    
libcurl-openssl4                  8.16.0-r0      8.18.0-r0      apk           GHSA-hccr-q52r-4w88  Unknown   N/A            N/A    
libcurl-openssl4                  8.16.0-r0      8.18.0-r0      apk           GHSA-jh4h-2cg6-889h  Unknown   N/A            N/A    
libcurl-openssl4                  8.16.0-r0      8.18.0-r0      apk           GHSA-vqhr-m87q-9jqh  Unknown   N/A            N/A

Package count

Minimus counts 71 OS-level packages in the SBOM. Grype detects hundreds more packages because it also inspects dependency manifests and compiled artifacts.

Unique vulnerabilities

The vulnerability count is vastly different. The Minimus report counts the number of unique vulnerabilities and lists all affected packages. The Grype report counts the number of affected packages as the number of vulnerabilities.

Vulnerabilities under review

Vulnerabilities under review are not listed in the Minimus vulnerability report so as to avoid false positives. The Grype scan includes any vulnerabilities that were programmatically detected even if they have not yet been vetted. For example, CVE-2026-22184 affecting zlib was listed by Grype. The Minimus report did not list the vulnerability while it was under review. Later, the Minimus security research team determined that the CVE was a false positive and that the package was unaffected. (See the Minimus advisory for details.)

Severity

Minimus pulls the preferred severity from NVD. Grype, in turn, prefers the highest severity. For example, CVE-2026-22184 showed up as a critical vulnerability in the Grype report, but as only medium severity in the Minimus advisory. This is because the Minimus algorithm favors CVSSv4 over CVSSv3.1. CVE-2026-22184 - which also happens to be disputed - was assigned a critical severity of 9.8 in CVSSv3 but only a medium severity of 4.6 in CVSSv4. Learn more about how Minimus assesses severity in cases of conflicts.

Vulnerability IDs

The Minimus report normalizes vulnerabilities by their CVE ID. In other words, where a CVE ID is available, Minimus prefers it over the GHSA ID. For example, the Grype report lists GHSA-vc5p-v9hr-52mj, while the Minimus report lists the same vulnerability as CVE-2025-68161.
Last modified on February 5, 2026