False positives by Clair


Bhupinder Kaur

Sep 20, 2019, 3:55:46 PM
to CoreOS Dev
I know Clair flags vulnerabilities by package version comparison. I scanned one image that has the util-linux 2.20.1-5.1ubuntu20.90 package, and I know this package has the CVE-2017-2616 vulnerability.
But when we scan using Clair Scanner, it is not flagged.
Also, it flags the CVE-20140-8991 vulnerability in an image running Ubuntu 14.04, whereas in the Ubuntu CVE tracker this vulnerability has no link with Ubuntu 14.04.
Can anyone please explain what's going on here? Are we getting false positives and false negatives?

Thanks 
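As an added illustration of the version comparison the question refers to (this is example code, not Clair's own implementation or anything from the post): a dpkg-style version comparison in Python, plus the rule that turns it into a finding. The fixed-in versions used in the test are constructed placeholders, not the real Ubuntu CVE tracker values for the CVEs named above.

```python
import re
from itertools import zip_longest

# Added example, not Clair's own code: a dpkg-style version comparison
# (epoch:upstream-revision; '~' sorts before anything, even the empty string)
# and the rule Clair applies with it: a package is flagged when
# installed version < the distro's fixed-in version for that CVE.

def _order(c):
    # dpkg weight of a non-digit char: '~' < end-of-string < letters < others
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare two version fragments as alternating non-digit / digit runs."""
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            d = _order(ca) - _order(cb)
            if d:
                return -1 if d < 0 else 1
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _split(v):
    """Split 'epoch:upstream-revision' into its three parts (epoch defaults to 0)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, dash, revision = rest.rpartition("-")
    if not dash:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, like dpkg --compare-versions."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_vulnerable(installed, fixed_in):
    """Scanner rule: flagged iff installed < fixed_in; None means no fix exists yet."""
    return fixed_in is None or compare_versions(installed, fixed_in) < 0
```

A miss like the one described happens when the tracker's fixed-in version for the image's release is at or below the installed version (or the CVE is not listed for that release at all), and a spurious hit when the vulnerability data is matched against the wrong release namespace.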