
False Negative: Trivy does not detect CVE-2018-11499 on node-sass #2502

Closed
wagde-orca opened this issue Jul 12, 2022 · 1 comment
Labels
kind/security-advisory Categorizes issue or PR as related to security advisories.

Comments

@wagde-orca

Checklist

  • [V] I've read the documentation regarding wrong detection.
  • [V] I've confirmed that a security advisory in data sources was correct.
    • Run Trivy with -f json that shows data sources and make sure that the security advisory is correct.

Description

CVE-2018-11499
From NVD:
A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.
node-sass is a Node.js package for libsass.
node-sass package versions >=4.4.0 and <4.13.1 are vulnerable to this CVE because their bundled "libsass" is <= 3.5.4.
In node-sass 4.13.1 they upgraded libsass to 3.6.x.

I believe this is an FN and the CVE should be added to the Trivy DB.
This is the issue in node-sass that upgraded libsass to fix the CVE:
sass/node-sass#2720

trivy -v
Version: 0.25.3
Vulnerability DB:
Version: 2
UpdatedAt: 2022-07-12 06:06:06.717469085 +0000 UTC
NextUpdate: 2022-07-12 12:06:06.717468685 +0000 UTC
DownloadedAt: 2022-07-12 22:43:05.784647 +0000 UTC
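While the advisory is missing from the scanner's database, the affected range stated in this report can still be checked directly. The following is an added example, not Trivy's code and not part of this issue: it parses a package-lock.json and flags every node-sass entry whose version lies in the range >=4.4.0, <4.13.1 named above, attributing it to CVE-2018-11499. The range and CVE id come from the issue text; the lockfile content is constructed for illustration, and the helper names are my own.

```python
"""Flag node-sass versions that bundle LibSass <= 3.5.4 (CVE-2018-11499).

Added example, not Trivy's code. Affected range and CVE id are taken from
the issue above; the sample lockfile below is constructed.
"""
import json
import re
from typing import Dict, Iterator, List, Tuple

CVE_ID = "CVE-2018-11499"
FIRST_AFFECTED = (4, 4, 0)   # node-sass 4.4.0: start of the range in the report
FIRST_FIXED = (4, 13, 1)     # node-sass 4.13.1 moved bundled libsass to 3.6.x

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); pre-release/build suffixes are ignored."""
    m = _SEMVER.match(text.strip())
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def node_sass_affected(version: str) -> bool:
    """True if this node-sass version falls inside the vulnerable range."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def find_node_sass(lock: Dict) -> Iterator[Tuple[str, str]]:
    """Yield (install path, version) for every node-sass entry in a lockfile.

    lockfileVersion 2/3 lists packages flat under "packages"; version 1 nests
    them under "dependencies". v2 files carry both, so "dependencies" is only
    walked when "packages" is absent, to avoid double counting.
    """
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path.endswith("node_modules/node-sass") and "version" in meta:
                yield path, meta["version"]
        return

    def walk(deps: Dict, prefix: str) -> Iterator[Tuple[str, str]]:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "node-sass" and "version" in meta:
                yield path, meta["version"]
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def scan_lockfile(text: str) -> List[Dict[str, str]]:
    """Return one finding per affected node-sass copy in the lockfile JSON."""
    lock = json.loads(text)
    findings = []
    for path, version in find_node_sass(lock):
        if node_sass_affected(version):
            findings.append({"path": path, "version": version, "cve": CVE_ID})
    return findings


# Constructed lockfileVersion 1 sample: one affected copy, one fixed copy.
SAMPLE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 1,
    "dependencies": {
        "node-sass": {"version": "4.12.0"},
        "some-tool": {"version": "1.0.0",
                      "dependencies": {"node-sass": {"version": "4.14.1"}}},
    },
})

if __name__ == "__main__":
    for f in scan_lockfile(SAMPLE_LOCK):
        print(f"{f['cve']}: {f['path']}@{f['version']} bundles LibSass <= 3.5.4")
```

Run it against a real lockfile with `scan_lockfile(open("package-lock.json").read())`; nested copies installed under other packages are reported with their full install path so each can be traced to the dependency that pulled it in.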

@wagde-orca wagde-orca added the kind/bug Categorizes issue or PR as related to a bug. label Jul 12, 2022
@knqyf263 knqyf263 added kind/security-advisory Categorizes issue or PR as related to security advisories. and removed kind/bug Categorizes issue or PR as related to a bug. labels Jul 13, 2022
@knqyf263
Collaborator

You can raise an issue to GitHub.
GHSA-c87p-mhv6-fff6

Or GitLab.
https://gitlab.com/gitlab-org/advisories-community
