This repository has been archived by the owner on Apr 28, 2021. It is now read-only.

Report mentions both patched and unpatched vulnerabilities #24

Open
Overv opened this issue Mar 29, 2019 · 1 comment

Overv commented Mar 29, 2019

I'm testing MicroScanner by building from the following Dockerfile:

FROM ubuntu

RUN apt-get update && apt-get install -y nginx ca-certificates

ADD https://get.aquasec.com/microscanner /
RUN chmod +x /microscanner
RUN /microscanner <TOKEN OMITTED>

This produces a report that starts by confirming that it runs Ubuntu 18.04:

{
  "scan_started": {
    "seconds": 1553870836,
    "nanos": 325250548
  },
  "scan_duration": 1,
  "digest": "9ca10b67c8e2c94be37d79662e41690ad49e5457c2531e5e7bf7641814879bf3",
  "os": "ubuntu",
  "version": "18.04",
  ...

It correctly lists vulnerabilities like CVE-2016-2781 that have indeed not been patched yet, but it also mentions vulnerabilities like CVE-2016-3189 that were patched a long time ago.

It doesn't seem to count these vulnerabilities in the summary at the end, but it lists them anyway. This is confusing and forces me to check each vendor page manually to see which vulnerability is relevant and which isn't. Why are these irrelevant ones listed at all?

lizrice commented Mar 30, 2019

@ido50 please could you take a look?
