CVE-2018-1000654 is reporting as fail when fix has been installed #47
@ocofaigh MicroScanner detects a vulnerability based on security advisories from Debian. In this case, Debian says this vulnerability is not fixed yet. It means it can't be addressed even if you install the newest version via apt-get.
If you install the patched binary yourself, MicroScanner can't know it.
Thanks @knqyf263 for the comment. Can you confirm if Aqua is using CVSS version 2.0 or 3.x? CVE-2018-1000654 has been open since 2018 - if it really was a high risk, wouldn't there be a fix already?
I think they use CVSS v2 because v3 often shows a much higher score than v2. If MicroScanner adopts v3, the opposite situation will happen. v2 says LOW, while v3 says HIGH.
CVE-2018-1000654 is not flagged by IBM Cloud Vulnerability Advisor (https://cloud.ibm.com/docs/services/Registry?topic=va-va_index), which is what I have been using to date to scan our images. I can't move to the Aqua scanner if it's suddenly telling me there is a high vulnerability from 2018 that is not yet fixed :/
MicroScanner doesn't have the feature to filter unfixed vulnerabilities. If you need it, you can filter them by
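The check behind the explanation above and the filtering workaround, as an added example in Python (not MicroScanner's code): versions are ranked the way dpkg does, and a finding whose Debian advisory lists no fixed version stays flagged whatever version is installed, so such findings are the ones to filter out. The Finding structure, the CVE-EXAMPLE ids and the fixed_in values are assumptions made for the example.

```python
# Added example, not MicroScanner's code: dpkg version ordering applied to findings
from collections import namedtuple
def _order(c: str) -> int:  # dpkg rank of one char: '~' < end/digit < letters < others
    if c == "~":
        return -1
    return 0 if not c or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:  # one upstream or revision part, dpkg style
    while a or b:
        while (a[:1] and not a[:1].isdigit()) or (b[:1] and not b[:1].isdigit()):
            diff = _order(a[:1]) - _order(b[:1])  # non-digit run, char by char
            if diff:
                return diff
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # numeric run, leading zeros ignored
        first_diff = 0
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1  # a's number has more digits, so it is larger
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(a: str, b: str) -> int:
    """Negative, zero or positive, like dpkg --compare-versions a lt/eq/gt b."""
    def parse(v):  # [epoch:]upstream[-revision]; split on first ':' and last '-'
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = parse(a), parse(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

Finding = namedtuple("Finding", "cve package installed fixed_in")  # fixed_in None: no fix yet
def status(f: Finding) -> str:
    if f.fixed_in is None:
        return "unfixed"  # the distro has no fix: flagged whatever version is installed
    return "resolved" if compare_versions(f.installed, f.fixed_in) >= 0 else "affected"

def actionable(findings):  # the thread's workaround: drop what the distro cannot fix yet
    return [f for f in findings if status(f) != "unfixed"]

SAMPLE = [  # constructed; the CVE-EXAMPLE ids and fixed_in values are placeholders
    Finding("CVE-2018-1000654", "libtasn1-6", "4.16.0-2", None),
    Finding("CVE-EXAMPLE-1", "libexample1", "1.2.3-2", "1.2.3-1"),
    Finding("CVE-EXAMPLE-2", "libexample2", "2.0~rc1-1", "2.0-1"),
]
```

Feeding real scanner output into it requires mapping the report's package, installed-version and fixed-version fields onto Finding.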
Dockerfile:
Output snippet shows the version before and after the package has been updated:
As you can see, version libtasn1-6 4.16.0-2 is now installed. However, the scan report detects this: