Vulnerabilities in an early layer get flagged even though a later layer fixes them #144
Comments
I can confirm this. Currently there is a vulnerability in systemd in the debian:9 image; however, I do an apt-get upgrade in my images which upgrades to a fixed version. Still, klar reports the error in the base layer.

Same problem here, for glibc and systemd.
gonfva-bcl added a commit to gonfva-bcl/klar that referenced this issue on Jan 14, 2020:

Underlying layers may have a vulnerability that is fixed in the top layers. With this code, we introduce a new variable that allows only the last layer to be analysed.
The image debian:stretch-slim from Docker Hub, as of now, has a vulnerable glibc version:

My own image is based on that, but I do apt update as part of the image build process, so the final image has the fixed version:

However, klar still reports glibc as being vulnerable against the same CVEs. I checked with mitmproxy: klar uploads all layers of the image, but then only asks for the vulnerabilities of the first layer and stops there (presumably because it found vulnerabilities).

I'm not entirely sure if I'm holding something wrong here, because it doesn't make sense to me that klar looks for vulnerabilities in the base layer. I'm not running the base layer, I'm running the entire image only.
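The difference between the two ways of reading a scan result, as an added illustration that is not code from klar, Clair or the issue reporter: a per-layer scanner that stops at the first layer with findings reports every advisory matching the base image's package versions, while evaluating the package set of the whole image (later layers overriding earlier ones) drops the advisories whose fix landed in the upgrade layer. The layer contents, package versions and advisory identifiers below are constructed for the example, and the scanner data model (package, installed version, fixed-by version) is an assumption loosely modelled on Clair's per-layer feature reports; the version comparison follows the dpkg ordering rules.

```python
"""Per-layer vs. whole-image vulnerability evaluation (constructed example)."""
import re
from typing import Dict, List, Tuple

# --- dpkg-style version comparison -----------------------------------------

def _order(c: str) -> int:
    """Sort weight of a non-digit character under dpkg rules: '~' sorts
    before everything (including end of string), letters before symbols."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    # End of string has weight 0, so "1.0~rc1" < "1.0" and "1.0a" > "1.0".
    for i in range(max(len(a), len(b))):
        wa = _order(a[i]) if i < len(a) else 0
        wb = _order(b[i]) if i < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream or revision string by alternating runs of
    non-digits (lexically, with dpkg weights) and digits (numerically)."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(v: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 as v1 sorts before, equal to or after v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


# --- constructed scan data ----------------------------------------------------

# Image layers, bottom to top; each maps package -> installed version.
# Version strings are made up for this example.
LAYERS: List[Dict[str, str]] = [
    {"libc6": "2.24-11+deb9u1", "systemd": "232-25+deb9u11", "bash": "4.4-5"},  # base image
    {"libc6": "2.24-11+deb9u4", "systemd": "232-25+deb9u12"},                   # upgrade layer
]

# Constructed advisories: (id, package, fixed_by). Empty fixed_by = no fix yet.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("EXAMPLE-0001", "libc6", "2.24-11+deb9u4"),
    ("EXAMPLE-0002", "systemd", "232-25+deb9u12"),
    ("EXAMPLE-0003", "libc6", ""),
    ("EXAMPLE-0004", "bash", "4.4-6"),
]


def affects(installed: str, fixed_by: str) -> bool:
    """An advisory applies when there is no fix or the installed version is older."""
    return fixed_by == "" or compare_versions(installed, fixed_by) < 0


def findings_for(packages: Dict[str, str], advisories) -> List[str]:
    return sorted(aid for aid, pkg, fixed in advisories
                  if pkg in packages and affects(packages[pkg], fixed))


def first_layer_findings(layers, advisories) -> List[str]:
    """What a scanner reports if it only evaluates the bottom layer."""
    return findings_for(layers[0], advisories)


def effective_packages(layers) -> Dict[str, str]:
    """Package versions of the final image: each layer overrides the ones below."""
    merged: Dict[str, str] = {}
    for layer in layers:
        merged.update(layer)
    return merged


def effective_findings(layers, advisories) -> List[str]:
    """Advisories that still apply to the image as actually run."""
    return findings_for(effective_packages(layers), advisories)


if __name__ == "__main__":
    print("base layer only:", first_layer_findings(LAYERS, ADVISORIES))
    print("whole image:    ", effective_findings(LAYERS, ADVISORIES))
```

Run as a script, the base-layer view lists all four constructed advisories, while the whole-image view keeps only the two that the upgrade layer did not address (the libc6 advisory with no fix and the untouched bash package). That gap is exactly the false-positive set the reporter and commenters describe; a per-layer report is still useful for tracing where a package was introduced, but the presence or absence of a vulnerability in the running image has to be judged against the topmost version of each package.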