Azure / azure-functions-docker

This repo contains the base Docker images for working with azure functions
MIT License

CVE-2023-45853 for dotnet:4-slim image #1130

Open asos-sasamilovic opened 1 month ago

asos-sasamilovic commented 1 month ago

Hi, we are getting this when scanning with Snyk:

✗ Critical severity vulnerability found in zlib/zlib1g
  Description: Integer Overflow or Wraparound
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-ZLIB-6008961
  Introduced through: zlib/zlib1g@1:1.2.11.dfsg-2+deb11u2
  From: zlib/zlib1g@1:1.2.11.dfsg-2+deb11u2
  Image layer: Introduced by your base image (mcr.microsoft.com/azure-functions/dotnet:4-slim)

FinVamp1 commented 3 weeks ago

• From what we have concluded, this is a false positive detection in the Debian images. Unfortunately there are a ton of Debian-based container images that will get flagged; Debian is a very popular base image.
• The source code of that particular version of zlib has a vulnerability, but the vulnerable part isn't in the Debian package. The Debian binary for zlib doesn't contain the vulnerable code.

This reference link discusses it in more detail: ZLib Issue Discussion
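An added check, not part of the thread or of the azure-functions-docker project: CVE-2023-45853 is an integer overflow in zipOpenNewFileInZip4_64, which lives in zlib's contrib/minizip helper code rather than in libz itself. Whether a given image is exposed therefore comes down to whether its libz.so.1 exports any minizip entry points. The function below filters `nm -D` output for the zip*/unz* symbol prefixes that minizip's API uses; the Debian library path and the sample nm lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not the project's code: check whether an image's libz.so.1
# actually exports the minizip entry points that CVE-2023-45853 lives in.
# Assumptions: minizip's public API is the zip*/unz* functions from
# contrib/minizip, and Debian's library path is /lib/x86_64-linux-gnu/libz.so.1.

# Keep only minizip symbols from `nm -D --defined-only` style output on stdin.
# zlib proper exports nothing starting with "zip" or "unz" (its own names are
# inflate*/deflate*/gz*/crc32/adler32/zlib*), so a match means minizip was
# linked into the shared object.
minizip_symbols() {
    grep -E '(^|[[:space:]])(zip|unz)[A-Za-z0-9_]+' || true
}

# Print any minizip symbols exported by the shared object $1.
# Returns 0 if some were found (image may be affected), 1 if none, 2 on error.
check_lib() {
    lib="$1"
    if [ ! -r "$lib" ]; then
        echo "cannot read $lib" >&2
        return 2
    fi
    found=$(nm -D --defined-only "$lib" 2>/dev/null | minizip_symbols)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 0
    fi
    return 1
}

# Usage against the image from the report (binutils is not in the slim image,
# so copy the library out and inspect it on the host):
#   cid=$(docker create mcr.microsoft.com/azure-functions/dotnet:4-slim)
#   docker cp "$cid":/lib/x86_64-linux-gnu/libz.so.1 ./libz.so.1
#   docker rm "$cid" >/dev/null
#   if check_lib ./libz.so.1; then echo "minizip present"; else echo "no minizip symbols"; fi
```

If the check reports no minizip symbols, the finding is package-metadata noise: the scanner matched the source version string, not code present in the binary. Record that justification wherever you suppress the finding (for Snyk, an ignore rule with a reason in the `.snyk` policy file) so the suppression is reviewable later.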