Describe the bug
I am switching to using a hardened Docker image for Ubuntu provided by Canonical to get rid of all the CVEs.
My image is now free of vulnerabilities apart from the two brought by doppler and detected by trivy.
To Reproduce
$ trivy --version
Version: 0.18.3
Vulnerability DB:
Type: Light
Version: 1
UpdatedAt: 2021-06-22 00:05:00.051809127 +0000 UTC
NextUpdate: 2021-06-22 06:05:00.051808727 +0000 UTC
DownloadedAt: 2021-06-22 10:08:26.510496673 +0000 UTC
$ trivy image <IMAGE_NAME>
2021-06-22T12:14:55.914+0200 INFO Detected OS: ubuntu
2021-06-22T12:14:55.914+0200 WARN This OS version is not on the EOL list: ubuntu 21.10
2021-06-22T12:14:55.914+0200 INFO Detecting Ubuntu vulnerabilities...
2021-06-22T12:14:55.915+0200 INFO Number of PL dependency files: 3
2021-06-22T12:14:55.915+0200 INFO Detecting jar vulnerabilities...
2021-06-22T12:14:55.915+0200 INFO Detecting gobinary vulnerabilities...
2021-06-22T12:14:55.915+0200 WARN This OS version is no longer supported by the distribution: ubuntu 21.10
2021-06-22T12:14:55.915+0200 WARN The vulnerability detection may be insufficient because security updates are not provided
<IMAGE_NAME>:latest (ubuntu 21.10)
===================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
usr/bin/doppler
===============
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
+---------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
| golang.org/x/crypto | CVE-2020-29652 | HIGH | v0.0.0-20190530122614-20be4c3c3ed5 | v0.0.0-20201216223049-8b5274cf687f | golang: crypto/ssh: crafted |
| | | | | | authentication request can |
| | | | | | lead to nil pointer dereference |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-29652 |
+ +------------------+ + +------------------------------------+---------------------------------------+
| | CVE-2020-9283 | | | v0.0.0-20200220183623-bac4c82f6975 | golang.org/x/crypto: Processing |
| | | | | | of crafted ssh-ed25519 |
| | | | | | public keys allows for panic |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-9283 |
+---------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
Expected behavior
No vulnerabilities shown.
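As an added example (not part of this report or of Doppler's code): the gobinary check trivy performs above is a comparison of the module versions a Go binary embeds in its build info against each advisory's first fixed version. The program below reproduces that for the two golang.org/x/crypto rows, using a constructed runtime/debug.BuildInfo in place of the real usr/bin/doppler; the Advisory type and the pseudo-version-only comparison are my own simplification.

```go
package main
import (
	"fmt"
	"runtime/debug"
	"strings"
	"time"
)
// Advisory is one row of the trivy table above: module path, CVE and first fixed version.
type Advisory struct{ Module, ID, Fixed string }
// The two golang.org/x/crypto advisories trivy reported against usr/bin/doppler.
var advisories = []Advisory{
	{"golang.org/x/crypto", "CVE-2020-29652", "v0.0.0-20201216223049-8b5274cf687f"},
	{"golang.org/x/crypto", "CVE-2020-9283", "v0.0.0-20200220183623-bac4c82f6975"},
}

// pseudoTime extracts the commit timestamp from a Go pseudo-version such as
// v0.0.0-20190530122614-20be4c3c3ed5; ok is false for any other version shape.
func pseudoTime(v string) (time.Time, bool) {
	parts := strings.Split(v, "-")
	if len(parts) != 3 || len(parts[1]) != 14 {
		return time.Time{}, false
	}
	t, err := time.Parse("20060102150405", parts[1])
	return t, err == nil
}

// vulnerable reports whether installed predates fixed; only pseudo-versions are compared, tagged releases count as patched.
func vulnerable(installed, fixed string) bool {
	it, iok := pseudoTime(installed)
	ft, fok := pseudoTime(fixed)
	return iok && fok && it.Before(ft)
}

// findings lists the advisory IDs that apply to the module versions embedded in bi.
func findings(bi *debug.BuildInfo) []string {
	var ids []string
	for _, dep := range bi.Deps {
		for _, a := range advisories {
			if dep.Path == a.Module && vulnerable(dep.Version, a.Fixed) {
				ids = append(ids, a.ID)
			}
		}
	}
	return ids
}

func main() {
	// Constructed build info standing in for what trivy read out of usr/bin/doppler.
	dep := &debug.Module{Path: "golang.org/x/crypto", Version: "v0.0.0-20190530122614-20be4c3c3ed5"}
	fmt.Println(findings(&debug.BuildInfo{Deps: []*debug.Module{dep}})) // [CVE-2020-29652 CVE-2020-9283]
}
```

Running it against a real binary means feeding `debug.ReadBuildInfo()` (or `debug/buildinfo.ReadFile`) into findings instead of the constructed BuildInfo.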