Open juls858 opened 2 years ago
{
  "compliances": [
    {
      "id": 425,
      "title": "Private keys stored in image",
      "severity": "high",
      "cause": "Found: /opt/conda/lib/python3.9/site-packages/future/backports/test/badcert.pem, /opt/conda/lib/python3.9/site-packages/future/backports/test/badkey.pem, /opt/conda/lib/python3.9/site-packages/future/backports/test/keycert.passwd.pem, /opt/conda/lib/python3.9/site-packages/future/backports/test/keycert.pem, /opt/conda/lib/python3.9/site-packages/future/backports/test/keycert2.pem, /opt/conda/lib/python3.9/site-packages/future/backports/test/ssl_key.passwd.pem, /opt/conda/lib/python3.9/site-packages/future/backports/test/ssl_key.pem, /opt/conda/pkgs/future-0.18.2-py39h06a4308_1/lib/python3.9/site-packages/future/backports/test/badcert.pem, /opt/conda/pkgs/future-0.18.2-py39h06a4308_1/lib/python3.9/site-packages/future/backports/test/badkey.pem, /opt/conda/pkgs/future-0.18.2-py39h06a4308_1/lib/python3.9/site-packages/future/backports/test/keycert.passwd.pem, /opt/conda/pkgs/future-0.18.2-py39h06a4308_1/lib/python3.9/site-packages/future/backports/test/keycert.pem, /opt/conda/pkgs/future-0.18.2-py39h06a4308_1/lib/python3.9/site-packages/future/backports/test/keycert2.pem, /opt/conda/pkgs/future-0.18.2-py39h06a4308_1/lib/python3.9/site-packages/future/backports/test/ssl_key.passwd.pem, /opt/conda/pkgs/future-0.18.2-py39h06a4308_1/lib/python3.9/site-packages/future/backports/test/ssl_key.pem"
    }
  ]
}
Actual Behavior
Copied from here
PrismaScan: https://vscanapidoc.redlock.io
Our company uses PrismaScan to scan container images for vulnerabilities.
The backports test module contains private keys which are causing this alert.
Expected Behavior
No security alert should be flagged as these are tests or test distributed code should not include private keys.
Steps to Reproduce
Create container image with Miniconda. I am using this image in DockerHub: continuumio/miniconda3
Run PrismaScan
Anaconda or Miniconda version:
Operating System:
Docker Image: continuumio/miniconda3:4.9.2-alpine
conda info
conda list --show-channel-urls
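A way to triage an alert of this shape before deciding how to handle it, as an added example that is not part of the original issue or of PrismaScan: it groups the flagged paths by file relative to `site-packages`, so copies under the conda package cache collapse onto the installed file and fixtures under a `test` directory are tagged. The sample alert is constructed from four of the paths in the issue plus one made-up path (`/srv/app/deploy.key`); `triage`, `needs_review` and `TEST_DIRS` are hypothetical names.

```python
import json
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample in the shape of the alert in the issue: four of its paths
# plus one made-up path (/srv/app/deploy.key) for contrast.
SAMPLE_ALERT = json.dumps({"compliances": [{
    "id": 425, "title": "Private keys stored in image", "severity": "high",
    "cause": "Found: "
    "/opt/conda/lib/python3.9/site-packages/future/backports/test/badkey.pem, "
    "/opt/conda/lib/python3.9/site-packages/future/backports/test/ssl_key.pem, "
    "/opt/conda/pkgs/future-0.18.2-py39h06a4308_1/lib/python3.9/site-packages/future/backports/test/badkey.pem, "
    "/opt/conda/pkgs/future-0.18.2-py39h06a4308_1/lib/python3.9/site-packages/future/backports/test/ssl_key.pem, "
    "/srv/app/deploy.key",
}]})

# Assumption: directory names that mark files shipped as test fixtures.
# This is a triage hint only; a real key placed in such a directory is still a leak.
TEST_DIRS = {"test", "tests", "testing"}


def triage(alert_json):
    """Return {path relative to site-packages: {copies, package, test_fixture}}."""
    findings = defaultdict(lambda: {"copies": [], "package": None, "test_fixture": False})
    for item in json.loads(alert_json)["compliances"]:
        prefix, _, listing = item["cause"].partition(":")
        if prefix != "Found":
            continue  # cause text in a shape this example does not handle
        for raw in filter(None, (p.strip() for p in listing.split(","))):
            parts = PurePosixPath(raw).parts
            in_pkg = "site-packages" in parts
            # Outside site-packages, key on the full path without the leading "/".
            rel = parts[parts.index("site-packages") + 1:] if in_pkg else parts[1:]
            entry = findings["/".join(rel)]
            entry["copies"].append(raw)
            entry["package"] = rel[0] if in_pkg and rel else None
            entry["test_fixture"] = in_pkg and any(d in TEST_DIRS for d in rel[:-1])
    return dict(findings)


def needs_review(findings):
    """Files that are not package test fixtures and need a closer look first."""
    return sorted(k for k, v in findings.items() if not v["test_fixture"])


if __name__ == "__main__":
    for name, info in triage(SAMPLE_ALERT).items():
        print(name, len(info["copies"]), info["package"], info["test_fixture"])
```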