Secure-Compliance-Solutions-LLC / GVM-Docker

Greenbone Vulnerability Management Docker Image with OpenVAS
https://securecompliance.gitbook.io/projects/
MIT License

Trivy scan on this project image is showing critical vulnerabilities #242

Open austinsonger opened 3 years ago

austinsonger commented 3 years ago

Discussed in https://github.com/Secure-Compliance-Solutions-LLC/GVM-Docker/discussions/240

Originally posted by **MarcosSarzi-Neo** July 26, 2021

I am executing some tests using this image from docker and I am getting some critical vulnerabilities from it, where should I ask for help?

```
localhost:gvm (alpine 3.14.0)
agent_1 | =============================
agent_1 | Total: 0 (HIGH: 0, CRITICAL: 0)
agent_1 |
agent_1 |
agent_1 | usr/share/texmf-dist/scripts/latex2nemeth/latex2nemeth-v1.0.2.jar (jar)
agent_1 | =======================================================================
agent_1 | Total: 2 (HIGH: 1, CRITICAL: 1)
agent_1 |
agent_1 | +-----------------------------------------+------------------+----------+-------------------+---------------+
agent_1 | |                 LIBRARY                 | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
agent_1 | +-----------------------------------------+------------------+----------+-------------------+---------------+
agent_1 | | org.apache.commons:commons-collections4 | CVE-2015-7501    | CRITICAL | 4.0               | 4.1           |
agent_1 | +                                         +------------------+----------+                   +               +
agent_1 | |                                         | CVE-2015-6420    | HIGH     |                   |               |
agent_1 | +-----------------------------------------+------------------+----------+-------------------+---------------+
agent_1 |
agent_1 | usr/share/texmf-dist/scripts/texplate/texplate.jar (jar)
agent_1 | ========================================================
agent_1 | Total: 1 (HIGH: 1, CRITICAL: 0)
agent_1 |
agent_1 | +------------------------------------------+------------------+----------+-------------------+---------------+
agent_1 | |                 LIBRARY                  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
agent_1 | +------------------------------------------+------------------+----------+-------------------+---------------+
agent_1 | | org.apache.velocity:velocity-engine-core | CVE-2020-13936   | HIGH     | 2.2               | 2.3           |
agent_1 | +------------------------------------------+------------------+----------+-------------------+---------------+
```
MarcosSarzi-Neo commented 3 years ago

Mine is showing the same.

Dexus commented 3 years ago

> Mine is showing the same.

This was your report in the discussion. ;)

The package and the author details are at https://git.alpinelinux.org/aports/tree/community/texmf-dist/APKBUILD.

You can open an Issue at https://gitlab.alpinelinux.org/alpine/aports/-/issues

I'm currently not on the correct system to do it, so if one of you has time to do it, feel free.

Dexus commented 3 years ago

I opened the issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/12874

Dexus commented 3 years ago

texplate will be released to cpan.org in the next few days, so we need to wait for the other distros to use the new version.
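One way to triage a report like the one quoted at the top of this issue, and to record an accepted-risk ignore for the texmf-dist jar findings while the fixed package works its way through Alpine, as an added example (this is not code from GVM-Docker or from Trivy). It assumes the report was produced with `trivy image --format json` and that the ignore file uses .trivyignore's basic layout (one vulnerability ID per line, `#` starts a comment); the sample report and ignore list below are constructed from the findings in the issue, not from a real run against the image.

```python
"""Triage a Trivy JSON report: group findings by target, apply a
.trivyignore-style list, and decide whether the scan should fail a build.

Added example; not code from GVM-Docker or from Trivy itself.
Assumptions: report produced with `trivy image --format json`; ignore file
follows .trivyignore's basic layout (one ID per line, '#' comments).
"""
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample: a cut-down JSON rendering of the findings quoted in the
# issue above, not an actual Trivy run against the image.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "localhost:gvm",
    "Results": [
        {"Target": "localhost:gvm (alpine 3.14.0)", "Class": "os-pkgs",
         "Type": "alpine", "Vulnerabilities": []},
        {"Target": "usr/share/texmf-dist/scripts/latex2nemeth/latex2nemeth-v1.0.2.jar",
         "Class": "lang-pkgs", "Type": "jar",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2015-7501", "Severity": "CRITICAL",
              "PkgName": "org.apache.commons:commons-collections4",
              "InstalledVersion": "4.0", "FixedVersion": "4.1"},
             {"VulnerabilityID": "CVE-2015-6420", "Severity": "HIGH",
              "PkgName": "org.apache.commons:commons-collections4",
              "InstalledVersion": "4.0", "FixedVersion": "4.1"},
         ]},
        {"Target": "usr/share/texmf-dist/scripts/texplate/texplate.jar",
         "Class": "lang-pkgs", "Type": "jar",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2020-13936", "Severity": "HIGH",
              "PkgName": "org.apache.velocity:velocity-engine-core",
              "InstalledVersion": "2.2", "FixedVersion": "2.3"},
         ]},
    ],
})

# Constructed ignore list: accept the commons-collections4 findings until the
# upstream Alpine texmf-dist package ships the fixed jar.
SAMPLE_IGNORE = """
# texmf-dist jars, tracked upstream in aports issue 12874
CVE-2015-7501
CVE-2015-6420
"""


def parse_ignore(text):
    """Return the set of vulnerability IDs listed in .trivyignore-style text."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if line:
            ids.add(line.split()[0])            # tolerate trailing annotations
    return ids


def load_results(report_text):
    """Accept both Trivy JSON layouts: a bare list (older releases) or {"Results": [...]}."""
    data = json.loads(report_text)
    if isinstance(data, list):
        return data
    return data.get("Results") or []


def triage(report_text, ignore_text="", fail_on="HIGH"):
    """Summarise findings per target and list the IDs that would fail the build.

    'by_target' -> {target: [(id, pkg, installed, fixed, severity), ...]}
    'ignored'   -> IDs suppressed by the ignore list
    'blocking'  -> non-ignored IDs at or above the `fail_on` severity
    'unfixed'   -> blocking IDs for which Trivy reports no fixed version
    """
    ignored_ids = parse_ignore(ignore_text)
    threshold = SEVERITY_RANK[fail_on.upper()]
    by_target, ignored, blocking, unfixed = {}, set(), set(), set()

    for result in load_results(report_text):
        findings = by_target.setdefault(result["Target"], [])
        for vuln in result.get("Vulnerabilities") or []:   # key may be missing or null
            vid = vuln["VulnerabilityID"]
            sev = vuln.get("Severity", "UNKNOWN").upper()
            fixed = vuln.get("FixedVersion") or ""
            findings.append((vid, vuln.get("PkgName", ""),
                             vuln.get("InstalledVersion", ""), fixed, sev))
            if vid in ignored_ids:
                ignored.add(vid)
            elif SEVERITY_RANK.get(sev, 0) >= threshold:
                blocking.add(vid)
                if not fixed:
                    unfixed.add(vid)

    return {"by_target": by_target, "ignored": sorted(ignored),
            "blocking": sorted(blocking), "unfixed": sorted(unfixed)}


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT, SAMPLE_IGNORE, fail_on="HIGH")
    for target, findings in summary["by_target"].items():
        print(f"{target}: {len(findings)} finding(s)")
        for vid, pkg, installed, fixed, sev in findings:
            print(f"  {sev:<8} {vid:<15} {pkg} {installed} -> {fixed or 'no fix'}")
    print("ignored :", summary["ignored"])
    print("blocking:", summary["blocking"])
    raise SystemExit(1 if summary["blocking"] else 0)
```

With the constructed inputs the two commons-collections4 CVEs are suppressed by the ignore list and CVE-2020-13936 in texplate.jar remains blocking, so the script exits non-zero; an ignore entry is a recorded acceptance of risk, and the `unfixed` list separates findings you can only wait on from those a package bump would clear.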