alpinelinux / docker-alpine

Official Alpine Linux Docker image. Win at minimalism!
MIT License

CVE-2019-0190 : reported in openssl-3.1.4-r1 & r2 for alpine-3.18 #367

Closed sanketmagar2001 closed 4 months ago

sanketmagar2001 commented 6 months ago

CVE-2019-0190 : https://nvd.nist.gov/vuln/detail/CVE-2019-0190

PavelJiranek commented 6 months ago

^^ The same goes for alpine-3.19.

DubLDub commented 6 months ago

I am running into this issue as well with Twistlock flagging OpenSSL on Alpine with CVE-2019-0190.

Looking at the CVE, it looks like it applies to Apache HTTP Server version 2.4.37 with any version of OpenSSL 1.1.1 or later.

Would that make it a false positive to be flagging any version of OpenSSL, especially if Apache HTTP server isn't even installed?

mariozelaschi commented 5 months ago

I too have the same problem with Prisma Cloud reporting the vulnerability and confirm that it occurs with the base Alpine Docker image without any changes to the Dockerfile (so no Apache installed). I wrote an email to Alpine support a few weeks ago to report this issue, but didn't have any feedback.

Pikabanga commented 5 months ago

I agree with the others that this sounds like a false positive that needs to be fixed somehow.

Side note: I get the same CVE detected in our alpine image with Prisma Cloud. However, Trivy (another image scanning tool) does not detect this.

Pocafeina commented 5 months ago

Hi, is this related to the vulnerability flagged here? https://hub.docker.com/layers/library/golang/1.20-alpine3.19/images/sha256-c479199e85119eb4a17ca80ec08824b97d0420dfb31a03a0c496c85a296f9341?context=explore

Is there any fix that I've not seen?

mariozelaschi commented 5 months ago

> Hi, is this related to the vulnerability flagged here? https://hub.docker.com/layers/library/golang/1.20-alpine3.19/images/sha256-c479199e85119eb4a17ca80ec08824b97d0420dfb31a03a0c496c85a296f9341?context=explore
>
> Is there any fix that I've not seen?

Not really, it's a completely different CVE.

Pocafeina commented 5 months ago

Then shall we open a new issue?

parakh30 commented 5 months ago

Do we have a fix for this?

Pikabanga commented 5 months ago

tumbleweed

mariozelaschi commented 5 months ago

Today I checked the Prisma Cloud report again, and it seems that the false positive is resolved and does not appear anymore :)

Pikabanga commented 5 months ago

> Today I checked the Prisma Cloud report again, and it seems that the false positive is resolved and does not appear anymore :)

That's interesting. For us it still shows. Is your Prisma Cloud instance on premises or are you perhaps using a SaaS solution? We are on prem.

mariozelaschi commented 5 months ago

I don't know for sure since it is in the client's infrastructure: the address is an internal one, but they could use a proxy :(

ncopa commented 4 months ago

Alpine docker image does not include mod_ssl so there is nothing for us to fix.

Please use a better scanner.
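The practical triage step behind DubLDub's reading of the advisory and ncopa's closing remark is to check, from the package list of the image itself, whether the CVE's precondition (Apache httpd 2.4.37 mod_ssl linked against OpenSSL 1.1.1 or later) is actually present, rather than trusting a scanner match on the bare OpenSSL version string. The script below is an added example written for this page; it is not code from the Alpine project, from the scanners mentioned, or from anyone in the thread. It assumes Alpine's packaging conventions that mod_ssl ships in the `apache2-ssl` package and the OpenSSL 3 library in `libssl3` (both assumptions), and the three package lists are constructed to look like `apk info -v` output, not captured from a real image.

```shell
#!/bin/sh
# Added example (not from the Alpine project or this thread): decide whether the
# CVE-2019-0190 precondition (Apache httpd 2.4.37 mod_ssl + OpenSSL >= 1.1.1)
# holds for an installed-package list, so a scanner hit on the bare openssl
# package can be triaged. Input is one package per line in the form printed by
# `apk info -v`, e.g. "openssl-3.1.4-r2".
# Assumption: Alpine ships mod_ssl in "apache2-ssl" and the OpenSSL 3 library
# in "libssl3".

# Print the version of package $1 from an apk-style list on stdin (or nothing).
pkg_version() {
    grep -E "^$1-[0-9]" | sed -E "s/^$1-//" | head -n 1
}

# Numeric, field-by-field comparison of two dotted versions (3 fields).
# Alpine's "-rN" suffix and letter suffixes such as OpenSSL's "1.1.1t" are
# ignored. Returns 0 if $1 >= $2, 1 otherwise.
version_ge() {
    a=$(printf '%s' "$1" | sed -E 's/-r[0-9]+$//; s/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed -E 's/[^0-9.].*$//')
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Read a package list on stdin and print one APPLICABLE / NOT_APPLICABLE line.
cve_2019_0190_status() {
    pkgs=$(cat)
    # OpenSSL version: the openssl CLI package if present, else the library package.
    ssl=$(printf '%s\n' "$pkgs" | pkg_version openssl)
    [ -n "$ssl" ] || ssl=$(printf '%s\n' "$pkgs" | pkg_version libssl3)
    httpd=$(printf '%s\n' "$pkgs" | pkg_version apache2-ssl)
    if [ -z "$httpd" ]; then
        printf 'NOT_APPLICABLE: no apache2-ssl (mod_ssl) package installed\n'
        return 0
    fi
    case "$httpd" in
        2.4.37|2.4.37-r*)
            if version_ge "$ssl" 1.1.1; then
                printf 'APPLICABLE: apache2-ssl %s with OpenSSL %s\n' "$httpd" "$ssl"
                return 0
            fi ;;
    esac
    printf 'NOT_APPLICABLE: apache2-ssl %s / OpenSSL %s outside the affected combination\n' "$httpd" "$ssl"
}

# Constructed sample lists (illustrative versions, not captured from real images).
# 1. A bare alpine:3.18-style image: OpenSSL present, no httpd at all.
ALPINE_BASE_PKGS='musl-1.2.4-r2
busybox-1.36.1-r5
alpine-baselayout-3.4.3-r1
libcrypto3-3.1.4-r2
libssl3-3.1.4-r2
openssl-3.1.4-r2'
# 2. The combination the advisory actually describes.
APACHE_2437_PKGS='musl-1.1.20-r4
libssl1.1-1.1.1-r0
openssl-1.1.1-r0
apache2-2.4.37-r0
apache2-ssl-2.4.37-r0'
# 3. mod_ssl installed, but httpd is a later release than 2.4.37.
APACHE_FIXED_PKGS='libssl3-3.1.4-r2
openssl-3.1.4-r2
apache2-2.4.58-r0
apache2-ssl-2.4.58-r0'

# Stand-alone demo over the constructed lists. In a real container run:
#   apk info -v | cve_2019_0190_status
for name in ALPINE_BASE_PKGS APACHE_2437_PKGS APACHE_FIXED_PKGS; do
    eval "list=\$$name"
    printf '%s: ' "$name"
    printf '%s\n' "$list" | cve_2019_0190_status
done
```

For a one-off check inside the image, `apk info -e apache2-ssl` (exit status 0 only when the package is installed) answers the same question without the script; the script is for triaging scanner output in bulk, where the package list of each flagged image can be fed through it. It does not silence the scanner, it only documents why the finding does not apply.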