aquasecurity / microscanner

Scan your container images for package vulnerabilities with Aqua Security

Report mentions both patched and unpatched vulnerabilities #24

Open Overv opened 5 years ago

Overv commented 5 years ago

I'm testing MicroScanner by building from the following Dockerfile:

FROM ubuntu

RUN apt-get update && apt-get install -y nginx ca-certificates

ADD https://get.aquasec.com/microscanner /
RUN chmod +x /microscanner
RUN /microscanner <TOKEN OMITTED>

This produces a report that starts by confirming that it runs Ubuntu 18.04:

{
  "scan_started": {
    "seconds": 1553870836,
    "nanos": 325250548
  },
  "scan_duration": 1,
  "digest": "9ca10b67c8e2c94be37d79662e41690ad49e5457c2531e5e7bf7641814879bf3",
  "os": "ubuntu",
  "version": "18.04",
  ...

It correctly lists vulnerabilities like CVE-2016-2781 that have indeed not been patched yet, but it also mentions vulnerabilities like CVE-2016-3189 that have been patched a long time ago.

It doesn't seem to count these vulnerabilities in the summary at the end, but it lists them anyway. This is confusing and forces me to check each vendor page manually to see which vulnerability is relevant and which isn't. Why are these irrelevant ones listed at all?
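One way to do that triage automatically, as an added example that is not part of this issue or of the microscanner project: walk the JSON report, compare each finding's fix version against the installed package version using Debian/Ubuntu version ordering (the dpkg rules, implemented here in Python rather than the single case above), and separate findings the installed build already carries a fix for from the ones that are still open. Everything below the `version` field (`resources`, `resource.name`/`resource.version`, `vulnerabilities[].name`/`fix_version`) and all package versions in the sample are assumptions, not values taken from the real report.

```python
import json
import re

# Constructed sample in the shape the issue quotes; every field below
# "version" and every package/fix version here is assumed, not real data.
SAMPLE_REPORT = json.dumps({
    "os": "ubuntu", "version": "18.04",
    "resources": [
        {"resource": {"name": "bzip2", "version": "1.0.6-8.1"},
         "vulnerabilities": [{"name": "CVE-2016-3189", "fix_version": "1.0.6-8"}]},
        {"resource": {"name": "coreutils", "version": "8.28-1ubuntu1"},
         "vulnerabilities": [{"name": "CVE-2016-2781", "fix_version": ""}]},
    ],
})

def _deb_key(part):
    # Debian ordering: '~' sorts before everything (even end of string),
    # letters before non-letters; digit runs compare numerically.
    def ch(c):
        return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256
    return [(tuple(ch(c) for c in nd) + (0,), int(d or 0))
            for nd, d in re.findall(r"(\D*)(\d*)", part)]

def deb_version_key(v):
    """Sort key matching dpkg --compare-versions for [epoch:]upstream[-revision]."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, rev = rest.rpartition("-")
    if not sep:
        upstream, rev = rest, ""
    return (int(epoch), _deb_key(upstream), _deb_key(rev))

def triage(report_json):
    """Split findings into (already_fixed, still_open) tuples of (pkg, cve, installed, fix)."""
    already_fixed, still_open = [], []
    for res in json.loads(report_json).get("resources", []):
        pkg = res["resource"]
        for vuln in res.get("vulnerabilities", []):
            fix = vuln.get("fix_version", "")
            entry = (pkg["name"], vuln["name"], pkg["version"], fix)
            # fixed only when a fix version exists and the installed build is at or past it
            if fix and deb_version_key(pkg["version"]) >= deb_version_key(fix):
                already_fixed.append(entry)
            else:
                still_open.append(entry)
    return already_fixed, still_open

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Comparing the `still_open` count with the report's own summary is then a quick check on whether the scanner's summary and its per-package listing disagree.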

lizrice commented 5 years ago

@ido50 please could you take a look?