Open bap2000 opened 4 years ago
I am seeing a similar issue with the following:

- https://nvd.nist.gov/vuln/detail/CVE-2018-0732 - updated OpenSSL to version 1.1.1d but vulnerability still appears
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000021 - updated Git to version 2.25.0 but vulnerability still appears
- https://nvd.nist.gov/vuln/detail/CVE-2017-17522 - updated Python3 to version 3.7.4 but vulnerability still appears
I am running the scanner on Maven images from Docker Hub, which are running Debian. I'm using the following Dockerfile:
```dockerfile
FROM maven:3-jdk-11
USER 0
# Add the Debian testing suite so apt can see newer package versions
RUN echo "deb http://http.us.debian.org/debian testing main" \
    >> /etc/apt/sources.list
RUN apt-get update
RUN apt-get -y install git
```

`git` can be replaced with `openssl` or `python3` and the same issue can be observed.
I have to add the testing apt repository to get recent enough packages for these CVEs.
Anyone have any joy with this? I just reported something similar: https://github.com/aquasecurity/microscanner/issues/47
As described here, libtasn1-6 4.13-3 in buster is vulnerable.
Install the fixed version from bullseye as below.
Microscanner lists the newer fixed version in the report, but still marks it as vulnerable