Open ocofaigh opened 4 years ago
@ocofaigh MicroScanner detects vulnerabilities based on security advisories from Debian. In this case, Debian says this vulnerability is not fixed yet. https://security-tracker.debian.org/tracker/CVE-2018-1000654
It means it can't be addressed even if you install the newest version via apt-get.
$ apt-get install libtasn1-6
...
libtasn1-6 is already the newest version (4.13-3).
...
If you install the patched binary yourself, MicroScanner can't know that.
Thanks @knqyf263 for the comment. Can you confirm if Aqua is using CVSS version 2.0 or 3.x?
I see this vulnerability is flagged as 5.5 MEDIUM in v3.x, but 7.1 HIGH in v2.0.
Is there any way to tell Aqua to use version 3.x?
CVE-2018-1000654 has been open since 2018 - if it really was a high risk, wouldn't there be a fix already?
I think they use CVSS v2 because v3 often shows a much higher score than v2. If MicroScanner adopts v3, the opposite situation will happen. v2 says LOW, while v3 says HIGH. I feel it is intended. Also, you're right. It should have been already fixed if it is a high risk.
CVE-2018-1000654 is not flagged with IBM Cloud Vulnerability Advisor (https://cloud.ibm.com/docs/services/Registry?topic=va-va_index), which is what I have been using to date to scan our images. I can't move to Aqua scanner if it's suddenly telling me there is a high vulnerability from 2018 that is not yet fixed :/
MicroScanner doesn't have the feature to filter unfixed vulnerabilities. If you need it, you can filter them by jq or something like that. Or, you can use https://github.com/aquasecurity/trivy as an OSS scanner.
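As an added example that is not part of this thread and not code from MicroScanner, Aqua or Trivy, the Python below does the post-filtering the comment above suggests doing with jq: it drops findings that carry no fix version (the "unfixed" Debian entries that apt-get cannot address) and rates each remaining finding by its CVSS v3 score when one is present, falling back to v2. The report layout (`resources[]` with `resource` and `vulnerabilities[]`, and the keys `fix_version`, `nvd_score`, `nvd_score_v3`) is an assumption for illustration, and the sample report is constructed; check the real key names in your scanner's JSON before relying on it. The placeholder id `EXAMPLE-0001` and its scores are invented for the sample only.

```python
"""Added example (not MicroScanner/Aqua/Trivy code): post-filter a scanner
JSON report to drop unfixed findings and rate by CVSS v3 where available.

ASSUMPTION: the key names below (resources, resource, vulnerabilities,
fix_version, nvd_score, nvd_score_v3) are illustrative, not a documented
schema. Verify them against your scanner's actual output.
"""
import json

# Constructed sample report, not real scanner output. The CVSS values for
# CVE-2018-1000654 (7.1 v2, 5.5 v3) are the ones quoted in the thread;
# EXAMPLE-0001 is a placeholder finding with made-up scores.
SAMPLE_REPORT = json.dumps({
    "resources": [
        {
            "resource": {"name": "libtasn1-6", "version": "4.13-3"},
            "vulnerabilities": [
                {"name": "CVE-2018-1000654", "fix_version": "",
                 "nvd_score": 7.1, "nvd_score_v3": 5.5},
            ],
        },
        {
            "resource": {"name": "example-pkg", "version": "1.0-1"},
            "vulnerabilities": [
                {"name": "EXAMPLE-0001", "fix_version": "1.0-2",
                 "nvd_score": 4.3, "nvd_score_v3": 8.1},
            ],
        },
    ]
})


def v3_rating(score):
    """CVSS v3.x qualitative severity scale: 0 NONE, 0.1-3.9 LOW,
    4.0-6.9 MEDIUM, 7.0-8.9 HIGH, 9.0-10.0 CRITICAL."""
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def v2_rating(score):
    """CVSS v2 bands as NVD reports them: 0-3.9 LOW, 4.0-6.9 MEDIUM, 7.0-10 HIGH."""
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    return "HIGH"


def filter_findings(report_json, drop_unfixed=True, prefer_v3=True):
    """Flatten a report into a list of findings, each tagged with the score
    and rating chosen by the policy flags.

    drop_unfixed: skip entries with an empty/missing fix_version, i.e. the
                  cases where no newer distro package would help.
    prefer_v3:    rate by nvd_score_v3 when present, else by nvd_score (v2).
    """
    report = json.loads(report_json)
    findings = []
    for res in report.get("resources", []):
        pkg = res.get("resource", {})
        for vuln in res.get("vulnerabilities", []):
            fix = vuln.get("fix_version") or ""
            if drop_unfixed and not fix:
                continue  # no fixed version published; nothing to upgrade to
            v3 = vuln.get("nvd_score_v3")
            v2 = vuln.get("nvd_score")
            if prefer_v3 and v3 is not None:
                score, rating, version = v3, v3_rating(v3), "v3"
            elif v2 is not None:
                score, rating, version = v2, v2_rating(v2), "v2"
            else:
                score, rating, version = None, "UNKNOWN", None
            findings.append({
                "package": pkg.get("name"),
                "installed": pkg.get("version"),
                "id": vuln.get("name"),
                "fix_version": fix,
                "cvss_version": version,
                "score": score,
                "rating": rating,
            })
    return findings


if __name__ == "__main__":
    for f in filter_findings(SAMPLE_REPORT, drop_unfixed=False):
        print(f["id"], f["package"], f["cvss_version"], f["score"], f["rating"])
```

Under the same assumed keys, the jq equivalent of the "drop unfixed" step would be `jq '[.resources[].vulnerabilities[] | select(.fix_version != null and .fix_version != "")]' report.json`; treat that as an assumption to adapt once you have looked at a real report.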
Dockerfile:
Output snippet shows the version before and after the package has been updated:
As you can see, version libtasn1-6 4.16.0-2 is now installed. However, the scan report detects this: