Closed wsun4ipipeline closed 6 years ago
cc @MichaelSimons ideas?
And I tried scanning 2.0.4-stretch too; it also has 27 vulnerable components.

```
ADD file:eb2519421c97...4d2ddb7de69e52a in /                  Compressed size: 43.0MB   13 vulnerable components
/bin/sh -c apt-get up... /var/lib/apt/lists/*                 Compressed size: 21.8MB   13 vulnerable components
/bin/sh -c for versio...tore.tar.gz; done                     Compressed size: 32.8MB   1 vulnerable component
```
If those Unix components are not used by the ASP.NET Core framework, could you build a 'clean version' by removing them, and let end users install them in their Dockerfile if they need them?
@wsun4ipipeline - would you move this issue to the dotnet/dotnet-docker repo? The vulnerabilities reside in the base layers of the aspnetcore images - e.g. microsoft/dotnet and the base OS.
This issue was moved to dotnet/dotnet-docker#353
Steps to reproduce the issue
1. Push the Docker image microsoft/aspnetcore:2.0.4-jessie to hub.docker
2. Check the tag tab for the security scan result after a couple of hours, when the result is available
Expected behavior
No critical vulnerabilities
Actual behavior
20 of 239 components are vulnerable
Output of docker hub security scan