Closed PatrickGoRaft closed 3 weeks ago
Research results @PatrickGoRaft: It looks like Snyk is a strictly worse CVE scanner than Docker Scout. Docker Scout includes all the CVEs that Snyk detects and more.
Snyk Scan:
Testing snyk-test-image:snyk-test...
✗ Low severity vulnerability found in openssl/libcrypto3 Description: CVE-2024-2511 Info: https://security.snyk.io/vuln/SNYK-ALPINE319-OPENSSL-6593965 Introduced through: openssl/libcrypto3@3.1.4-r5, apk-tools/apk-tools@2.14.0-r5, busybox/ssl_client@1.36.1-r15, ca-certificates/ca-certificates@20240226-r0, openssl/libssl3@3.1.4-r5 From: openssl/libcrypto3@3.1.4-r5 From: apk-tools/apk-tools@2.14.0-r5 > openssl/libcrypto3@3.1.4-r5 From: busybox/ssl_client@1.36.1-r15 > openssl/libcrypto3@3.1.4-r5 and 5 more... Fixed in: 3.1.4-r6
✗ Low severity vulnerability found in openssl/libcrypto3 Description: CVE-2024-4603 Info: https://security.snyk.io/vuln/SNYK-ALPINE319-OPENSSL-6928853 Introduced through: openssl/libcrypto3@3.1.4-r5, apk-tools/apk-tools@2.14.0-r5, busybox/ssl_client@1.36.1-r15, ca-certificates/ca-certificates@20240226-r0, openssl/libssl3@3.1.4-r5 From: openssl/libcrypto3@3.1.4-r5 From: apk-tools/apk-tools@2.14.0-r5 > openssl/libcrypto3@3.1.4-r5 From: busybox/ssl_client@1.36.1-r15 > openssl/libcrypto3@3.1.4-r5 and 5 more... Fixed in: 3.1.5-r0
✗ Low severity vulnerability found in openssl/libcrypto3 Description: CVE-2024-5535 Info: https://security.snyk.io/vuln/SNYK-ALPINE319-OPENSSL-7413523 Introduced through: openssl/libcrypto3@3.1.4-r5, apk-tools/apk-tools@2.14.0-r5, busybox/ssl_client@1.36.1-r15, ca-certificates/ca-certificates@20240226-r0, openssl/libssl3@3.1.4-r5 From: openssl/libcrypto3@3.1.4-r5 From: apk-tools/apk-tools@2.14.0-r5 > openssl/libcrypto3@3.1.4-r5 From: busybox/ssl_client@1.36.1-r15 > openssl/libcrypto3@3.1.4-r5 and 5 more... Fixed in: 3.1.6-r0
✗ Low severity vulnerability found in openssl/libcrypto3 Description: CVE-2024-4741 Info: https://security.snyk.io/vuln/SNYK-ALPINE319-OPENSSL-7413527 Introduced through: openssl/libcrypto3@3.1.4-r5, apk-tools/apk-tools@2.14.0-r5, busybox/ssl_client@1.36.1-r15, ca-certificates/ca-certificates@20240226-r0, openssl/libssl3@3.1.4-r5 From: openssl/libcrypto3@3.1.4-r5 From: apk-tools/apk-tools@2.14.0-r5 > openssl/libcrypto3@3.1.4-r5 From: busybox/ssl_client@1.36.1-r15 > openssl/libcrypto3@3.1.4-r5 and 5 more... Fixed in: 3.1.6-r0
✗ Low severity vulnerability found in openssl/libcrypto3 Description: CVE-2024-6119 Info: https://security.snyk.io/vuln/SNYK-ALPINE319-OPENSSL-7895536 Introduced through: openssl/libcrypto3@3.1.4-r5, apk-tools/apk-tools@2.14.0-r5, busybox/ssl_client@1.36.1-r15, ca-certificates/ca-certificates@20240226-r0, openssl/libssl3@3.1.4-r5 From: openssl/libcrypto3@3.1.4-r5 From: apk-tools/apk-tools@2.14.0-r5 > openssl/libcrypto3@3.1.4-r5 From: busybox/ssl_client@1.36.1-r15 > openssl/libcrypto3@3.1.4-r5 and 5 more... Fixed in: 3.1.7-r0
✗ Medium severity vulnerability found in busybox/busybox Description: Out-of-bounds Write Info: https://security.snyk.io/vuln/SNYK-ALPINE319-BUSYBOX-6913413 Introduced through: busybox/busybox@1.36.1-r15, alpine-baselayout/alpine-baselayout@3.4.3-r2, busybox/busybox-binsh@1.36.1-r15, ca-certificates/ca-certificates@20240226-r0, font-dejavu/font-dejavu@2.37-r5, busybox/ssl_client@1.36.1-r15 From: busybox/busybox@1.36.1-r15 From: alpine-baselayout/alpine-baselayout@3.4.3-r2 > busybox/busybox-binsh@1.36.1-r15 > busybox/busybox@1.36.1-r15 From: busybox/busybox-binsh@1.36.1-r15 and 5 more... Fixed in: 1.36.1-r16
✗ Medium severity vulnerability found in busybox/busybox Description: Use After Free Info: https://security.snyk.io/vuln/SNYK-ALPINE319-BUSYBOX-6928845 Introduced through: busybox/busybox@1.36.1-r15, alpine-baselayout/alpine-baselayout@3.4.3-r2, busybox/busybox-binsh@1.36.1-r15, ca-certificates/ca-certificates@20240226-r0, font-dejavu/font-dejavu@2.37-r5, busybox/ssl_client@1.36.1-r15 From: busybox/busybox@1.36.1-r15 From: alpine-baselayout/alpine-baselayout@3.4.3-r2 > busybox/busybox-binsh@1.36.1-r15 > busybox/busybox@1.36.1-r15 From: busybox/busybox-binsh@1.36.1-r15 and 5 more... Fixed in: 1.36.1-r19
✗ Medium severity vulnerability found in busybox/busybox Description: Use After Free Info: https://security.snyk.io/vuln/SNYK-ALPINE319-BUSYBOX-6928846 Introduced through: busybox/busybox@1.36.1-r15, alpine-baselayout/alpine-baselayout@3.4.3-r2, busybox/busybox-binsh@1.36.1-r15, ca-certificates/ca-certificates@20240226-r0, font-dejavu/font-dejavu@2.37-r5, busybox/ssl_client@1.36.1-r15 From: busybox/busybox@1.36.1-r15 From: alpine-baselayout/alpine-baselayout@3.4.3-r2 > busybox/busybox-binsh@1.36.1-r15 > busybox/busybox@1.36.1-r15 From: busybox/busybox-binsh@1.36.1-r15 and 5 more... Fixed in: 1.36.1-r19
✗ Medium severity vulnerability found in busybox/busybox Description: Use After Free Info: https://security.snyk.io/vuln/SNYK-ALPINE319-BUSYBOX-6928847 Introduced through: busybox/busybox@1.36.1-r15, alpine-baselayout/alpine-baselayout@3.4.3-r2, busybox/busybox-binsh@1.36.1-r15, ca-certificates/ca-certificates@20240226-r0, font-dejavu/font-dejavu@2.37-r5, busybox/ssl_client@1.36.1-r15 From: busybox/busybox@1.36.1-r15 From: alpine-baselayout/alpine-baselayout@3.4.3-r2 > busybox/busybox-binsh@1.36.1-r15 > busybox/busybox@1.36.1-r15 From: busybox/busybox-binsh@1.36.1-r15 and 5 more... Fixed in: 1.36.1-r17
✗ Critical severity vulnerability found in expat/libexpat Description: XML External Entity (XXE) Injection Info: https://security.snyk.io/vuln/SNYK-ALPINE319-EXPAT-7908399 Introduced through: expat/libexpat@2.6.2-r0, font-dejavu/font-dejavu@2.37-r5 From: expat/libexpat@2.6.2-r0 From: font-dejavu/font-dejavu@2.37-r5 > fontconfig/fontconfig@2.14.2-r4 > expat/libexpat@2.6.2-r0 Fixed in: 2.6.3-r0
✗ Critical severity vulnerability found in expat/libexpat Description: Integer Overflow or Wraparound Info: https://security.snyk.io/vuln/SNYK-ALPINE319-EXPAT-7908400 Introduced through: expat/libexpat@2.6.2-r0, font-dejavu/font-dejavu@2.37-r5 From: expat/libexpat@2.6.2-r0 From: font-dejavu/font-dejavu@2.37-r5 > fontconfig/fontconfig@2.14.2-r4 > expat/libexpat@2.6.2-r0 Fixed in: 2.6.3-r0
✗ Critical severity vulnerability found in expat/libexpat Description: Integer Overflow or Wraparound Info: https://security.snyk.io/vuln/SNYK-ALPINE319-EXPAT-7908409 Introduced through: expat/libexpat@2.6.2-r0, font-dejavu/font-dejavu@2.37-r5 From: expat/libexpat@2.6.2-r0 From: font-dejavu/font-dejavu@2.37-r5 > fontconfig/fontconfig@2.14.2-r4 > expat/libexpat@2.6.2-r0 Fixed in: 2.6.3-r0
Organization: kjaredb96
Package manager: apk
Project name: docker-image|snyk-test-image
Docker image: snyk-test-image:snyk-test
Platform: linux/amd64
Base image: alpine:3.19.1
Licenses: enabled
Tested 39 dependencies for known issues, found 12 issues.
Base Image       Vulnerabilities  Severity
alpine:3.19.1    9                0 critical, 0 high, 4 medium, 5 low
Recommendations for base image upgrade:
Minor upgrades
Base Image       Vulnerabilities  Severity
alpine:3.19.4    0                0 critical, 0 high, 0 medium, 0 low
Learn more: https://docs.snyk.io/products/snyk-container/getting-around-the-snyk-container-ui/base-image-detection
Testing snyk-test-image:snyk-test...
Tested 132 dependencies for known issues, found 9 issues.
⚠ Warning! Some dependencies in this project could not be identified.
Issues with no direct upgrade or patch:
✗ Creation of Temporary File in Directory with Insecure Permissions [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-5710356] in com.google.guava:guava@31.0.1-android
  introduced by unknown:/opt/docker/lib/hmda2.jar@unknown > com.google.guava:guava@31.0.1-android
  This issue was fixed in versions: 32.0.0-android, 32.0.0-jre
✗ Header Injection [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEJAMES-6282851] in org.apache.james:apache-mime4j-core@0.8.9
  introduced by unknown:/opt/docker/lib/hmda2.jar@unknown > org.apache.james:apache-mime4j-core@0.8.9
  This issue was fixed in versions: 0.8.10
✗ Open Redirect [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-6230634] in org.keycloak:keycloak-common@22.0.1
  introduced by unknown:/opt/docker/lib/hmda2.jar@unknown > org.keycloak:keycloak-common@22.0.1
  This issue was fixed in versions: 23.0.4
✗ Path Traversal [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-6618056] in org.keycloak:keycloak-common@22.0.1
  introduced by unknown:/opt/docker/lib/hmda2.jar@unknown > org.keycloak:keycloak-common@22.0.1
  This issue was fixed in versions: 24.0.3
✗ Missing Critical Step in Authentication [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-6616016] in org.keycloak:keycloak-server-spi-private@22.0.1
  introduced by unknown:/opt/docker/lib/hmda2.jar@unknown > org.keycloak:keycloak-server-spi-private@22.0.1
  This issue was fixed in versions: 22.0.10, 24.0.3
✗ Cross-Site Request Forgery (CSRF) [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-7247314] in org.keycloak:keycloak-server-spi-private@22.0.1
  introduced by unknown:/opt/docker/lib/hmda2.jar@unknown > org.keycloak:keycloak-server-spi-private@22.0.1
  No upgrade or patch available
✗ URL Redirection to Untrusted Site ('Open Redirect') [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-8061810] in org.keycloak:keycloak-server-spi-private@22.0.1
  introduced by unknown:/opt/docker/lib/hmda2.jar@unknown > org.keycloak:keycloak-server-spi-private@22.0.1
  This issue was fixed in versions: 22.0.13, 24.0.8, 25.0.6
✗ Unprotected Transport of Credentials [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-7268350] in org.keycloak:keycloak-core@22.0.1
  introduced by unknown:/opt/docker/lib/hmda2.jar@unknown > org.keycloak:keycloak-core@22.0.1
  This issue was fixed in versions: 24.0.6, 25.0.1
✗ Improper Handling of Extra Values [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-7926864] in org.keycloak:keycloak-core@22.0.1
  introduced by unknown:/opt/docker/lib/hmda2.jar@unknown > org.keycloak:keycloak-core@22.0.1
  This issue was fixed in versions: 24.0.0
Organization: kjaredb96
Package manager: maven
Target file: /opt/docker/lib
Project name: snyk-test-image:snyk-test:/opt/docker/lib
Docker image: snyk-test-image:snyk-test
Licenses: enabled
Snyk wasn't able to auto detect the base image, use --file option to get base image remediation advice.
Example: $ snyk container test snyk-test-image:snyk-test --file=path/to/Dockerfile
Snyk found some vulnerabilities in your image applications (Snyk searches for these vulnerabilities by default). See https://snyk.co/app-vulns for more information.
To remove these messages in the future, please run snyk config set disableSuggestions=true
Testing snyk-test-image:snyk-test...
Organization: kjaredb96
Package manager: maven
Target file: /opt/java/openjdk/lib
Project name: snyk-test-image:snyk-test:/opt/java/openjdk/lib
Docker image: snyk-test-image:snyk-test
Licenses: enabled
✔ Tested snyk-test-image:snyk-test for known issues, no vulnerable paths found.
Tested 3 projects, 2 contained vulnerable paths.
Docker Scan:
                  │ Analyzed Image
──────────────────┼─────────────────────────────────────
Target            │ snyk-test-image:snyk-test
  digest          │ e895ee4e92a8
  platform        │ linux/amd64
  vulnerabilities │ 4C 3H 13M 4L 3?
  size            │ 422 MB
  packages        │ 185
3C 0H 0M 0L expat 2.6.2-r0 pkg:apk/alpine/expat@2.6.2-r0?os_name=alpine&os_version=3.19
✗ CRITICAL CVE-2024-45492
https://scout.docker.com/v/CVE-2024-45492?s=alpine&n=expat&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C2.6.3-r0
Affected range : <2.6.3-r0
Fixed version : 2.6.3-r0
✗ CRITICAL CVE-2024-45491
https://scout.docker.com/v/CVE-2024-45491?s=alpine&n=expat&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C2.6.3-r0
Affected range : <2.6.3-r0
Fixed version : 2.6.3-r0
✗ CRITICAL CVE-2024-45490
https://scout.docker.com/v/CVE-2024-45490?s=alpine&n=expat&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C2.6.3-r0
Affected range : <2.6.3-r0
Fixed version : 2.6.3-r0
1C 1H 1M 0L 2? openssl 3.1.4-r5 pkg:apk/alpine/openssl@3.1.4-r5?os_name=alpine&os_version=3.19
✗ CRITICAL CVE-2024-5535
https://scout.docker.com/v/CVE-2024-5535?s=alpine&n=openssl&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C3.1.6-r0
Affected range : <3.1.6-r0
Fixed version : 3.1.6-r0
✗ HIGH CVE-2024-6119
https://scout.docker.com/v/CVE-2024-6119?s=alpine&n=openssl&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C3.1.7-r0
Affected range : <3.1.7-r0
Fixed version : 3.1.7-r0
✗ MEDIUM CVE-2024-4603
https://scout.docker.com/v/CVE-2024-4603?s=alpine&n=openssl&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C3.1.5-r0
Affected range : <3.1.5-r0
Fixed version : 3.1.5-r0
✗ UNSPECIFIED CVE-2024-4741
https://scout.docker.com/v/CVE-2024-4741?s=alpine&n=openssl&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C3.1.6-r0
Affected range : <3.1.6-r0
Fixed version : 3.1.6-r0
✗ UNSPECIFIED CVE-2024-2511
https://scout.docker.com/v/CVE-2024-2511?s=alpine&n=openssl&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C3.1.4-r6
Affected range : <3.1.4-r6
Fixed version : 3.1.4-r6
0C 1H 5M 3L 1? org.keycloak/keycloak-core 22.0.1 pkg:maven/org.keycloak/keycloak-core@22.0.1
✗ HIGH CVE-2023-6291 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
https://scout.docker.com/v/CVE-2023-6291?s=gitlab&n=keycloak-core&ns=org.keycloak&t=maven&vr=%3C22.0.7
Affected range : <22.0.7
Fixed version : 23.0.0
CVSS Score : 7.1
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
✗ MEDIUM CVE-2023-6841 [Improper Handling of Extra Values]
https://scout.docker.com/v/CVE-2023-6841?s=github&n=keycloak-core&ns=org.keycloak&t=maven&vr=%3C24.0.0
Affected range : <24.0.0
Fixed version : 24.0.0
CVSS Score : 6.5
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
✗ MEDIUM CVE-2023-6134 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
https://scout.docker.com/v/CVE-2023-6134?s=gitlab&n=keycloak-core&ns=org.keycloak&t=maven&vr=%3C22.0.7
Affected range : <22.0.7
Fixed version : 23.0.0
CVSS Score : 5.4
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
✗ MEDIUM CVE-2024-7318 [Use of a Key Past its Expiration Date]
https://scout.docker.com/v/CVE-2024-7318?s=github&n=keycloak-core&ns=org.keycloak&t=maven&vr=%3C24.0.7
Affected range : <24.0.7
Fixed version : 24.0.7
CVSS Score : 4.8
CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
✗ MEDIUM CVE-2024-7260 [URL Redirection to Untrusted Site ('Open Redirect')]
https://scout.docker.com/v/CVE-2024-7260?s=github&n=keycloak-core&ns=org.keycloak&t=maven&vr=%3C24.0.7
Affected range : <24.0.7
Fixed version : 24.0.7
CVSS Score : 4.4
CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
✗ MEDIUM GHSA-9vm7-v8wj-3fqw [URL Redirection to Untrusted Site ('Open Redirect')]
https://scout.docker.com/v/GHSA-9vm7-v8wj-3fqw?s=github&n=keycloak-core&ns=org.keycloak&t=maven&vr=%3C23.0.4
Affected range : <23.0.4
Fixed version : 23.0.4
✗ LOW CVE-2024-1722 [Overly Restrictive Account Lockout Mechanism]
https://scout.docker.com/v/CVE-2024-1722?s=github&n=keycloak-core&ns=org.keycloak&t=maven&vr=%3C%3D23.0.5
Affected range : <=23.0.5
Fixed version : 24.0.0
CVSS Score : 3.7
CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
✗ LOW GHSA-gmrm-8fx4-66x7 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
https://scout.docker.com/v/GHSA-gmrm-8fx4-66x7?s=gitlab&n=keycloak-core&ns=org.keycloak&t=maven&vr=%3C%3D24.0.5
Affected range : <=24.0.5
Fixed version : not fixed
CVSS Score : 2.7
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
✗ LOW CVE-2024-5967 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
https://scout.docker.com/v/CVE-2024-5967?s=gitlab&n=keycloak-core&ns=org.keycloak&t=maven&vr=%3C%3D24.0.5
Affected range : <=24.0.5
Fixed version : not fixed
CVSS Score : 2.7
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
✗ UNSPECIFIED GMS-2024-51 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
https://scout.docker.com/v/GMS-2024-51?s=gitlab&n=keycloak-core&ns=org.keycloak&t=maven&vr=%3C23.0.4
Affected range : <23.0.4
Fixed version : 23.0.4
0C 1H 0M 0L org.keycloak/keycloak-server-spi-private 22.0.1 pkg:maven/org.keycloak/keycloak-server-spi-private@22.0.1
✗ HIGH CVE-2023-6291 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
https://scout.docker.com/v/CVE-2023-6291?s=gitlab&n=keycloak-server-spi-private&ns=org.keycloak&t=maven&vr=%3C22.0.7
Affected range : <22.0.7
Fixed version : 23.0.0
CVSS Score : 7.1
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
0C 0H 4M 0L busybox 1.36.1-r15 pkg:apk/alpine/busybox@1.36.1-r15?os_name=alpine&os_version=3.19
✗ MEDIUM CVE-2023-42366
https://scout.docker.com/v/CVE-2023-42366?s=alpine&n=busybox&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C1.36.1-r16
Affected range : <1.36.1-r16
Fixed version : 1.36.1-r16
✗ MEDIUM CVE-2023-42365
https://scout.docker.com/v/CVE-2023-42365?s=alpine&n=busybox&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C1.36.1-r19
Affected range : <1.36.1-r19
Fixed version : 1.36.1-r19
✗ MEDIUM CVE-2023-42364
https://scout.docker.com/v/CVE-2023-42364?s=alpine&n=busybox&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C1.36.1-r19
Affected range : <1.36.1-r19
Fixed version : 1.36.1-r19
✗ MEDIUM CVE-2023-42363
https://scout.docker.com/v/CVE-2023-42363?s=alpine&n=busybox&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C1.36.1-r17
Affected range : <1.36.1-r17
Fixed version : 1.36.1-r17
0C 0H 1M 1L com.google.guava/guava 31.0.1-android pkg:maven/com.google.guava/guava@31.0.1-android
✗ MEDIUM CVE-2023-2976 [Creation of Temporary File in Directory with Insecure Permissions]
https://scout.docker.com/v/CVE-2023-2976?s=github&n=guava&ns=com.google.guava&t=maven&vr=%3E%3D1.0%2C%3C32.0.0-android
Affected range : >=1.0
: <32.0.0-android
Fixed version : 32.0.0
CVSS Score : 5.5
CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
✗ LOW CVE-2020-8908 [Improper Handling of Alternate Encoding]
https://scout.docker.com/v/CVE-2020-8908?s=github&n=guava&ns=com.google.guava&t=maven&vr=%3C32.0.0-android
Affected range : <32.0.0-android
Fixed version : 32.0.0
CVSS Score : 3.3
CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
0C 0H 1M 0L org.apache.zookeeper/zookeeper 3.8.3 pkg:maven/org.apache.zookeeper/zookeeper@3.8.3
✗ MEDIUM CVE-2024-23944 [Exposure of Sensitive Information to an Unauthorized Actor]
https://scout.docker.com/v/CVE-2024-23944?s=github&n=zookeeper&ns=org.apache.zookeeper&t=maven&vr=%3E%3D3.8.0%2C%3C%3D3.8.3
Affected range : >=3.8.0
: <=3.8.3
Fixed version : 3.8.4
0C 0H 1M 0L org.apache.james/apache-mime4j-core 0.8.9 pkg:maven/org.apache.james/apache-mime4j-core@0.8.9
✗ MEDIUM CVE-2024-21742 [Improper Input Validation]
https://scout.docker.com/v/CVE-2024-21742?s=github&n=apache-mime4j-core&ns=org.apache.james&t=maven&vr=%3C0.8.10
Affected range : <0.8.10
Fixed version : 0.8.10
27 vulnerabilities found in 8 packages
UNSPECIFIED 3
LOW 4
MEDIUM 13
HIGH 3
CRITICAL 4
What's next: View base image update recommendations → docker scout recommendations snyk-test-image:snyk-test
More research, this time trying out Trivy @PatrickGoRaft. Trivy picks up more vulnerabilities than Snyk, but there are still CVEs that Scout reports and Trivy doesn't. Perhaps we could combine Snyk and Trivy to get most of the CVEs that Scout would report.
Let's implement this using snyk and trivy if we want it functioning like docker scout
Confirm leveraging the service snyk will be a suitable alternative to baking in a github action docker scout solution
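The "Scout covers everything Snyk finds" conclusion above was reached by reading the two dumps side by side. The following is an added example (written for this page, not code from the issue and not Snyk's, Docker's or Trivy's tooling) that parses both text outputs into findings and lists what each scanner reports that the other does not. The two sample inputs are excerpts constructed from the Snyk and Docker Scout output pasted in the issue; the regexes target only those two text layouts, and every function and constant name is my own. The part worth noticing is the matching: Snyk's text output names apk sub-packages (openssl/libcrypto3) and, for the busybox, expat and all the Maven findings, prints a weakness description instead of a CVE id, whereas Scout prints the origin package plus an id. A naive diff on CVE ids would therefore report most of the overlap as "Scout-only". The example matches by id when both sides have one, otherwise by description, and as a last resort by fix release, with the caveat that several CVEs routinely share one fix release (all three expat CVEs are fixed in 2.6.3-r0), so that signal only shows the same upgrade closes both findings.

```python
"""Cross-check the Snyk and Docker Scout findings pasted in the issue.
Added example, not code from the issue or from Snyk/Docker/Trivy. The two
samples are excerpts constructed from the outputs above; the parsers target
only those text layouts (use each tool's JSON output for real work)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    package: str   # apk origin package, or maven "group/artifact"
    vuln_id: str   # CVE/GHSA/GMS id when the scanner printed one, else ""
    desc: str      # weakness description when printed, else ""
    fixed: str     # fixed version(s) as printed, "" when none


# Snyk text output: one "✗ ..." record per finding, in apk or maven layout.
SNYK_APK = re.compile(r"^(\w+) severity vulnerability found in (\S+) "
                      r"Description: (.+?) Info: \S+ .*?Fixed in: (\S+)")
SNYK_MAVEN = re.compile(r"^(.+?) \[\w+ Severity\]\[\S+\] in (\S+)@\S+ introduced by .*?"
                        r"(?:fixed in versions: (.+)$|No upgrade or patch available)")
# Scout text output: a package header line, then "✗ SEVERITY ID [desc]" blocks.
SCOUT_PKG = re.compile(r"^\d+C\s+\d+H\s+\d+M\s+\d+L(?:\s+\d+\?)?\s+(\S+)\s+\S+\s+pkg:")
SCOUT_VULN = re.compile(r"^✗\s+\w+\s+(\S+)(?:\s+\[(.*)\])?$")
SCOUT_FIXED = re.compile(r"^Fixed version\s*:\s*(.+)$")


def parse_snyk(text):
    findings = set()
    for chunk in text.split("✗")[1:]:
        chunk = " ".join(chunk.split())       # flatten the record onto one line
        if m := SNYK_APK.match(chunk):
            _sev, pkg, desc, fixed = m.groups()
            pkg = pkg.split("/")[0]           # "openssl/libcrypto3" -> "openssl", as Scout names it
        elif m := SNYK_MAVEN.match(chunk):
            desc, pkg, fixed = m.groups()
            pkg, fixed = pkg.replace(":", "/"), fixed or ""
        else:
            continue
        vuln_id = desc if desc.startswith(("CVE-", "GHSA-", "GMS-")) else ""
        findings.add(Finding(pkg, vuln_id, "" if vuln_id else desc, fixed.strip()))
    return findings


def parse_scout(text):
    pkg, records = None, []
    for line in map(str.strip, text.splitlines()):
        if m := SCOUT_PKG.match(line):
            pkg = m.group(1)
        elif (m := SCOUT_VULN.match(line)) and pkg:
            records.append([pkg, m.group(1), m.group(2) or "", ""])
        elif (m := SCOUT_FIXED.match(line)) and records:
            records[-1][3] = "" if m.group(1) == "not fixed" else m.group(1).strip()
    return {Finding(*r) for r in records}


def same_issue(a, b):
    """Same package and, in decreasing strength: same id, same description, or same
    fix release. The last is fuzzy: several CVEs often share one fix release, so it
    shows the upgrade covers both findings, not that the scanners named the same CVE."""
    if a.package != b.package:
        return False
    if a.vuln_id and b.vuln_id:
        return a.vuln_id == b.vuln_id
    if a.desc and b.desc and a.desc.lower() == b.desc.lower():
        return True
    split = lambda f: [v.strip() for v in f.fixed.split(",") if v.strip()]
    return any(x == y or x.startswith(y + "-") or y.startswith(x + "-")
               for x in split(a) for y in split(b))


def compare(snyk, scout):
    label = lambda f: f"{f.package} {f.vuln_id or f.desc}"
    return {"snyk_only": sorted(label(s) for s in snyk if not any(same_issue(s, c) for c in scout)),
            "scout_only": sorted(label(c) for c in scout if not any(same_issue(s, c) for s in snyk))}


# Constructed excerpts of the two outputs pasted in the issue.
SNYK_SAMPLE = """✗ Low severity vulnerability found in openssl/libcrypto3 Description: CVE-2024-2511 Info: https://security.snyk.io/vuln/SNYK-ALPINE319-OPENSSL-6593965 Introduced through: openssl/libcrypto3@3.1.4-r5 From: openssl/libcrypto3@3.1.4-r5 Fixed in: 3.1.4-r6
✗ Medium severity vulnerability found in busybox/busybox Description: Out-of-bounds Write Info: https://security.snyk.io/vuln/SNYK-ALPINE319-BUSYBOX-6913413 Introduced through: busybox/busybox@1.36.1-r15 From: busybox/busybox@1.36.1-r15 Fixed in: 1.36.1-r16
✗ Critical severity vulnerability found in expat/libexpat Description: XML External Entity (XXE) Injection Info: https://security.snyk.io/vuln/SNYK-ALPINE319-EXPAT-7908399 Introduced through: expat/libexpat@2.6.2-r0 From: expat/libexpat@2.6.2-r0 Fixed in: 2.6.3-r0
Issues with no direct upgrade or patch: ✗ Creation of Temporary File in Directory with Insecure Permissions [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-5710356] in com.google.guava:guava@31.0.1-android introduced by unknown:/opt/docker/lib/hmda2.jar@unknown > com.google.guava:guava@31.0.1-android This issue was fixed in versions: 32.0.0-android, 32.0.0-jre
✗ Header Injection [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEJAMES-6282851] in org.apache.james:apache-mime4j-core@0.8.9 introduced by unknown:/opt/docker/lib/hmda2.jar@unknown > org.apache.james:apache-mime4j-core@0.8.9 This issue was fixed in versions: 0.8.10
"""
SCOUT_SAMPLE = """3C 0H 0M 0L expat 2.6.2-r0 pkg:apk/alpine/expat@2.6.2-r0?os_name=alpine&os_version=3.19
✗ CRITICAL CVE-2024-45492
Fixed version : 2.6.3-r0
1C 1H 1M 0L 2? openssl 3.1.4-r5 pkg:apk/alpine/openssl@3.1.4-r5?os_name=alpine&os_version=3.19
✗ HIGH CVE-2024-6119
Fixed version : 3.1.7-r0
✗ UNSPECIFIED CVE-2024-2511
Fixed version : 3.1.4-r6
0C 0H 4M 0L busybox 1.36.1-r15 pkg:apk/alpine/busybox@1.36.1-r15?os_name=alpine&os_version=3.19
✗ MEDIUM CVE-2023-42366
Fixed version : 1.36.1-r16
✗ MEDIUM CVE-2023-42365
Fixed version : 1.36.1-r19
0C 0H 1M 1L com.google.guava/guava 31.0.1-android pkg:maven/com.google.guava/guava@31.0.1-android
✗ MEDIUM CVE-2023-2976 [Creation of Temporary File in Directory with Insecure Permissions]
Fixed version : 32.0.0
0C 0H 1M 0L org.apache.james/apache-mime4j-core 0.8.9 pkg:maven/org.apache.james/apache-mime4j-core@0.8.9
✗ MEDIUM CVE-2024-21742 [Improper Input Validation]
Fixed version : 0.8.10
"""
```

Running `compare(parse_snyk(SNYK_SAMPLE), parse_scout(SCOUT_SAMPLE))` on the excerpts gives an empty `snyk_only` list and a `scout_only` list of `busybox CVE-2023-42365` and `openssl CVE-2024-6119`, which is the "Scout reports a superset" result stated in the thread, with the overlap established through all three signals (id for openssl, description for guava, fix release for busybox, expat and mime4j). To extend the same check to Trivy, add a parser that yields `Finding` objects from its output and run `compare` once per pair; for anything beyond a one-off comparison, parse `snyk container test --json` rather than the human-readable text, which Snyk does not guarantee to keep stable.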