cfpb / hmda-platform

The HMDA Submission backend applications.
Creative Commons Zero v1.0 Universal

Docker Scout Alternative Research #4906

Closed PatrickGoRaft closed 3 weeks ago

PatrickGoRaft commented 1 month ago

Confirm that leveraging the Snyk service will be a suitable alternative to baking a Docker Scout solution into a GitHub Action.

jaredb96 commented 1 month ago

Research results @PatrickGoRaft: It looks like Snyk is a strictly worse CVE scanner than Docker Scout. Docker Scout includes all the CVEs that Snyk detects and more.

Snyk Scan:

Testing snyk-test-image:snyk-test...

✗ Low severity vulnerability found in openssl/libcrypto3
  Description: CVE-2024-2511
  Info: https://security.snyk.io/vuln/SNYK-ALPINE319-OPENSSL-6593965
  Introduced through: openssl/libcrypto3@3.1.4-r5, apk-tools/apk-tools@2.14.0-r5, busybox/ssl_client@1.36.1-r15, ca-certificates/ca-certificates@20240226-r0, openssl/libssl3@3.1.4-r5
  From: openssl/libcrypto3@3.1.4-r5
  From: apk-tools/apk-tools@2.14.0-r5 > openssl/libcrypto3@3.1.4-r5
  From: busybox/ssl_client@1.36.1-r15 > openssl/libcrypto3@3.1.4-r5
  and 5 more...
  Fixed in: 3.1.4-r6

✗ Low severity vulnerability found in openssl/libcrypto3
  Description: CVE-2024-4603
  Info: https://security.snyk.io/vuln/SNYK-ALPINE319-OPENSSL-6928853
  Introduced through: openssl/libcrypto3@3.1.4-r5, apk-tools/apk-tools@2.14.0-r5, busybox/ssl_client@1.36.1-r15, ca-certificates/ca-certificates@20240226-r0, openssl/libssl3@3.1.4-r5
  From: openssl/libcrypto3@3.1.4-r5
  From: apk-tools/apk-tools@2.14.0-r5 > openssl/libcrypto3@3.1.4-r5
  From: busybox/ssl_client@1.36.1-r15 > openssl/libcrypto3@3.1.4-r5
  and 5 more...
  Fixed in: 3.1.5-r0

✗ Low severity vulnerability found in openssl/libcrypto3
  Description: CVE-2024-5535
  Info: https://security.snyk.io/vuln/SNYK-ALPINE319-OPENSSL-7413523
  Introduced through: openssl/libcrypto3@3.1.4-r5, apk-tools/apk-tools@2.14.0-r5, busybox/ssl_client@1.36.1-r15, ca-certificates/ca-certificates@20240226-r0, openssl/libssl3@3.1.4-r5
  From: openssl/libcrypto3@3.1.4-r5
  From: apk-tools/apk-tools@2.14.0-r5 > openssl/libcrypto3@3.1.4-r5
  From: busybox/ssl_client@1.36.1-r15 > openssl/libcrypto3@3.1.4-r5
  and 5 more...
  Fixed in: 3.1.6-r0

✗ Low severity vulnerability found in openssl/libcrypto3
  Description: CVE-2024-4741
  Info: https://security.snyk.io/vuln/SNYK-ALPINE319-OPENSSL-7413527
  Introduced through: openssl/libcrypto3@3.1.4-r5, apk-tools/apk-tools@2.14.0-r5, busybox/ssl_client@1.36.1-r15, ca-certificates/ca-certificates@20240226-r0, openssl/libssl3@3.1.4-r5
  From: openssl/libcrypto3@3.1.4-r5
  From: apk-tools/apk-tools@2.14.0-r5 > openssl/libcrypto3@3.1.4-r5
  From: busybox/ssl_client@1.36.1-r15 > openssl/libcrypto3@3.1.4-r5
  and 5 more...
  Fixed in: 3.1.6-r0

✗ Low severity vulnerability found in openssl/libcrypto3
  Description: CVE-2024-6119
  Info: https://security.snyk.io/vuln/SNYK-ALPINE319-OPENSSL-7895536
  Introduced through: openssl/libcrypto3@3.1.4-r5, apk-tools/apk-tools@2.14.0-r5, busybox/ssl_client@1.36.1-r15, ca-certificates/ca-certificates@20240226-r0, openssl/libssl3@3.1.4-r5
  From: openssl/libcrypto3@3.1.4-r5
  From: apk-tools/apk-tools@2.14.0-r5 > openssl/libcrypto3@3.1.4-r5
  From: busybox/ssl_client@1.36.1-r15 > openssl/libcrypto3@3.1.4-r5
  and 5 more...
  Fixed in: 3.1.7-r0

✗ Medium severity vulnerability found in busybox/busybox
  Description: Out-of-bounds Write
  Info: https://security.snyk.io/vuln/SNYK-ALPINE319-BUSYBOX-6913413
  Introduced through: busybox/busybox@1.36.1-r15, alpine-baselayout/alpine-baselayout@3.4.3-r2, busybox/busybox-binsh@1.36.1-r15, ca-certificates/ca-certificates@20240226-r0, font-dejavu/font-dejavu@2.37-r5, busybox/ssl_client@1.36.1-r15
  From: busybox/busybox@1.36.1-r15
  From: alpine-baselayout/alpine-baselayout@3.4.3-r2 > busybox/busybox-binsh@1.36.1-r15 > busybox/busybox@1.36.1-r15
  From: busybox/busybox-binsh@1.36.1-r15
  and 5 more...
  Fixed in: 1.36.1-r16

✗ Medium severity vulnerability found in busybox/busybox
  Description: Use After Free
  Info: https://security.snyk.io/vuln/SNYK-ALPINE319-BUSYBOX-6928845
  Introduced through: busybox/busybox@1.36.1-r15, alpine-baselayout/alpine-baselayout@3.4.3-r2, busybox/busybox-binsh@1.36.1-r15, ca-certificates/ca-certificates@20240226-r0, font-dejavu/font-dejavu@2.37-r5, busybox/ssl_client@1.36.1-r15
  From: busybox/busybox@1.36.1-r15
  From: alpine-baselayout/alpine-baselayout@3.4.3-r2 > busybox/busybox-binsh@1.36.1-r15 > busybox/busybox@1.36.1-r15
  From: busybox/busybox-binsh@1.36.1-r15
  and 5 more...
  Fixed in: 1.36.1-r19

✗ Medium severity vulnerability found in busybox/busybox
  Description: Use After Free
  Info: https://security.snyk.io/vuln/SNYK-ALPINE319-BUSYBOX-6928846
  Introduced through: busybox/busybox@1.36.1-r15, alpine-baselayout/alpine-baselayout@3.4.3-r2, busybox/busybox-binsh@1.36.1-r15, ca-certificates/ca-certificates@20240226-r0, font-dejavu/font-dejavu@2.37-r5, busybox/ssl_client@1.36.1-r15
  From: busybox/busybox@1.36.1-r15
  From: alpine-baselayout/alpine-baselayout@3.4.3-r2 > busybox/busybox-binsh@1.36.1-r15 > busybox/busybox@1.36.1-r15
  From: busybox/busybox-binsh@1.36.1-r15
  and 5 more...
  Fixed in: 1.36.1-r19

✗ Medium severity vulnerability found in busybox/busybox
  Description: Use After Free
  Info: https://security.snyk.io/vuln/SNYK-ALPINE319-BUSYBOX-6928847
  Introduced through: busybox/busybox@1.36.1-r15, alpine-baselayout/alpine-baselayout@3.4.3-r2, busybox/busybox-binsh@1.36.1-r15, ca-certificates/ca-certificates@20240226-r0, font-dejavu/font-dejavu@2.37-r5, busybox/ssl_client@1.36.1-r15
  From: busybox/busybox@1.36.1-r15
  From: alpine-baselayout/alpine-baselayout@3.4.3-r2 > busybox/busybox-binsh@1.36.1-r15 > busybox/busybox@1.36.1-r15
  From: busybox/busybox-binsh@1.36.1-r15
  and 5 more...
  Fixed in: 1.36.1-r17

✗ Critical severity vulnerability found in expat/libexpat
  Description: XML External Entity (XXE) Injection
  Info: https://security.snyk.io/vuln/SNYK-ALPINE319-EXPAT-7908399
  Introduced through: expat/libexpat@2.6.2-r0, font-dejavu/font-dejavu@2.37-r5
  From: expat/libexpat@2.6.2-r0
  From: font-dejavu/font-dejavu@2.37-r5 > fontconfig/fontconfig@2.14.2-r4 > expat/libexpat@2.6.2-r0
  Fixed in: 2.6.3-r0

✗ Critical severity vulnerability found in expat/libexpat
  Description: Integer Overflow or Wraparound
  Info: https://security.snyk.io/vuln/SNYK-ALPINE319-EXPAT-7908400
  Introduced through: expat/libexpat@2.6.2-r0, font-dejavu/font-dejavu@2.37-r5
  From: expat/libexpat@2.6.2-r0
  From: font-dejavu/font-dejavu@2.37-r5 > fontconfig/fontconfig@2.14.2-r4 > expat/libexpat@2.6.2-r0
  Fixed in: 2.6.3-r0

✗ Critical severity vulnerability found in expat/libexpat
  Description: Integer Overflow or Wraparound
  Info: https://security.snyk.io/vuln/SNYK-ALPINE319-EXPAT-7908409
  Introduced through: expat/libexpat@2.6.2-r0, font-dejavu/font-dejavu@2.37-r5
  From: expat/libexpat@2.6.2-r0
  From: font-dejavu/font-dejavu@2.37-r5 > fontconfig/fontconfig@2.14.2-r4 > expat/libexpat@2.6.2-r0
  Fixed in: 2.6.3-r0

Organization:      kjaredb96
Package manager:   apk
Project name:      docker-image|snyk-test-image
Docker image:      snyk-test-image:snyk-test
Platform:          linux/amd64
Base image:        alpine:3.19.1
Licenses:          enabled

Tested 39 dependencies for known issues, found 12 issues.

Base Image      Vulnerabilities  Severity
alpine:3.19.1   9                0 critical, 0 high, 4 medium, 5 low

Recommendations for base image upgrade:

Minor upgrades
Base Image      Vulnerabilities  Severity
alpine:3.19.4   0                0 critical, 0 high, 0 medium, 0 low

Learn more: https://docs.snyk.io/products/snyk-container/getting-around-the-snyk-container-ui/base-image-detection


Testing snyk-test-image:snyk-test...

Tested 132 dependencies for known issues, found 9 issues.

⚠ Warning! Some dependencies in this project could not be identified.

Issues with no direct upgrade or patch:
  ✗ Creation of Temporary File in Directory with Insecure Permissions [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-5710356] in com.google.guava:guava@31.0.1-android
    introduced by unknown:/opt/docker/lib/hmda2.jar@unknown > com.google.guava:guava@31.0.1-android
  This issue was fixed in versions: 32.0.0-android, 32.0.0-jre
  ✗ Header Injection [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEJAMES-6282851] in org.apache.james:apache-mime4j-core@0.8.9
    introduced by unknown:/opt/docker/lib/hmda2.jar@unknown > org.apache.james:apache-mime4j-core@0.8.9
  This issue was fixed in versions: 0.8.10
  ✗ Open Redirect [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-6230634] in org.keycloak:keycloak-common@22.0.1
    introduced by unknown:/opt/docker/lib/hmda2.jar@unknown > org.keycloak:keycloak-common@22.0.1
  This issue was fixed in versions: 23.0.4
  ✗ Path Traversal [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-6618056] in org.keycloak:keycloak-common@22.0.1
    introduced by unknown:/opt/docker/lib/hmda2.jar@unknown > org.keycloak:keycloak-common@22.0.1
  This issue was fixed in versions: 24.0.3
  ✗ Missing Critical Step in Authentication [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-6616016] in org.keycloak:keycloak-server-spi-private@22.0.1
    introduced by unknown:/opt/docker/lib/hmda2.jar@unknown > org.keycloak:keycloak-server-spi-private@22.0.1
  This issue was fixed in versions: 22.0.10, 24.0.3
  ✗ Cross-Site Request Forgery (CSRF) [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-7247314] in org.keycloak:keycloak-server-spi-private@22.0.1
    introduced by unknown:/opt/docker/lib/hmda2.jar@unknown > org.keycloak:keycloak-server-spi-private@22.0.1
  No upgrade or patch available
  ✗ URL Redirection to Untrusted Site ('Open Redirect') [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-8061810] in org.keycloak:keycloak-server-spi-private@22.0.1
    introduced by unknown:/opt/docker/lib/hmda2.jar@unknown > org.keycloak:keycloak-server-spi-private@22.0.1
  This issue was fixed in versions: 22.0.13, 24.0.8, 25.0.6
  ✗ Unprotected Transport of Credentials [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-7268350] in org.keycloak:keycloak-core@22.0.1
    introduced by unknown:/opt/docker/lib/hmda2.jar@unknown > org.keycloak:keycloak-core@22.0.1
  This issue was fixed in versions: 24.0.6, 25.0.1
  ✗ Improper Handling of Extra Values [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-7926864] in org.keycloak:keycloak-core@22.0.1
    introduced by unknown:/opt/docker/lib/hmda2.jar@unknown > org.keycloak:keycloak-core@22.0.1
  This issue was fixed in versions: 24.0.0

Organization:      kjaredb96
Package manager:   maven
Target file:       /opt/docker/lib
Project name:      snyk-test-image:snyk-test:/opt/docker/lib
Docker image:      snyk-test-image:snyk-test
Licenses:          enabled

Snyk wasn't able to auto detect the base image, use --file option to get base image remediation advice.
Example: $ snyk container test snyk-test-image:snyk-test --file=path/to/Dockerfile

Snyk found some vulnerabilities in your image applications (Snyk searches for these vulnerabilities by default). See https://snyk.co/app-vulns for more information.

To remove these messages in the future, please run snyk config set disableSuggestions=true


Testing snyk-test-image:snyk-test...

Organization:      kjaredb96
Package manager:   maven
Target file:       /opt/java/openjdk/lib
Project name:      snyk-test-image:snyk-test:/opt/java/openjdk/lib
Docker image:      snyk-test-image:snyk-test
Licenses:          enabled

✔ Tested snyk-test-image:snyk-test for known issues, no vulnerable paths found.

Tested 3 projects, 2 contained vulnerable paths.

Docker Scan:

Overview

                    │           Analyzed Image            
────────────────────┼─────────────────────────────────────
  Target            │  snyk-test-image:snyk-test          
    digest          │  e895ee4e92a8                       
    platform        │  linux/amd64                        
    vulnerabilities │    4C     3H    13M     4L     3?   
    size            │  422 MB                             
    packages        │  185                                
Packages and Vulnerabilities

3C 0H 0M 0L expat 2.6.2-r0 pkg:apk/alpine/expat@2.6.2-r0?os_name=alpine&os_version=3.19

✗ CRITICAL CVE-2024-45492
  https://scout.docker.com/v/CVE-2024-45492?s=alpine&n=expat&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C2.6.3-r0
  Affected range : <2.6.3-r0  
  Fixed version  : 2.6.3-r0   

✗ CRITICAL CVE-2024-45491
  https://scout.docker.com/v/CVE-2024-45491?s=alpine&n=expat&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C2.6.3-r0
  Affected range : <2.6.3-r0  
  Fixed version  : 2.6.3-r0   

✗ CRITICAL CVE-2024-45490
  https://scout.docker.com/v/CVE-2024-45490?s=alpine&n=expat&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C2.6.3-r0
  Affected range : <2.6.3-r0  
  Fixed version  : 2.6.3-r0   

1C 1H 1M 0L 2? openssl 3.1.4-r5 pkg:apk/alpine/openssl@3.1.4-r5?os_name=alpine&os_version=3.19

✗ CRITICAL CVE-2024-5535
  https://scout.docker.com/v/CVE-2024-5535?s=alpine&n=openssl&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C3.1.6-r0
  Affected range : <3.1.6-r0  
  Fixed version  : 3.1.6-r0   

✗ HIGH CVE-2024-6119
  https://scout.docker.com/v/CVE-2024-6119?s=alpine&n=openssl&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C3.1.7-r0
  Affected range : <3.1.7-r0  
  Fixed version  : 3.1.7-r0   

✗ MEDIUM CVE-2024-4603
  https://scout.docker.com/v/CVE-2024-4603?s=alpine&n=openssl&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C3.1.5-r0
  Affected range : <3.1.5-r0  
  Fixed version  : 3.1.5-r0   

✗ UNSPECIFIED CVE-2024-4741
  https://scout.docker.com/v/CVE-2024-4741?s=alpine&n=openssl&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C3.1.6-r0
  Affected range : <3.1.6-r0  
  Fixed version  : 3.1.6-r0   

✗ UNSPECIFIED CVE-2024-2511
  https://scout.docker.com/v/CVE-2024-2511?s=alpine&n=openssl&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C3.1.4-r6
  Affected range : <3.1.4-r6  
  Fixed version  : 3.1.4-r6   

0C 1H 5M 3L 1? org.keycloak/keycloak-core 22.0.1 pkg:maven/org.keycloak/keycloak-core@22.0.1

✗ HIGH CVE-2023-6291 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
  https://scout.docker.com/v/CVE-2023-6291?s=gitlab&n=keycloak-core&ns=org.keycloak&t=maven&vr=%3C22.0.7
  Affected range : <22.0.7                                       
  Fixed version  : 23.0.0                                        
  CVSS Score     : 7.1                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L  

✗ MEDIUM CVE-2023-6841 [Improper Handling of Extra Values]
  https://scout.docker.com/v/CVE-2023-6841?s=github&n=keycloak-core&ns=org.keycloak&t=maven&vr=%3C24.0.0
  Affected range : <24.0.0                                       
  Fixed version  : 24.0.0                                        
  CVSS Score     : 6.5                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H  

✗ MEDIUM CVE-2023-6134 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
  https://scout.docker.com/v/CVE-2023-6134?s=gitlab&n=keycloak-core&ns=org.keycloak&t=maven&vr=%3C22.0.7
  Affected range : <22.0.7                                       
  Fixed version  : 23.0.0                                        
  CVSS Score     : 5.4                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N  

✗ MEDIUM CVE-2024-7318 [Use of a Key Past its Expiration Date]
  https://scout.docker.com/v/CVE-2024-7318?s=github&n=keycloak-core&ns=org.keycloak&t=maven&vr=%3C24.0.7
  Affected range : <24.0.7                                       
  Fixed version  : 24.0.7                                        
  CVSS Score     : 4.8                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N  

✗ MEDIUM CVE-2024-7260 [URL Redirection to Untrusted Site ('Open Redirect')]
  https://scout.docker.com/v/CVE-2024-7260?s=github&n=keycloak-core&ns=org.keycloak&t=maven&vr=%3C24.0.7
  Affected range : <24.0.7                                       
  Fixed version  : 24.0.7                                        
  CVSS Score     : 4.4                                           
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N  

✗ MEDIUM GHSA-9vm7-v8wj-3fqw [URL Redirection to Untrusted Site ('Open Redirect')]
  https://scout.docker.com/v/GHSA-9vm7-v8wj-3fqw?s=github&n=keycloak-core&ns=org.keycloak&t=maven&vr=%3C23.0.4
  Affected range : <23.0.4  
  Fixed version  : 23.0.4   

✗ LOW CVE-2024-1722 [Overly Restrictive Account Lockout Mechanism]
  https://scout.docker.com/v/CVE-2024-1722?s=github&n=keycloak-core&ns=org.keycloak&t=maven&vr=%3C%3D23.0.5
  Affected range : <=23.0.5                                      
  Fixed version  : 24.0.0                                        
  CVSS Score     : 3.7                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L  

✗ LOW GHSA-gmrm-8fx4-66x7 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
  https://scout.docker.com/v/GHSA-gmrm-8fx4-66x7?s=gitlab&n=keycloak-core&ns=org.keycloak&t=maven&vr=%3C%3D24.0.5
  Affected range : <=24.0.5                                      
  Fixed version  : not fixed                                     
  CVSS Score     : 2.7                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N  

✗ LOW CVE-2024-5967 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
  https://scout.docker.com/v/CVE-2024-5967?s=gitlab&n=keycloak-core&ns=org.keycloak&t=maven&vr=%3C%3D24.0.5
  Affected range : <=24.0.5                                      
  Fixed version  : not fixed                                     
  CVSS Score     : 2.7                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N  

✗ UNSPECIFIED GMS-2024-51 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
  https://scout.docker.com/v/GMS-2024-51?s=gitlab&n=keycloak-core&ns=org.keycloak&t=maven&vr=%3C23.0.4
  Affected range : <23.0.4  
  Fixed version  : 23.0.4   

0C 1H 0M 0L org.keycloak/keycloak-server-spi-private 22.0.1 pkg:maven/org.keycloak/keycloak-server-spi-private@22.0.1

✗ HIGH CVE-2023-6291 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
  https://scout.docker.com/v/CVE-2023-6291?s=gitlab&n=keycloak-server-spi-private&ns=org.keycloak&t=maven&vr=%3C22.0.7
  Affected range : <22.0.7                                       
  Fixed version  : 23.0.0                                        
  CVSS Score     : 7.1                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L  

0C 0H 4M 0L busybox 1.36.1-r15 pkg:apk/alpine/busybox@1.36.1-r15?os_name=alpine&os_version=3.19

✗ MEDIUM CVE-2023-42366
  https://scout.docker.com/v/CVE-2023-42366?s=alpine&n=busybox&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C1.36.1-r16
  Affected range : <1.36.1-r16  
  Fixed version  : 1.36.1-r16   

✗ MEDIUM CVE-2023-42365
  https://scout.docker.com/v/CVE-2023-42365?s=alpine&n=busybox&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C1.36.1-r19
  Affected range : <1.36.1-r19  
  Fixed version  : 1.36.1-r19   

✗ MEDIUM CVE-2023-42364
  https://scout.docker.com/v/CVE-2023-42364?s=alpine&n=busybox&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C1.36.1-r19
  Affected range : <1.36.1-r19  
  Fixed version  : 1.36.1-r19   

✗ MEDIUM CVE-2023-42363
  https://scout.docker.com/v/CVE-2023-42363?s=alpine&n=busybox&ns=alpine&t=apk&osn=alpine&osv=3.19&vr=%3C1.36.1-r17
  Affected range : <1.36.1-r17  
  Fixed version  : 1.36.1-r17   

0C 0H 1M 1L com.google.guava/guava 31.0.1-android pkg:maven/com.google.guava/guava@31.0.1-android

✗ MEDIUM CVE-2023-2976 [Creation of Temporary File in Directory with Insecure Permissions]
  https://scout.docker.com/v/CVE-2023-2976?s=github&n=guava&ns=com.google.guava&t=maven&vr=%3E%3D1.0%2C%3C32.0.0-android
  Affected range : >=1.0                                         
                 : <32.0.0-android                               
  Fixed version  : 32.0.0                                        
  CVSS Score     : 5.5                                           
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N  

✗ LOW CVE-2020-8908 [Improper Handling of Alternate Encoding]
  https://scout.docker.com/v/CVE-2020-8908?s=github&n=guava&ns=com.google.guava&t=maven&vr=%3C32.0.0-android
  Affected range : <32.0.0-android                               
  Fixed version  : 32.0.0                                        
  CVSS Score     : 3.3                                           
  CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N  

0C 0H 1M 0L org.apache.zookeeper/zookeeper 3.8.3 pkg:maven/org.apache.zookeeper/zookeeper@3.8.3

✗ MEDIUM CVE-2024-23944 [Exposure of Sensitive Information to an Unauthorized Actor]
  https://scout.docker.com/v/CVE-2024-23944?s=github&n=zookeeper&ns=org.apache.zookeeper&t=maven&vr=%3E%3D3.8.0%2C%3C%3D3.8.3
  Affected range : >=3.8.0  
                 : <=3.8.3  
  Fixed version  : 3.8.4    

0C 0H 1M 0L org.apache.james/apache-mime4j-core 0.8.9 pkg:maven/org.apache.james/apache-mime4j-core@0.8.9

✗ MEDIUM CVE-2024-21742 [Improper Input Validation]
  https://scout.docker.com/v/CVE-2024-21742?s=github&n=apache-mime4j-core&ns=org.apache.james&t=maven&vr=%3C0.8.10
  Affected range : <0.8.10  
  Fixed version  : 0.8.10   

27 vulnerabilities found in 8 packages
  UNSPECIFIED  3   
  LOW          4   
  MEDIUM       13  
  HIGH         3   
  CRITICAL     4   

What's next: View base image update recommendations → docker scout recommendations snyk-test-image:snyk-test

jaredb96 commented 1 month ago

More research, this time trying out Trivy @PatrickGoRaft. Trivy picks up more vulnerabilities than Snyk, but there are still CVEs that Scout picks up that it doesn't. Perhaps we could combine Snyk and Trivy to get most of the CVEs that Scout would report on.

jaredb96 commented 1 month ago

trivy-cves.md

jaredb96 commented 3 weeks ago

Let's implement this using Snyk and Trivy if we want it functioning like Docker Scout.
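The comparison jaredb96 did by hand (union the Snyk and Trivy findings, then check which of Docker Scout's CVEs the pair still misses), as an added example that is not part of this thread or the hmda-platform code. The Snyk and Trivy JSON shapes and the sample findings are constructed assumptions; only the Scout CVE IDs in the reference set are taken from the scan output above.

```python
import json

# Reference set: the CVE IDs Docker Scout reported for this image in the thread
# (Scout's GHSA-/GMS-only entries carry no CVE ID and are left out).
SCOUT_CVES = {
    "CVE-2024-45492", "CVE-2024-45491", "CVE-2024-45490", "CVE-2024-5535",
    "CVE-2024-6119", "CVE-2024-4603", "CVE-2024-4741", "CVE-2024-2511",
    "CVE-2023-6291", "CVE-2023-6841", "CVE-2023-6134", "CVE-2024-7318",
    "CVE-2024-7260", "CVE-2024-1722", "CVE-2024-5967", "CVE-2023-42366",
    "CVE-2023-42365", "CVE-2023-42364", "CVE-2023-42363", "CVE-2023-2976",
    "CVE-2020-8908", "CVE-2024-23944", "CVE-2024-21742",
}

# Constructed sample of `snyk container test --json` output: a list of per-project
# documents, each with a "vulnerabilities" array (assumed shape). The
# CVE-1900-00001 entry is a placeholder for a Snyk-only finding, not a real ID.
SNYK_JSON = json.dumps([
    {"vulnerabilities": [
        {"id": "SNYK-ALPINE319-OPENSSL-6593965", "packageName": "openssl/libcrypto3",
         "severity": "low", "identifiers": {"CVE": ["CVE-2024-2511"]}},
        {"id": "SNYK-ALPINE319-EXPAT-7908399", "packageName": "expat/libexpat",
         "severity": "critical", "identifiers": {"CVE": ["CVE-2024-45492"]}}]},
    {"vulnerabilities": [
        {"id": "SNYK-JAVA-PLACEHOLDER-0000000", "packageName": "org.example:sample",
         "severity": "high", "identifiers": {"CVE": ["CVE-1900-00001"]}}]},
])

# Constructed sample of `trivy image --format json` output (assumed shape);
# "Vulnerabilities" is null for a clean target, which the parser must tolerate.
TRIVY_JSON = json.dumps({"Results": [
    {"Target": "snyk-test-image:snyk-test (alpine 3.19.1)", "Class": "os-pkgs",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2024-45491", "PkgName": "libexpat", "FixedVersion": "2.6.3-r0"},
         {"VulnerabilityID": "CVE-2023-42366", "PkgName": "busybox", "FixedVersion": "1.36.1-r16"}]},
    {"Target": "Java", "Class": "lang-pkgs",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2023-2976", "PkgName": "com.google.guava:guava",
          "FixedVersion": "32.0.0-android"}]},
    {"Target": "/opt/java/openjdk/lib", "Class": "lang-pkgs", "Vulnerabilities": None},
]})


def snyk_cves(raw: str) -> set[str]:
    """Collect CVE IDs from Snyk JSON; accepts one project object or a list of them."""
    doc = json.loads(raw)
    projects = doc if isinstance(doc, list) else [doc]
    return {cve for p in projects for v in p.get("vulnerabilities", [])
            for cve in v.get("identifiers", {}).get("CVE", [])}


def trivy_cves(raw: str) -> set[str]:
    """Collect CVE IDs from Trivy JSON, skipping non-CVE IDs (GHSA-...) and null lists."""
    doc = json.loads(raw)
    return {v["VulnerabilityID"] for r in doc.get("Results", [])
            for v in (r.get("Vulnerabilities") or [])
            if v["VulnerabilityID"].startswith("CVE-")}


def coverage(snyk_raw: str, trivy_raw: str, reference: set[str] = SCOUT_CVES) -> dict:
    """Union both scanners' CVEs and measure them against the Scout reference set."""
    combined = snyk_cves(snyk_raw) | trivy_cves(trivy_raw)
    return {"combined": combined,
            "missed": reference - combined,   # Scout CVEs neither scanner reported
            "extra": combined - reference,    # reported here but absent from Scout
            "coverage": len(reference & combined) / len(reference)}
```

Pointing `snyk_cves` and `trivy_cves` at real `--json` output files gives the "missed" list that decides whether the Snyk plus Trivy pair is close enough to Scout for the pipeline.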