docker / scout-cli

Docker Scout CLI
https://docker.com/products/docker-scout

How does docker-scout determine version numbers of compiled artefacts? #120

Closed wood-jp closed 1 month ago

wood-jp commented 1 month ago

We recently started to use Docker Scout, and one of our images came back with many high and critical issues. Looking closer, everything was related to github.com/ethereum/go-ethereum, which DS thinks we are using at v1.4.4 and built with a Go version < 1.15. However, this is not the case at all. While the image contains a version of geth, it is a fork based on v1.13.8 built using Go 1.21.9.

I cannot give anything more specific at this time, but I am confused how Docker Scout arrived at this conclusion and if there is something I should be doing to help DS correctly identify what it is scanning.

cdupuis commented 1 month ago

When specifying --locations on the CLI, you see exactly where Docker Scout detected those packages. For Go versions and dependencies, Docker Scout uses the compiled dependency data inside Go binaries.

If you can provide a sample image or Dockerfile, I'm happy to take a look too.
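Added example (not from this thread, and not Docker Scout's code) showing what the "compiled dependency data inside Go binaries" is and how to read it yourself before comparing against a scanner's verdict. Since Go 1.18 the toolchain embeds a build-info record in every binary; the standard library exposes it through `debug/buildinfo` (read from a file) and `runtime/debug.ParseBuildInfo` (parse the text form). The record lists each dependency under the module path it was compiled as, plus the version stamped by the toolchain, and, when `go.mod` carries a `replace` directive, a `=>` line naming the module that was actually linked. A fork pulled in via `replace` is therefore still recorded under the upstream path, so any tool keying on path+version alone will attribute the upstream module to the binary. The sample record, the module paths `example.com/app` and `github.com/example/geth-fork`, and the `h1:` sums are constructed placeholders; the function names are this example's own.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
)

// ModuleReport is one dependency as recorded in a Go binary's embedded build
// info: the module path the code was compiled under, the version the Go
// toolchain stamped, and the replacement module when a go.mod `replace`
// directive pointed that path at a fork.
type ModuleReport struct {
	Path     string
	Version  string
	Replaced string // "path@version" of the replacement module; empty if none
}

// Summarize reduces a BuildInfo to the fields worth comparing against a
// scanner's output: the Go version the binary was built with and, per
// dependency, the path/version pair a scanner would key its lookups on.
func Summarize(bi *debug.BuildInfo) (goVersion string, deps []ModuleReport) {
	for _, d := range bi.Deps {
		r := ModuleReport{Path: d.Path, Version: d.Version}
		if d.Replace != nil {
			// d.Path/d.Version is what a path-keyed lookup sees; the
			// replacement is the code that was actually linked.
			r.Replaced = d.Replace.Path + "@" + d.Replace.Version
		}
		deps = append(deps, r)
	}
	return bi.GoVersion, deps
}

// FindDep returns the report for one module path, or nil if the binary does
// not record that module at all.
func FindDep(deps []ModuleReport, path string) *ModuleReport {
	for i := range deps {
		if deps[i].Path == path {
			return &deps[i]
		}
	}
	return nil
}

// ReadBinary reads the build info embedded in a compiled Go executable
// (any OS/arch; the file is only parsed, never executed) and summarizes it.
func ReadBinary(path string) (string, []ModuleReport, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", nil, err
	}
	goVersion, deps := Summarize(bi)
	return goVersion, deps, nil
}

// SampleBuildInfo is a constructed record in the text form produced by
// debug.BuildInfo.String(): tab-separated, one entry per line, with a "=>"
// line giving the replacement for the dependency directly above it.
// Module paths and sums are placeholders, not data from any real build.
const SampleBuildInfo = "path\texample.com/app\n" +
	"mod\texample.com/app\t(devel)\t\n" +
	"dep\tgithub.com/ethereum/go-ethereum\tv1.13.8\n" +
	"=>\tgithub.com/example/geth-fork\tv1.13.8-fork\th1:placeholder1=\n" +
	"dep\tgolang.org/x/crypto\tv0.18.0\th1:placeholder2=\n" +
	"build\t-compiler=gc\n"

// LoadSample parses SampleBuildInfo. ParseBuildInfo only covers the module
// records; in a real binary the Go version sits in a separate marker that
// buildinfo.ReadFile fills in, so the sample sets it explicitly (constructed).
func LoadSample() (string, []ModuleReport, error) {
	bi, err := debug.ParseBuildInfo(SampleBuildInfo)
	if err != nil {
		return "", nil, err
	}
	bi.GoVersion = "go1.21.9"
	goVersion, deps := Summarize(bi)
	return goVersion, deps, nil
}

func main() {
	var (
		goVersion string
		deps      []ModuleReport
		err       error
	)
	if len(os.Args) > 1 {
		goVersion, deps, err = ReadBinary(os.Args[1]) // e.g. a geth binary copied out of the image
	} else {
		goVersion, deps, err = LoadSample()
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println("built with", goVersion)
	for _, d := range deps {
		if d.Replaced != "" {
			fmt.Printf("%s %s  (replaced by %s)\n", d.Path, d.Version, d.Replaced)
		} else {
			fmt.Printf("%s %s\n", d.Path, d.Version)
		}
	}
}
```

Run it with no arguments to see the constructed sample, or with the path of a binary extracted from the image to see the real record; `go version -m <binary>` prints the same data without any code. If the `dep` line for a module shows a version and Go toolchain that do not match what was built, the binary's own record is the place to start, because that is the evidence a scanner reads; a `=>` line under the dependency means the scanner's verdict may apply to the upstream path rather than the fork that was linked.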

injectedfusion commented 1 month ago

@cdupuis, it's a private docker hub repository; what's the proper procedure to bring this to official docker support in a secure manner?

cdupuis commented 1 month ago

There’s https://hub.docker.com/support/contact/ to open a Support Ticket.

Alternatively, you can email me directly at “firstname dot last name” at docker.com. My name is in my public GitHub profile.

wood-jp commented 1 month ago

Ticket submitted there. Thanks @cdupuis.