docker / scout-cli

Docker Scout CLI
https://docker.com/products/docker-scout

Incorrect version of a Go binary #121

Closed DarthSim closed 3 weeks ago

DarthSim commented 1 month ago

Hey there 👋

I tried to scan our Docker image darthsim/imgproxy and Docker Scout showed me the following:

   0C     0H     2M     0L  github.com/imgproxy/imgproxy/v3 1.16.1
pkg:golang/github.com/imgproxy/imgproxy@1.16.1#v3

8: sha256:18436b7d64882172a67da66d92933986097b6caf61c5147e55c4347e2904b3c9
/usr/local/bin/imgproxy (evident by)

    ✗ MEDIUM CVE-2023-1496 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
      https://scout.docker.com/v/CVE-2023-1496
      Affected range : <3.14.0
      Fixed version  : 3.14.0
      CVSS Score     : 5.4
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

    ✗ MEDIUM CVE-2023-30019 [Server-Side Request Forgery (SSRF)]
      https://scout.docker.com/v/CVE-2023-30019
      Affected range : <3.15.0
      Fixed version  : 3.15.0
      CVSS Score     : 5.3
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

The thing is that /usr/local/bin/imgproxy is an imgproxy v3.24.1 binary. A more interesting thing is that imgproxy doesn't even have version 1.16.1.

Is there a way to make DS extract the correct version from the binary?
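Added example (not Docker Scout's or imgproxy's code) showing where the correct version lives: a Go 1.18+ binary carries a build-info record whose `mod` line holds the main module path and version, so a scanner that reads it gets `github.com/imgproxy/imgproxy/v3 v3.24.1` rather than a guessed `1.16.1`. The parser below reads that record from `SAMPLE_BLOB`, a constructed byte string laid out like the real record; the magic and sentinel constants are assumed from the Go toolchain sources, and `build_blob` exists only to build the sample.

```python
MAGIC = b"\xff Go buildinf:"      # 14-byte marker written by the Go linker
HEADER_SIZE = 32                  # magic + ptr size + flags, padded to 32
FLAG_INLINE_STRINGS = 0x2         # Go 1.18+: varint-prefixed strings follow header
MOD_START = bytes.fromhex("3077af0c9274080241e1c107e6d618e6")  # cmd/go sentinels
MOD_END = bytes.fromhex("f932433186182072008242104116d8f2")    # framing modinfo

def _uvarint(data, pos):          # Go encoding/binary Uvarint -> (value, next pos)
    value, shift = 0, 0
    while data[pos] >= 0x80:
        value, shift, pos = value | (data[pos] & 0x7F) << shift, shift + 7, pos + 1
    return value | data[pos] << shift, pos + 1

def _put_uvarint(n):
    out = b""
    while n >= 0x80:
        out, n = out + bytes([n & 0x7F | 0x80]), n >> 7
    return out + bytes([n])

def _string(data, pos):           # length-prefixed byte string -> (bytes, next pos)
    n, pos = _uvarint(data, pos)
    return data[pos:pos + n], pos + n

def read_buildinfo(blob):
    start = blob.find(MAGIC)
    if start < 0:
        raise ValueError("no Go build info in binary")
    if not blob[start + 15] & FLAG_INLINE_STRINGS:
        raise ValueError("pre-Go-1.18 pointer layout not handled here")
    go_version, pos = _string(blob, start + HEADER_SIZE)
    mod, _ = _string(blob, pos)
    # Strip the sentinel framing the same way debug/buildinfo does.
    mod = mod[16:-16] if len(mod) >= 33 and mod[-17] == 0x0A else b""
    info = {"go": go_version.decode(), "path": "", "main": None, "deps": []}
    for f in (line.split("\t") for line in mod.decode().splitlines()):
        if f[0] == "path":
            info["path"] = f[1]
        elif f[0] == "mod":       # main module; "(devel)" when built from an untagged tree
            info["main"] = (f[1], f[2])
        elif f[0] == "dep":
            info["deps"].append((f[1], f[2]))
    return info

def build_blob(go_version, modinfo):   # constructed build-info region, linker layout
    header = MAGIC + bytes([8, FLAG_INLINE_STRINGS])
    header += b"\x00" * (HEADER_SIZE - len(header))
    framed = MOD_START + modinfo + MOD_END
    return (b"\x00" * 64 + header + _put_uvarint(len(go_version)) + go_version
            + _put_uvarint(len(framed)) + framed + b"\x00" * 64)

SAMPLE_BLOB = build_blob(b"go1.21.5", (   # constructed; /v3 suffix is part of the path
    b"path\tgithub.com/imgproxy/imgproxy/v3\n"
    b"mod\tgithub.com/imgproxy/imgproxy/v3\tv3.24.1\t\n"
    b"dep\tgolang.org/x/image\tv0.14.0\th1:constructed-sum\n"))
```

The `(devel)` case is the one to watch: a binary built from a source tree without a version tag carries no usable main-module version, so any tool has to fall back to other evidence there.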

cdupuis commented 1 month ago

@DarthSim, thanks for raising this. Sorry for the inconvenience.

I think this is similar or related to #120. We have work in progress to address the issues around Go module version detection. I'll verify with your image that this is indeed the same issue we are seeing with #120. Thanks again.

cdupuis commented 3 weeks ago

The fix was released.

DarthSim commented 3 weeks ago

Thanks a lot!