docker / scout-cli

Docker Scout CLI
https://docker.com/products/docker-scout

CVE is only detected when package is installed, not when it's built from source #128

Open gergelyfabian opened 6 days ago

gergelyfabian commented 6 days ago

Example CVE:

https://scout.docker.com/vulnerabilities/id/CVE-2023-41915?s=ubuntu&n=pmix&ns=ubuntu&t=deb&osn=ubuntu&osv=22.04&vr=%3E%3D0

Compare:

1. Installing the package

```dockerfile
FROM ubuntu:22.04

RUN apt-get update && apt-get install -y libpmix2
```

CVE is detected.

2. Building from source

```dockerfile
FROM ubuntu:22.04

RUN apt-get update && apt-get install -y \
    wget \
    tar \
    libevent-dev \
    libhwloc-dev \
    build-essential \
    python3

ARG DOCKER_PMIX_VERSION=4.1.2
RUN wget https://github.com/openpmix/openpmix/releases/download/v${DOCKER_PMIX_VERSION}/pmix-${DOCKER_PMIX_VERSION}.tar.gz && \
    tar -xzvf pmix-${DOCKER_PMIX_VERSION}.tar.gz && \
    cd pmix-${DOCKER_PMIX_VERSION} && \
    ./configure --prefix=/usr/local && \
    make && \
    make install

RUN apt purge -y build-essential linux-libc-dev && apt autoremove -y
```

CVE is not detected.

Is this expected?
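The behaviour described in the issue follows from how package-based scanners work: they match CVEs against package names and versions recorded in the distribution's package database (for Debian/Ubuntu, the dpkg status file and the per-package `.list` files), so a library compiled from a tarball and installed under `/usr/local` leaves no package record to match against. The script below is an added example, not code from the issue author or from Docker Scout; it reproduces that blind spot on constructed stand-ins for the dpkg metadata and a constructed list of shared objects found in an image, then shows the shape of a CycloneDX-style component that names the source-built library explicitly so an SBOM can carry it. The package versions, file paths and the `pkg:generic` purl type are assumptions chosen for illustration.

```python
"""Find shared libraries that no dpkg package owns, and name them in an SBOM.

Added example: a scanner keyed on dpkg metadata only sees files that some
package's .list file claims; anything built from source is invisible to it.
"""
import json
import re

# Constructed stand-in for /var/lib/dpkg/status (two packages, abbreviated).
# The version strings are illustrative, not the real Ubuntu 22.04 versions.
DPKG_STATUS = """\
Package: libpmix2
Status: install ok installed
Version: 4.1.2-2ubuntu1
Architecture: amd64

Package: libevent-2.1-7
Status: install ok installed
Version: 2.1.12-stable-1build3
Architecture: amd64
"""

# Constructed stand-ins for /var/lib/dpkg/info/<package>.list.
DPKG_LISTS = {
    "libpmix2": """\
/usr/lib/x86_64-linux-gnu/libpmix.so.2
/usr/lib/x86_64-linux-gnu/libpmix.so.2.6.2
""",
    "libevent-2.1-7": """\
/usr/lib/x86_64-linux-gnu/libevent-2.1.so.7
""",
}

# Constructed result of walking the image for shared objects: the apt-installed
# libraries plus a copy of pmix built from source with --prefix=/usr/local.
FOUND_LIBS = [
    "/usr/lib/x86_64-linux-gnu/libpmix.so.2",
    "/usr/lib/x86_64-linux-gnu/libpmix.so.2.6.2",
    "/usr/lib/x86_64-linux-gnu/libevent-2.1.so.7",
    "/usr/local/lib/libpmix.so.2",
    "/usr/local/lib/libpmix.so.2.6.2",
]


def parse_dpkg_status(text):
    """Return {package: version} for every installed package in a status file."""
    installed = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(
            line.split(": ", 1) for line in stanza.splitlines() if ": " in line
        )
        if fields.get("Status", "").endswith("installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed


def file_owners(lists):
    """Return {path: package} from the per-package .list contents."""
    owners = {}
    for pkg, listing in lists.items():
        for path in listing.splitlines():
            if path.strip():
                owners[path.strip()] = pkg
    return owners


def untracked_libraries(found, lists):
    """Shared objects that no package claims: exactly what a dpkg-based
    scanner cannot associate with a name and version."""
    owners = file_owners(lists)
    return sorted(path for path in found if path not in owners)


def cyclonedx_component(name, version, purl_type="generic"):
    """Minimal CycloneDX-style component naming a source-built library.
    Assumption: a pkg:generic purl; a real SBOM may use a more specific type."""
    return {
        "type": "library",
        "name": name,
        "version": version,
        "purl": f"pkg:{purl_type}/{name}@{version}",
    }


if __name__ == "__main__":
    print("installed packages:", parse_dpkg_status(DPKG_STATUS))
    missing = untracked_libraries(FOUND_LIBS, DPKG_LISTS)
    print("libraries no package owns:", missing)
    # Record the source build so it has a name/version for CVE matching.
    print(json.dumps(cyclonedx_component("pmix", "4.1.2"), indent=2))
```

Run against real image data, `parse_dpkg_status` would read `/var/lib/dpkg/status`, `DPKG_LISTS` would come from `/var/lib/dpkg/info/*.list`, and `FOUND_LIBS` from a filesystem walk for `*.so*`; any path the script reports is a component that needs to be declared in the image's SBOM (or installed from a package) before a package-based scanner can match a CVE such as the one in the issue to it.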