Closed kmeekva closed 1 year ago
@kmeekva, thanks for raising this. I can see that we are currently behind on processing the Red Hat advisory data. The required update is now in our data processing pipeline and will show up soon. I'll report back once we have confirmation that the data has been updated.
@kmeekva, the advisory data has now caught up and this CVE should not get reported any longer on your image. Would you be able to confirm this by running the docker scout command again?
@cdupuis, I can confirm it is no longer showing that as a vulnerability.
Thanks for the quick attention to this.
Closing the issue.
Thanks for reporting back!
Just trying out SCOUT -- looks like a great tool.
But when I scan an image based on Red Hat 8 it finds vulnerabilities like this one -- identified as Not Fixed:
pkg:rpm/redhatlinux/openssl@1:1.1.1k-9.el8_7?os_name=redhatlinux&os_version=8
However, Red Hat says it addressed the issue with the version of the RPM we have installed.
The Red Hat CVE page: https://access.redhat.com/security/cve/cve-2023-0286
refers to https://access.redhat.com/errata/RHSA-2023:1405
which on the update tab says that the CVE was addressed with version: openssl-1.1.1k-9.el8_7.x86_64.rpm
Which I think is the version identified in the scout output: pkg:rpm/redhatlinux/openssl@1:1.1.1k-9.el8_7?
Is there something I need to do to get an updated CVE database for the scout scans?
The Docker CVE page: https://dso.docker.com/cve/CVE-2023-0286 was last updated 3 months ago -- maybe that is the issue? It has not been updated with the Red Hat solution?
Kevin
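The check described in the report above, written out as an added example (not part of the original thread and not Docker Scout's code): it compares the package purl from the scan output against the fixed RPM file name from the erratum. The function names are hypothetical, and `rpmvercmp` here is a simplified version of RPM's segment comparison that ignores `~` and `^`.

```python
import re
from urllib.parse import unquote

def parse_purl_rpm(purl):
    """Split a pkg:rpm purl into (name, epoch, version, release)."""
    body = purl.split("?", 1)[0]            # drop qualifiers such as os_name
    path, evr = body.rsplit("@", 1)
    name = path.rsplit("/", 1)[1]
    epoch, _, vr = unquote(evr).rpartition(":")
    version, _, release = vr.partition("-")
    return name, int(epoch or 0), version, release

def parse_rpm_filename(filename):
    """Split name-version-release.arch.rpm into (name, version, release)."""
    nvr = filename[:-len(".rpm")].rsplit(".", 1)[0]   # drop ".rpm", then arch
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def rpmvercmp(a, b):
    """Simplified rpmvercmp: compare digit/alpha segments left to right."""
    sa = re.findall(r"\d+|[a-zA-Z]+", a)
    sb = re.findall(r"\d+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment beats an alpha one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_fixed(purl, fixed_rpm_filename):
    """True if the installed package is at or above the erratum's fixed build."""
    name, _epoch, ver, rel = parse_purl_rpm(purl)
    fname, fver, frel = parse_rpm_filename(fixed_rpm_filename)
    if name != fname:
        raise ValueError("package names differ: %s vs %s" % (name, fname))
    # Assumption: erratum file names carry no epoch, so both sides are taken
    # to share one and only version and release are compared.
    return (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) >= 0

if __name__ == "__main__":
    # Both values are the ones quoted in the report above.
    purl = ("pkg:rpm/redhatlinux/openssl@1:1.1.1k-9.el8_7"
            "?os_name=redhatlinux&os_version=8")
    print(is_fixed(purl, "openssl-1.1.1k-9.el8_7.x86_64.rpm"))
```

A `True` result for a finding the scanner still marks as Not Fixed points at stale advisory data on the scanner side rather than at the image.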