docker / scout-cli

Docker Scout CLI
https://docker.com/products/docker-scout

False positive when a *.deps.json file contains a dependency to a vulnerable package #93

Closed CorneliaS closed 3 weeks ago

CorneliaS commented 5 months ago

Publishing a C# project as "self-contained" adds numerous dependencies in the *.deps.json file with versions that do not always represent the version in use.

For example, a C# Asp.Net project (.net 6.0) with the dependency to "System.Net.Http" version 4.3.4 creates a deps.json file where the reference is to the System.Private.Uri.dll of version "6.0.0.0", but refers to version 4.3.0 for "runtime.any.System.Runtime/4.3.0" (and others).

If you include the deps.json file in a Docker image and check that image for vulnerabilities, Docker Scout (version 1.3) detects 3 vulnerabilities for System.Private.Uri.dll version 4.3.0. Apart from the mention in the *.deps.json file, the version would never be used. (The version of System.Private.Uri included in the release folder is version "6.0.0.0")

Please correct me if I am wrong: I think the result is a false positive.

Docker Scout version 1.2.2 and "dotnet list xxx.sln package --vulnerable --include-transitive --source https://api.nuget.org/v3/index.json" have not detected any vulnerability here.

Attached you find an example of the deps.json file: WebApplication1.deps.json

Update: Steps to reproduce

Create an image with the WebApplication1.deps.json file. Dockerfile:

```dockerfile
FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
COPY WebApplication1.deps.json .
```

Image creation: `docker build -t testimage:latest -f .\Dockerfile .`

Running the docker scout CLI for that image returns the System.Private.Uri.dll vulnerabilities.
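One way to see why a deps.json can name package versions that are never loaded, as an added example (not the issue author's code and not part of Docker Scout): parse the `targets` section, group every declared runtime asset by DLL name, and report the packages whose copy of a DLL is out-ranked by a newer copy elsewhere in the graph, since the build's conflict resolution keeps only the newest copy. The deps.json below is a constructed sample modelled on the real layout, not the attached WebApplication1.deps.json, and its versions are illustrative.

```python
import json
from collections import defaultdict

# Constructed sample modelled on the *.deps.json layout; not the attached
# WebApplication1.deps.json. Package and assembly versions are illustrative.
SAMPLE_DEPS_JSON = json.dumps({
    "runtimeTarget": {"name": ".NETCoreApp,Version=v6.0/linux-x64"},
    "targets": {
        ".NETCoreApp,Version=v6.0/linux-x64": {
            "WebApplication1/1.0.0": {
                "dependencies": {"System.Net.Http": "4.3.4"},
                "runtime": {"WebApplication1.dll": {}},
            },
            "System.Private.Uri/4.3.0": {
                "runtime": {"lib/netstandard1.0/System.Private.Uri.dll": {
                    "assemblyVersion": "4.0.2.0", "fileVersion": "4.6.24705.1"}},
            },
            "runtimepack.Microsoft.NETCore.App.Runtime.linux-x64/6.0.25": {
                "runtime": {"System.Private.Uri.dll": {
                    "assemblyVersion": "6.0.0.0", "fileVersion": "6.0.2523.51912"}},
            },
        }
    },
})


def parse_version(text):
    """'4.0.2.0' -> (4, 0, 2, 0); a missing or malformed version sorts lowest."""
    try:
        return tuple(int(p) for p in text.split("."))
    except (AttributeError, ValueError):
        return (-1,)


def shadowed_packages(deps_json_text):
    """Map package id -> DLLs it declares that a newer copy of the same DLL
    out-ranks. Only the highest assemblyVersion of a DLL name ends up in the
    output, so these entries exist on paper only and are the first candidates
    to review when a scanner flags their package version."""
    doc = json.loads(deps_json_text)
    target = doc["targets"][doc["runtimeTarget"]["name"]]
    by_dll = defaultdict(list)  # DLL name -> [(assembly_version, package_id)]
    for pkg_id, entry in target.items():
        for asset, meta in entry.get("runtime", {}).items():
            dll = asset.rsplit("/", 1)[-1]
            by_dll[dll].append((parse_version(meta.get("assemblyVersion")), pkg_id))
    shadowed = {}
    for dll, copies in by_dll.items():
        copies.sort()
        for _, pkg_id in copies[:-1]:  # every copy except the winning one
            shadowed.setdefault(pkg_id, []).append(dll)
    return shadowed


if __name__ == "__main__":
    for pkg, dlls in shadowed_packages(SAMPLE_DEPS_JSON).items():
        print(f"{pkg}: shadowed assets {dlls}")
```

Run against a real publish output's deps.json, the report lists the entries worth comparing with the DLL actually present in the image before accepting a finding keyed on the package version.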

Astral100 commented 3 months ago

I have a similar issue. Have there been any kind of update or resolution since then?

cdupuis commented 3 months ago

Sorry for the silence on this issue. We are aware and will address this with the next release of the CLI.

cdupuis commented 2 months ago

The latest CLI should fix this issue.

CorneliaS commented 2 months ago

I can still reproduce this behavior with docker/scout-cli:latest (version 1.7.1). I've added an update with the steps to reproduce in the first post.

cdupuis commented 2 months ago

Oh, I was ahead of time. This is going to get released with the next version.

CorneliaS commented 2 months ago

Great! Thank you :)

cdupuis commented 3 weeks ago

The fix was released.