1. Scan the current version of the image using trivy (https://aquasecurity.github.io/trivy) with a command like `trivy image --scanners vuln --severity CRITICAL,HIGH --timeout 60m [...image address...]`
2. Validate that the CVEs are detected using trivy. The provided scans were taken using a different scanner (ECR), so the first step should be to validate that trivy can see them as well.
3. Iterate to resolve the vulnerabilities. trivy enables you to scan the image without pushing it, so it should help in finding the resolution.
4. Test and publish the fixed version, and let us know where we can find the fixed image(s) so we can validate the fixes on our side as well.

Note that we disregard the severity levels assigned by various tools and operate solely on CVSS in line with NIST guidelines. Also note that this scan was performed by ECR, so the results will likely be different. In our experience, Trivy produces more results than ECR or Prisma.
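The triage rule above (CVSS score rather than the scanner's own severity label) applied to Trivy's JSON output, as an added example that is not part of the original issue: it reads a report in the shape of `trivy image -f json`, keeps findings whose NVD CVSS v3 base score is at or above 7.0 (the floor of the NIST "High" band), and flags entries that carry no NVD score instead of dropping them. The report, CVE ids, package names and scores are constructed placeholders.

```python
import json
# Constructed sample in the shape of `trivy image -f json` output; the CVE ids,
# package names and scores are placeholders, not the findings from this issue.
SAMPLE_REPORT = json.loads("""
{"SchemaVersion": 2, "ArtifactName": "wave-scan:latest", "Results": [
 {"Target": "home/wave/venv/waved", "Class": "lang-pkgs", "Type": "gobinary",
  "Vulnerabilities": [
   {"VulnerabilityID": "CVE-0000-00001", "PkgName": "example.org/lib-a", "InstalledVersion": "1.0.0",
    "FixedVersion": "1.0.1", "Severity": "MEDIUM", "CVSS": {"nvd": {"V3Score": 7.5}, "redhat": {"V3Score": 5.3}}},
   {"VulnerabilityID": "CVE-0000-00002", "PkgName": "example.org/lib-b", "InstalledVersion": "2.1.0",
    "FixedVersion": "", "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 6.1}}},
   {"VulnerabilityID": "CVE-0000-00003", "PkgName": "example.org/lib-c", "InstalledVersion": "0.9.0",
    "FixedVersion": "0.9.2", "Severity": "CRITICAL", "CVSS": {"nvd": {"V3Score": 9.8}}},
   {"VulnerabilityID": "CVE-0000-00004", "PkgName": "example.org/lib-d", "InstalledVersion": "3.0.0",
    "FixedVersion": "3.0.1", "Severity": "LOW", "CVSS": {}}]}]}
""")

def nist_rating(score):
    """Map a CVSS v3.x base score to the NIST qualitative severity rating."""
    if score is None:
        return "UNKNOWN"  # no NVD score: flag for manual triage, do not drop
    if score == 0.0:
        return "NONE"
    for upper, label in ((4.0, "LOW"), (7.0, "MEDIUM"), (9.0, "HIGH")):
        if score < upper:
            return label
    return "CRITICAL"

def nvd_v3_score(vuln):
    """NVD CVSS v3 base score of a Trivy vulnerability entry, or None if absent."""
    return vuln.get("CVSS", {}).get("nvd", {}).get("V3Score")

def findings_at_or_above(report, threshold=7.0):
    """Select findings by NVD CVSS v3 score (7.0 = floor of NIST 'High'), ignoring
    the scanner's own Severity label; unscored entries are kept as UNKNOWN."""
    selected = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            score = nvd_v3_score(v)
            if score is None or score >= threshold:
                selected.append({
                    "target": result.get("Target"), "id": v["VulnerabilityID"],
                    "pkg": v.get("PkgName"), "installed": v.get("InstalledVersion"),
                    "fixed": v.get("FixedVersion") or "(no fix)", "cvss_v3": score,
                    "trivy_severity": v.get("Severity"), "nist_rating": nist_rating(score)})
    return selected

if __name__ == "__main__":
    for f in findings_at_or_above(SAMPLE_REPORT):
        print(f"{f['id']} {f['pkg']} trivy={f['trivy_severity']} cvss={f['cvss_v3']} nist={f['nist_rating']} fix={f['fixed']}")
```

Note how `CVE-0000-00001` is labelled MEDIUM by the scanner but rates HIGH on NVD CVSS, while `CVE-0000-00002` is labelled HIGH but falls below 7.0; a filter on `--severity CRITICAL,HIGH` alone would get both wrong under the CVSS rule.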
Image
I noticed several vulnerabilities showing up attributed to Wave in downstream projects, and built the following simple Dockerfile that I could use to perform scanning:
```dockerfile
# Build stage: install h2o-wave into a venv as a non-root user
FROM python:3.12-slim AS BUILD
RUN useradd -rm -d /home/wave -s /bin/bash -g root -G sudo -u 1001 wave
USER wave
WORKDIR /home/wave
RUN python -m venv venv
COPY requirements.txt .
RUN venv/bin/pip install -r requirements.txt

# Runtime stage: copy the populated venv onto a minimal base image for scanning
FROM gcr.io/distroless/static AS runtime
COPY --from=BUILD /home/wave /home/wave
```
requirements.txt:

```text
h2o-wave
```
The listed vulnerabilities are picked up in the waved binary at /home/wave/venv/waved.
Hello! As part of our ongoing efforts to ensure the security of our products, one or more vulnerabilities requiring remediation have been identified.
To resolve this, we recommend the following approach:
The output of the `pip install` is as follows: