markvincze / sabledocs

Simple static documentation generator for Protobuf and gRPC contracts.
MIT License

Fix vulnerabilities for the alpine image #62

Closed msharbaji closed 2 months ago

msharbaji commented 2 months ago
markvincze commented 2 months ago

@msharbaji Thanks for the submission!

Do I see it correctly that we're downgrading the base image version? Is that intentional? Isn't there a newer version where the vulnerability is fixed? For example I see that the latest 3.12 version is 3.12.2-alpine.

markvincze commented 2 months ago

I would also be okay with not specifying the PATCH number, so just using 3.12-alpine.

msharbaji commented 2 months ago

@markvincze Ah, it's indeed my bad :), it's not intentional. I missed taking a look at the minor version, I was just looking at patches :). Yes, this version should work:

trivy image python:3.12.2-alpine
2024-04-08T11:44:16.592+0200    INFO    Vulnerability scanning is enabled
2024-04-08T11:44:16.592+0200    INFO    Secret scanning is enabled
2024-04-08T11:44:16.592+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-04-08T11:44:16.592+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-04-08T11:44:17.765+0200    INFO    Detected OS: alpine
2024-04-08T11:44:17.765+0200    WARN    This OS version is not on the EOL list: alpine 3.19
2024-04-08T11:44:17.765+0200    INFO    Detecting Alpine vulnerabilities...
2024-04-08T11:44:17.767+0200    INFO    Number of language-specific files: 1
2024-04-08T11:44:17.768+0200    INFO    Detecting python-pkg vulnerabilities...

python:3.12.2-alpine (alpine 3.19.1)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
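The review above raises two things a base-image bump should satisfy: it must not silently move to an older tag, and the tag it lands on should still scan clean. The script below is an added example and is not code from sabledocs or from this PR. It assumes `python:3.12.1-alpine` as a hypothetical "before" tag (the PR's original tag is not shown on the page), uses `python:3.12.2-alpine` and `python:3.12-alpine` from the thread plus a constructed `python:3.11.9-alpine` as candidate "after" tags, and only runs the trivy step when `trivy` is on PATH.

```shell
#!/bin/sh
# Added example (not part of sabledocs): sanity-check a Dockerfile base-image bump.
# 1. is it a downgrade?  2. does the new image scan clean with trivy?

# dockerfile_base: print the image reference of the first FROM line read on stdin.
dockerfile_base() {
  awk 'toupper($1) == "FROM" { print $2; exit }'
}

# tag_version IMAGE: "python:3.12.2-alpine" -> "3.12.2".
# Drops the repository (everything up to the last ':') and the variant suffix ("-alpine").
tag_version() {
  printf '%s\n' "$1" | sed -e 's/^.*://' -e 's/-.*$//'
}

# tagcmp OLD NEW: prints 1 if NEW is newer than OLD, -1 if older, 0 otherwise.
# Only the components both tags name are compared, so a floating tag such as
# 3.12 is equal to 3.12.1 rather than older than it. Non-numeric tags (latest,
# digests) cannot be ordered and are reported as 0.
tagcmp() {
  a="$1." b="$2."
  while [ -n "$a" ] && [ -n "$b" ]; do
    x=${a%%.*} a=${a#*.}
    y=${b%%.*} b=${b#*.}
    case "$x$y" in *[!0-9]*) echo 0; return ;; esac
    if [ "$x" -lt "$y" ]; then echo 1; return; fi
    if [ "$x" -gt "$y" ]; then echo -1; return; fi
  done
  echo 0
}

# is_downgrade OLD_IMAGE NEW_IMAGE: succeeds (exit 0) when NEW is older than OLD.
is_downgrade() {
  [ "$(tagcmp "$(tag_version "$1")" "$(tag_version "$2")")" = -1 ]
}

# scan_clean IMAGE: fail if trivy finds HIGH or CRITICAL vulnerabilities.
# Skipped (treated as unknown, exit 0) when trivy is not installed.
scan_clean() {
  if ! command -v trivy >/dev/null 2>&1; then
    echo "trivy not installed; skipping scan of $1" >&2
    return 0
  fi
  trivy image --scanners vuln --severity HIGH,CRITICAL --exit-code 1 "$1"
}

# Demonstration on constructed input. python:3.12.1-alpine is an assumed "before";
# the candidates mirror the thread (3.12.2, floating 3.12) plus an illustrative 3.11.9.
old=$(printf 'FROM python:3.12.1-alpine AS build\nRUN pip install sabledocs\n' | dockerfile_base)
for new in python:3.12.2-alpine python:3.12-alpine python:3.11.9-alpine; do
  if is_downgrade "$old" "$new"; then
    echo "$old -> $new: downgrade, reject"
  else
    echo "$old -> $new: not a downgrade, scanning"
    scan_clean "$new" || echo "$new: scan reported findings"
  fi
done
```

In CI the same two functions gate the PR: reject when `is_downgrade` succeeds, then require `scan_clean` to exit 0 on the new tag. Note that `--exit-code 1` combined with `--severity HIGH,CRITICAL` is what turns the "Total: 0" line from the thread into a pass/fail signal.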