microsoft / DockerTools

Tools For Docker, including Visual Studio Provisioning and Publishing

Check whether the file has been patched with the update #410

Closed winnie008 closed 5 months ago

winnie008 commented 7 months ago

Hi team,

We notice there is an updated image "4.7.2-20231114-windowsservercore-ltsc2019" in the doc (https://hub.docker.com/_/microsoft-dotnet-framework-runtime/); however, this image is still flagged with the vulnerability finding "Microsoft .NET Framework Update for November 2023" in Microsoft Defender for Cloud.

Could you please verify whether the base file has been patched with the update?

Thanks for your help!

dbreshears commented 7 months ago

@winnie008, the images themselves are maintained at https://github.com/dotnet/dotnet-docker. I'm unable to transfer this issue, can you open an issue there for this?

lbussell commented 6 months ago

Hi @winnie008, I am a maintainer for that image (Dockerfile). The version of .NET in this image comes from the Windows base layer. We don't install anything extra.

I checked the layers in our image using docker history and compared them to the Windows base image. The latest versions of mcr.microsoft.com/windows/servercore:ltsc2019-amd64 and mcr.microsoft.com/dotnet/framework/runtime:4.7.2-20231114-windowsservercore-ltsc2019 contain the same Windows version: 10.0.17763.5122.

I will get in touch with the Windows container team about a potential false positive here.

winnie008 commented 6 months ago

Hi @lbussell, it means you will check with the Windows container team whether the image has been patched with the update, do I understand correctly? Thanks!

winnie008 commented 6 months ago

Hi @lbussell, are there any updates?

lbussell commented 6 months ago

Hi @winnie008, apologies as things are slow here due to the holidays. New Windows base images were released on 2023-12-12 (December Patch Tuesday), and all of the official .NET Framework images were re-built at the same time. There were no .NET Framework feature updates so the runtime tags remain the same. Can you please try running docker pull mcr.microsoft.com/dotnet/framework/runtime:4.7.2-20231114-windowsservercore-ltsc2019 (or whichever tag you are using) and then check for the vulnerability again? Thanks.
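The check lbussell describes (compare the Windows build carried by the .NET Framework image with the build carried by the Server Core base image, then re-pull and re-check after a Patch Tuesday rebuild) as an added shell example. This is not code from the DockerTools repo, from dotnet-docker, or from anyone in the thread. It assumes a Docker host that can pull Windows container images (a Linux host will fail the pull with "no matching manifest"), reads the OsVersion field that `docker image inspect` exposes for Windows images, and defaults the required build to 10.0.17763.5122, the build the maintainer reported for both images above; the function names and the sample version strings used in the comments are the example's own.

```shell
#!/bin/sh
# Added example, not from the DockerTools or dotnet-docker projects.
# Verifies that the .NET Framework runtime image and the Windows Server Core
# base image carry the same Windows build, and that the build is at or above
# a required patch level. Requires a Docker host able to pull Windows images.

# Windows OsVersion recorded in the image metadata, e.g. 10.0.17763.5122.
# The image must already be present locally (docker pull first).
image_os_version() {
    docker image inspect --format '{{.OsVersion}}' "$1"
}

# Layer view used to confirm the runtime image adds nothing on top of the
# Windows base layer (the comparison lbussell made with docker history).
show_layers() {
    docker history --format '{{.ID}}\t{{.Size}}\t{{.CreatedBy}}' "$1"
}

# Numeric, field-by-field comparison of two dotted version strings.
# Prints -1, 0 or 1; a missing trailing field counts as 0, so
# 10.0.17763 and 10.0.17763.0 compare equal.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        af=${a%%.*}; bf=${b%%.*}
        if [ "$a" = "$af" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$bf" ]; then b=""; else b=${b#*.}; fi
        af=${af:-0}; bf=${bf:-0}
        if [ "$af" -lt "$bf" ]; then printf '%s\n' -1; return; fi
        if [ "$af" -gt "$bf" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# True (exit 0) when version $1 is at or above required build $2.
os_version_at_least() {
    [ "$(version_cmp "$1" "$2")" -ge 0 ]
}

# Pull both images fresh (a rebuilt image keeps the same tag, so a stale local
# copy would mask the fix), then compare builds. Exit 1 on mismatch or an
# image behind the required build, 2 if a pull fails.
check_images() {
    base="mcr.microsoft.com/windows/servercore:ltsc2019-amd64"
    fx="mcr.microsoft.com/dotnet/framework/runtime:4.7.2-20231114-windowsservercore-ltsc2019"
    required="${1:-10.0.17763.5122}"   # build reported in the thread
    docker pull "$base" >/dev/null && docker pull "$fx" >/dev/null || return 2
    bv=$(image_os_version "$base"); fv=$(image_os_version "$fx")
    echo "base image:    $bv"
    echo "runtime image: $fv"
    [ "$bv" = "$fv" ] || { echo "Windows build differs between the two images"; return 1; }
    os_version_at_least "$fv" "$required" || { echo "build $fv is behind required $required"; return 1; }
    echo "OK: both images carry build $fv (>= $required)"
    show_layers "$fx"
}

# Only talk to Docker when explicitly asked, e.g.:
#   sh check_images.sh --run 10.0.17763.5122
case "${1:-}" in
    --run) check_images "${2:-}" ;;
esac
```

Pull before inspecting: the maintainer's point is that the December rebuild reused the 4.7.2-20231114 tag, so an image cached from before 2023-12-12 reports the old build even though the registry already has the patched one. If the two builds still differ after a fresh pull, that is the evidence to take to the Windows container team; if they match and the scanner still flags the image, the finding is the scanner's to explain.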