Open majewsky opened 5 years ago
I can confirm this. Currently there is a Vulnerabilty in systemd in the debian:9 image, howerver I do an apt-get upgrade in my images which upgrades to a fixed version. Still klar reports the error in the base layer.
Same problem here, for glibc and systemd
The image
debian:stretch-slim
from Docker Hub, as of now, has a vulnerable glibc version:My own image is based on that, but I do
apt update
as part of the image build process, so the final image has the fixed version:However, klar still reports glibc as being vulnerable against the same CVEs. I checked with mitmproxy: klar uploads all layers of the image, but then only asks for the vulnerabilities of the first layer and stops there (presumably because it found vulnerabilities).
I'm not entirely sure if I'm holding something wrong here, because it doesn't make sense to me that Klar looks for vulnerabilities in the base layer. I'm not running the base layer, I'm running the entire image only.