Closed SaptarshiSarkar12 closed 1 week ago
@SaptarshiSarkar12 Oracle Linux reports vulnerabilities in a way that causes false positives, you can see troubleshooting for more info https://project-copacetic.github.io/copacetic/website/next/troubleshooting
Hi @ashnamehrotra :wave:! So, if all the unfixed CVEs are false positives, then, is it safe to close them as false positives? Is Trivy responsible for reporting the false positives that Oracle Linux passes to it?
@SaptarshiSarkar12 yes that is correct. If you run the resulting patched image from the update all/no scanner approach and check for gnutls package updates, it will show that there are no upgrades available to patch.
@ashnamehrotra Okay. Thank you
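One way to turn the verification step from the thread (run the patched image and check whether the package manager can actually deliver the version Trivy calls "fixed") into a repeatable check. This is an added example, not code from the thread or from the Copacetic project: it parses a Trivy JSON report, compares each finding's `FixedVersion` against the newest version the image's repository offers using an RPM-style epoch/version/release comparison, and separates findings Copa can patch from findings whose fix only exists as a different build stream. The report, CVE ids, package versions, the `AVAILABLE` dictionary and the `_fips` release suffix are all constructed placeholders, not values from the issue.

```python
"""Cross-check a Trivy JSON report against what the image's package repository
can actually install, so that "fixed" versions that exist only in another build
stream (the FIPS case discussed in this issue) are separated from findings that
a package upgrade can really address."""
import json
import re
from collections import Counter

# Constructed, shortened Trivy JSON report. It follows the top-level shape of
# `trivy image --format json` output, but every id and version is a placeholder.
SAMPLE_REPORT = """{
  "Results": [{
    "Target": "example-image (oracle 9)",
    "Vulnerabilities": [
      {"VulnerabilityID": "CVE-0000-0001", "PkgName": "krb5-libs",
       "InstalledVersion": "1.20.1-9.el9", "FixedVersion": "1.21.1-1.el9"},
      {"VulnerabilityID": "CVE-0000-0002", "PkgName": "krb5-libs",
       "InstalledVersion": "1.20.1-9.el9", "FixedVersion": "1.21.1-1.el9"},
      {"VulnerabilityID": "CVE-0000-0003", "PkgName": "gnutls",
       "InstalledVersion": "3.7.6-23.el9", "FixedVersion": "10:3.7.6-23.el9_fips"}
    ]
  }]
}"""

# Constructed stand-in for what the package manager inside the patched image
# reports as the newest installable version of each package (the "check for
# package updates" step from the thread). In practice, collect this from the
# running image; here gnutls has no upgrade at all, matching the thread.
AVAILABLE = {"krb5-libs": "1.21.1-1.el9", "gnutls": "3.7.6-23.el9"}

_TOKEN = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Compare two RPM version (or release) strings the way rpmvercmp does:
    alphanumeric runs are compared pairwise, digit runs numerically, letter
    runs lexically, a digit run outranks a letter run, and the string with
    runs left over wins. Returns -1, 0 or 1. Tilde/caret handling is omitted
    (assumption: it does not occur in these version strings)."""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(ta) > len(tb)) - (len(ta) < len(tb))


def split_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def compare_evr(a, b):
    """Full RPM ordering: epoch first, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def classify(report_json, available):
    """For every finding, decide whether the repository can deliver the fix.
    Returns (cve, package, fixed versions, status) tuples in report order."""
    rows = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            pkg = v["PkgName"]
            # Trivy may list several comma-separated fixed versions; any of
            # them being installable is enough to call the finding patchable.
            fixed = [f.strip() for f in (v.get("FixedVersion") or "").split(",") if f.strip()]
            if not fixed:
                status = "no fix published"
            elif pkg not in available:
                status = "package not in repo view"
            elif any(compare_evr(available[pkg], f) >= 0 for f in fixed):
                status = "patchable"
            else:
                status = "fixed version not available (probable false positive)"
            rows.append((v["VulnerabilityID"], pkg, ", ".join(fixed), status))
    return rows


def summarize(rows):
    """Count findings per status, e.g. {'patchable': 2, ...}."""
    return dict(Counter(status for _, _, _, status in rows))


if __name__ == "__main__":
    result_rows = classify(SAMPLE_REPORT, AVAILABLE)
    for cve, pkg, fixed, status in result_rows:
        print(f"{cve:14} {pkg:10} fixed in {fixed:22} -> {status}")
    print(summarize(result_rows))
```

Findings whose fixed version is unreachable from the repository are the ones to treat as probable false positives (and to document as such when closing them); the patchable ones should disappear from a re-scan of the patched image, which is a cheap way to confirm Copa did its part.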
Version of copa
v0.7.0-50-gf32017a
Expected Behavior
Copa should be able to fix all the vulnerabilities reported by Trivy.
Actual Behavior
Trivy had reported 5 vulnerabilities which are fixed already. Trivy created a JSON file with details of the vulnerabilities and on passing it to Copa for patching the image, it patched only 2 (the `krb-5` package vulnerabilities) out of the 5 vulnerabilities. Why couldn't it patch the `gnutls` package vulnerability? I saw that the fixed versions (that copa couldn't patch) were FIPS packages. I want to know more about FIPS packages that Copa is failing to patch. Is there any concern about the vulnerabilities that have their fixed version as FIPS packages? Or are they false positives?

Unfixed CVEs links:
Steps To Reproduce
1. Pull the `ghcr.io/saptarshisarkar12/drifty-cli:master` docker image. Alternatively, you can also pull its base image `oraclelinux:9-slim`.
2. `trivy image --ignore-unfixed --format json --output drifty-cli.master.json ghcr.io/saptarshisarkar12/drifty-cli:master` to generate a report of fixed CVEs in JSON format.
3. `docker run --detach --rm --privileged --name buildkitd --entrypoint buildkitd moby/buildkit:v0.15.2` to start `buildkitd` daemon in detached mode.
4. `copa patch -i ghcr.io/saptarshisarkar12/drifty-gui:master -r drifty-gui.master.json -t master-patched --addr docker-container://buildkitd --ignore-errors` to patch the image.
5. `krb-5`).

Are you willing to submit PRs to contribute to this bug fix?