Open: parse opened this issue 6 months ago
Same here, MegaLinter is using the tenable:terrascan Docker image, and 1.18.11 contains CVEs:
| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title | Reference |
|---|---|---|---|---|---|---|---|
| github.com/hashicorp/go-getter | CVE-2024-3817 | CRITICAL | fixed | v1.7.0 | 1.7.4 | HashiCorp's go-getter library is vulnerable to argument injection ... | https://avd.aquasec.com/nvd/cve-2024-3817 |
| github.com/moby/buildkit | CVE-2024-23652 | CRITICAL | fixed | v0.8.3 | 0.12.5 | moby/buildkit: possible host system access from mount stub cleaner | https://avd.aquasec.com/nvd/cve-2024-23652 |
| github.com/moby/buildkit | CVE-2024-23653 | CRITICAL | fixed | v0.8.3 | 0.12.5 | moby/buildkit: Buildkit's interactive containers API does not validate entitlements check | https://avd.aquasec.com/nvd/cve-2024-23653 |
| github.com/moby/buildkit | CVE-2024-23651 | HIGH | fixed | v0.8.3 | 0.12.5 | moby/buildkit: possible race condition with accessing subpaths from cache mounts | https://avd.aquasec.com/nvd/cve-2024-23651 |
| helm.sh/helm/v3 | CVE-2024-26147 | HIGH | fixed | v3.6.1 | 3.14.2 | helm: Missing YAML Content Leads To Panic | https://avd.aquasec.com/nvd/cve-2024-26147 |
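The scan table above is the kind of output a consumer of the image would feed into a CI gate: block on HIGH/CRITICAL findings that already have a fixed version (so the maintainer can resolve them by rebuilding with updated dependencies), and separately flag when the newest Docker Hub tag lags the latest GitHub release. The following is an added example, not code from the issue, from MegaLinter or from the terrascan project. The sample report is constructed by hand to mirror the five findings in the table and follows the shape of Trivy's JSON output (`trivy image --format json ...`); the tag list and release version are likewise constructed, and `image_lags_release` is a hypothetical helper whose inputs would come from the Docker Hub tags API and the GitHub releases API in a real pipeline.

```python
"""CI gate for a Trivy image scan plus a check that the published Docker
tag is not behind the project's latest release.

Added example, not part of the original issue or the terrascan project.
"""
import json
import re

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report: shape of Trivy's JSON output, values copied
# from the scan table in the issue.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "tenable/terrascan:1.18.11",
    "Results": [{
        "Target": "terrascan",
        "Class": "lang-pkgs",
        "Type": "gobinary",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-3817", "PkgName": "github.com/hashicorp/go-getter",
             "InstalledVersion": "v1.7.0", "FixedVersion": "1.7.4", "Severity": "CRITICAL", "Status": "fixed"},
            {"VulnerabilityID": "CVE-2024-23652", "PkgName": "github.com/moby/buildkit",
             "InstalledVersion": "v0.8.3", "FixedVersion": "0.12.5", "Severity": "CRITICAL", "Status": "fixed"},
            {"VulnerabilityID": "CVE-2024-23653", "PkgName": "github.com/moby/buildkit",
             "InstalledVersion": "v0.8.3", "FixedVersion": "0.12.5", "Severity": "CRITICAL", "Status": "fixed"},
            {"VulnerabilityID": "CVE-2024-23651", "PkgName": "github.com/moby/buildkit",
             "InstalledVersion": "v0.8.3", "FixedVersion": "0.12.5", "Severity": "HIGH", "Status": "fixed"},
            {"VulnerabilityID": "CVE-2024-26147", "PkgName": "helm.sh/helm/v3",
             "InstalledVersion": "v3.6.1", "FixedVersion": "3.14.2", "Severity": "HIGH", "Status": "fixed"},
        ],
    }],
})


def fixable_findings(report_json, min_severity="HIGH"):
    """Return (package, CVE, severity, fixed_version) for every finding at or
    above min_severity that already has a FixedVersion. Findings without a
    fix are excluded so the gate only blocks on what a rebuild can resolve."""
    threshold = SEVERITY_RANK[min_severity]
    out = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if not v.get("FixedVersion"):
                continue
            out.append((v["PkgName"], v["VulnerabilityID"], v["Severity"], v["FixedVersion"]))
    return out


def parse_version(tag):
    """'v1.19.1' or '1.18.11' -> (1, 19, 1); None for non-release tags such as 'latest'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def image_lags_release(docker_tags, latest_release):
    """Hypothetical helper: True when no published Docker tag is >= the
    latest GitHub release. Tags that are not x.y.z versions are ignored."""
    release = parse_version(latest_release)
    published = [parse_version(t) for t in docker_tags]
    newest = max((p for p in published if p is not None), default=None)
    return newest is None or newest < release


def scan_gate_exit_code(report_json, min_severity="HIGH"):
    """1 when fixable findings remain (the behaviour of `trivy --exit-code 1`), else 0."""
    return 1 if fixable_findings(report_json, min_severity) else 0


if __name__ == "__main__":
    for pkg, cve, sev, fixed in fixable_findings(SAMPLE_REPORT):
        print(f"{sev:8} {cve:15} {pkg} -> fixed in {fixed}")
    # Constructed tag list mirroring the situation described in the issue.
    tags = ["latest", "1.18.11", "1.18.10"]
    print("image lags release:", image_lags_release(tags, "v1.19.1"))
    print("gate exit code:", scan_gate_exit_code(SAMPLE_REPORT))
```

Filtering on `FixedVersion` matters in practice: Trivy also reports findings with no upstream fix, and a gate that blocks on those cannot be satisfied by the image maintainer at all, so they belong in a separate report rather than in the build-breaking check.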
@nmoretenable please could we have an ETA for the published Docker image? :)
@nmoretenable Any updates on this? As mentioned by nvuillam, it would be beneficial to address this, as version 1.18.11 includes a CVE.
We have published terrascan v1.19.9. Please check.
Description
The latest tag published at https://hub.docker.com/r/tenable/terrascan/tags is 1.18.11. It looks like the latest release published was 1.19.1. Can you publish this one as a Docker image as well?
Thanks