tenable / terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
https://runterrascan.io
Apache License 2.0

Missing docker image for 1.19.1 #1674

Open parse opened 6 months ago

parse commented 6 months ago

Description

The latest tag published at https://hub.docker.com/r/tenable/terrascan/tags is 1.18.11. It looks like the latest release published was 1.19.1. Can you publish this one as a Docker image as well?

Thanks

nvuillam commented 5 months ago

Same here, MegaLinter is using tenable:terrascan docker image, and 1.18.11 contains CVEs

┌────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-3817  │ CRITICAL │ fixed  │ v1.7.0            │ 1.7.4         │ HashiCorp’s go-getter library is vulnerable to argument      │
│                                │                │          │        │                   │               │ injection ...                                                │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-3817                    │
├────────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/moby/buildkit       │ CVE-2024-23652 │          │        │ v0.8.3            │ 0.12.5        │ moby/buildkit: possible host system access from mount stub   │
│                                │                │          │        │                   │               │ cleaner                                                      │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-23652                   │
│                                ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                                │ CVE-2024-23653 │          │        │                   │               │ moby/buildkit: Buildkit's interactive containers API does    │
│                                │                │          │        │                   │               │ not validate entitlements check                              │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-23653                   │
│                                ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│                                │ CVE-2024-23651 │ HIGH     │        │                   │               │ moby/buildkit: possible race condition with accessing        │
│                                │                │          │        │                   │               │ subpaths from cache mounts                                   │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-23651                   │
├────────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ helm.sh/helm/v3                │ CVE-2024-26147 │          │        │ v3.6.1            │ 3.14.2        │ helm: Missing YAML Content Leads To Panic                    │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-26147                   │
└─────────────────────
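The situation in this thread (a new upstream release exists, but the registry still only carries an older image with known CVEs) is easy to catch automatically. The following script is an added example, not code from terrascan or MegaLinter: it compares the newest stable GitHub release of a project against the tags published for its container image and reports the release that is still missing an image and how many stable releases the newest published image is behind. The two payloads are constructed samples shaped like the GitHub releases API and the Docker Hub tags API; the endpoint URLs in the comments are the ones such a check would query and are assumptions, not part of the issue.

```python
"""Detect drift between a project's GitHub releases and its published image tags.

Added example (not part of the terrascan project). The JSON payloads below are
constructed samples mirroring the shape of:
  https://api.github.com/repos/<owner>/<repo>/releases        (assumed endpoint)
  https://hub.docker.com/v2/repositories/<ns>/<repo>/tags      (assumed endpoint)
In a real pipeline you would fetch these with requests/urllib and feed them in.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

Version = Tuple[int, int, int]

# Constructed sample: newest stable release is 1.19.1, 1.19.0 is a pre-release.
GITHUB_RELEASES: List[Dict] = [
    {"tag_name": "v1.19.1", "draft": False, "prerelease": False},
    {"tag_name": "v1.19.0", "draft": False, "prerelease": True},
    {"tag_name": "v1.18.11", "draft": False, "prerelease": False},
    {"tag_name": "v1.18.3", "draft": False, "prerelease": False},
]

# Constructed sample: registry only has images up to 1.18.11 (plus a floating "latest").
DOCKERHUB_TAGS: Dict = {
    "results": [{"name": "latest"}, {"name": "1.18.11"}, {"name": "1.18.3"}]
}

# Accept "1.2.3" and "v1.2.3"; floating tags such as "latest" are deliberately ignored
# because they say nothing about which release they were built from.
SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(tag: str) -> Optional[Version]:
    """Turn a tag string into a comparable (major, minor, patch) tuple, or None."""
    match = SEMVER.match(tag.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def stable_release_versions(releases: Iterable[Dict]) -> List[Version]:
    """Versions of releases that are neither drafts nor pre-releases, newest first."""
    versions = []
    for release in releases:
        if release.get("draft") or release.get("prerelease"):
            continue
        version = parse_version(release["tag_name"])
        if version is not None:
            versions.append(version)
    return sorted(versions, reverse=True)


def published_image_versions(tags_payload: Dict) -> Set[Version]:
    """Semver-looking tags present in the registry; "latest" and friends drop out."""
    found = set()
    for tag in tags_payload.get("results", []):
        version = parse_version(tag["name"])
        if version is not None:
            found.add(version)
    return found


def missing_image(releases: Iterable[Dict], tags_payload: Dict) -> Optional[Version]:
    """Newest stable release that has no matching image tag, or None if in sync."""
    stable = stable_release_versions(releases)
    if not stable:
        return None
    newest = stable[0]
    return None if newest in published_image_versions(tags_payload) else newest


def releases_behind(releases: Iterable[Dict], tags_payload: Dict) -> int:
    """How many stable releases are newer than the newest published image."""
    stable = stable_release_versions(releases)
    published = published_image_versions(tags_payload)
    newest_image = max((v for v in stable if v in published), default=None)
    if newest_image is None:
        return len(stable)
    return sum(1 for v in stable if v > newest_image)


def format_version(version: Version) -> str:
    return ".".join(str(part) for part in version)


if __name__ == "__main__":
    gap = missing_image(GITHUB_RELEASES, DOCKERHUB_TAGS)
    if gap is None:
        print("image tags are in sync with releases")
    else:
        print(f"no image for release {format_version(gap)}; registry is "
              f"{releases_behind(GITHUB_RELEASES, DOCKERHUB_TAGS)} stable release(s) behind")
```

Run periodically (a scheduled CI job works) and fail the job when `missing_image` returns a version: the same check that would have flagged the 1.18.11/1.19.1 gap the day the release went out, rather than weeks later when a scanner surfaces the CVEs in the stale image. Pre-releases and drafts are skipped on purpose so that an unpublished release candidate does not raise a false alarm.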
nvuillam commented 5 months ago

@nmoretenable please could we have an ETA for the published docker image? :)

choweiyuan commented 3 months ago

@nmoretenable Any updates on this? As mentioned by nvuillam it would be beneficial to address this as version 1.18.11 includes a CVE.

nmoretenable commented 2 weeks ago

We have published terrascan v1.19.9. Please check.