
False positive vulnerabilities reported #11097

Open
kropiwnickij opened this issue Nov 15, 2024 · 2 comments
Labels
question Further information is requested

Comments

@kropiwnickij

Dear Team,

After a detailed investigation of the Docker container vulnerabilities reported under microsoft/openjdk-docker#113, it appears that the ones with critical and high severity were actually detected against the krb5 package, and are in fact resolved.

When we look at the discovered CVE https://nvd.nist.gov/vuln/detail/cve-2024-37371, NVD gives the fix as a higher version, as mentioned in "In MIT Kerberos 5 (aka krb5) before 1.21.3".

When we check the details, this specific CVE has already been resolved in the patches mentioned by @d3r3kk in microsoft/openjdk-docker#113 (comment).

The challenge is that security scanners compare the package version from NVD:

Known Affected Software Configurations
Up to (excluding)
1.21.3

to the system-level package version; hence this CVE is still discovered, because Mariner used a "patched release", not a new version, to resolve the issue:

Version : 1.19.4
Release : 3.cm2

Is this approach of having custom release versions of a system package standard for Mariner, or can we expect Mariner to soon bump the krb5 version to align with the official one, which has this CVE resolved?

We are trying to understand how to investigate container security reports without custom rules for Mariner-based images for each CVE that is fixed but cannot be automatically discovered.

Regards
Jan
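To make the mismatch described above concrete, here is an added example (not code from this issue, from Mariner, or from any scanner vendor). It compares package versions the way rpm's EVR ordering does, runs the upstream-only check the reporter describes (installed version against NVD's "Up to (excluding) 1.21.3"), and then runs the same check against a distro fix table that records which package release first carries the backported patch. The NVD range and the installed `1.19.4-3.cm2` package come from the page; the `DISTRO_FIXES` table and the other installed EVRs are constructed assumptions for the example, standing in for what a scanner would take from the distribution's own advisory feed.

```python
import re
from typing import NamedTuple


class EVR(NamedTuple):
    epoch: int
    version: str
    release: str


def parse_evr(s: str) -> EVR:
    """Parse 'epoch:version-release' (epoch and release optional), as rpm does."""
    epoch = 0
    if ":" in s:
        e, s = s.split(":", 1)
        epoch = int(e)
    version, _, release = s.partition("-")
    return EVR(epoch, version, release)


def rpmvercmp(a: str, b: str) -> int:
    """Subset of rpm's rpmvercmp(): split into digit/alpha runs and compare segment-wise.

    Numeric runs compare numerically, alpha runs lexically, numeric beats alpha,
    and the string with segments left over is newer. Tilde/caret handling is omitted.
    Returns -1, 0 or 1.
    """
    if a == b:
        return 0
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
            continue
        if xd != yd:
            return 1 if xd else -1
        return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1


def evrcmp(a: str, b: str) -> int:
    """Full epoch:version-release ordering: epoch first, then version, then release."""
    ea, eb = parse_evr(a), parse_evr(b)
    if ea.epoch != eb.epoch:
        return -1 if ea.epoch < eb.epoch else 1
    c = rpmvercmp(ea.version, eb.version)
    if c:
        return c
    return rpmvercmp(ea.release, eb.release)


# NVD-style range for CVE-2024-37371, as quoted on the page: "Up to (excluding) 1.21.3".
NVD_RANGE = {"CVE-2024-37371": {"product": "krb5", "version_end_excluding": "1.21.3"}}

# Constructed, hypothetical distro fix table (NOT real Mariner advisory data):
# the first package EVR that carries the backported fix for a given CVE.
DISTRO_FIXES = {("krb5", "CVE-2024-37371"): "1.19.4-3.cm2"}


def naive_scan(cve: str, pkg: str, installed_evr: str) -> bool:
    """Upstream-only matching: vulnerable if installed *version* < NVD's end-excluding version.

    The release field is ignored entirely, so a patch shipped as a release bump is invisible.
    """
    rng = NVD_RANGE[cve]
    if rng["product"] != pkg:
        return False
    installed_version = parse_evr(installed_evr).version
    return rpmvercmp(installed_version, rng["version_end_excluding"]) < 0


def distro_aware_scan(cve: str, pkg: str, installed_evr: str) -> bool:
    """Prefer the distro's fixed EVR when one is published; otherwise fall back to the NVD range."""
    fixed = DISTRO_FIXES.get((pkg, cve))
    if fixed is not None:
        return evrcmp(installed_evr, fixed) < 0
    return naive_scan(cve, pkg, installed_evr)


if __name__ == "__main__":
    # "1.19.4-3.cm2" is the installed package from the page; the other two are assumed for contrast.
    for installed in ("1.19.4-3.cm2", "1.19.4-2.cm2", "1.21.3-1.cm2"):
        print(installed,
              "naive:", naive_scan("CVE-2024-37371", "krb5", installed),
              "distro-aware:", distro_aware_scan("CVE-2024-37371", "krb5", installed))
```

Running it shows the reporter's situation in the first row: the upstream-only check flags `1.19.4-3.cm2` because `1.19.4 < 1.21.3`, while the release-aware check clears it because the installed EVR is at or above the fixed EVR. The second row (an older release of the same version) stays flagged under both checks, which is the case a release-aware feed must still catch; the third row shows that a genuine upstream version bump satisfies both checks without any special rule.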

@kropiwnickij (Author)

Any update on this please?

@jperrin (Contributor)

jperrin commented Dec 14, 2024

We're working with scanning vendors to get this false positive corrected. You're right in that it's patched already, but it may take some time for the tooling to resolve correctly.
