Dear Team,
After a detailed investigation of the Docker container vulnerabilities reported under microsoft/openjdk-docker#113, it appears that the ones with critical and high severity were actually detected against the krb5 package, and are in fact resolved.
When we look at the discovered CVE https://nvd.nist.gov/vuln/detail/cve-2024-37371, NVD provides the solution with a higher version, as mentioned: "In MIT Kerberos 5 (aka krb5) before 1.21.3".
When we check the details, this specific CVE has already been resolved in the patches mentioned by @d3r3kk in microsoft/openjdk-docker#113 (comment).
The challenge is that security scanners compare the package version from NVD:
Known Affected Software Configurations
Up to (excluding)
1.21.3
to the system-level package version; hence this CVE is still discovered, because Mariner used a "patched release", not the version, to resolve the issue:
Version : 1.19.4
Release : 3.cm2
Is this approach of having custom release versions of a system package a standard approach for Mariner, or can we expect Mariner to soon have the krb5 version bumped to be aligned with the official one, which has this CVE resolved?
We are trying to understand how to investigate container security reports without custom rules for Mariner-based images for each CVE that is fixed but cannot be automatically discovered.
Regards
Jan
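The mismatch the issue describes, shown as an added example that is not part of the issue, of the openjdk-docker project or of Mariner's tooling: an RPM-style comparison of the installed krb5 version against the NVD "fixed in 1.21.3" range flags the package, while a comparison of the full version-release string against a distribution advisory that names the backported fix does not. The advisory mapping (CVE-2024-37371 fixed in krb5 1.19.4-3.cm2) is a constructed assumption for illustration, not quoted from a real CBL-Mariner advisory; the version comparison is a simplified port of rpmvercmp that handles numeric and alphabetic segments and the tilde marker.

```python
import re

# Simplified rpmvercmp: split into numeric / alphabetic / '~' segments and compare
# segment by segment (numbers numerically, letters lexically, '~' sorts before anything).
_SEG = re.compile(r"(\d+|[a-zA-Z]+|~)")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b under RPM version rules."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~" or y == "~":
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
            continue  # "01" == "1"
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alpha segment
        return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    longer_is_a = len(sa) > len(sb)
    rest = sa[len(sb):] if longer_is_a else sb[len(sa):]
    if rest[0] == "~":  # a trailing '~' suffix (e.g. 1.0~rc1) sorts below the bare version
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (epoch, version, release); epoch and release are optional."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Compare two epoch:version-release strings the way rpm orders packages."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def scan(cve: str, package: str, installed_nevr: str, nvd_fixed_version: str, distro_advisories: dict) -> dict:
    """Return both verdicts: the NVD upstream-range comparison and the distro-advisory comparison."""
    _, installed_version, _ = parse_evr(installed_nevr)
    # What a naive scanner does: compare the bare upstream version against the NVD 'up to (excluding)' bound.
    upstream_vulnerable = compare_evr(installed_version, nvd_fixed_version) < 0
    # What a distro-aware scanner does: compare the full NEVR against the release the distro says carries the fix.
    fixed_nevr = distro_advisories.get(cve, {}).get(package)
    distro_vulnerable = None if fixed_nevr is None else compare_evr(installed_nevr, fixed_nevr) < 0
    return {
        "cve": cve,
        "package": package,
        "installed": installed_nevr,
        "upstream_range_says_vulnerable": upstream_vulnerable,
        "distro_advisory_says_vulnerable": distro_vulnerable,
    }


# Constructed sample data mirroring the issue. The advisory entry is an ASSUMPTION
# (hypothetical fixed release), not a quote from a real distribution feed.
NVD_FIXED_VERSION = "1.21.3"                     # NVD: affected "up to (excluding) 1.21.3"
INSTALLED_KRB5 = "1.19.4-3.cm2"                  # Version : 1.19.4 / Release : 3.cm2
DISTRO_ADVISORIES = {"CVE-2024-37371": {"krb5": "1.19.4-3.cm2"}}  # assumed backport release


if __name__ == "__main__":
    for nevr in (INSTALLED_KRB5, "1.19.4-2.cm2"):
        print(scan("CVE-2024-37371", "krb5", nevr, NVD_FIXED_VERSION, DISTRO_ADVISORIES))
```

For the installed 1.19.4-3.cm2 the upstream-range check reports vulnerable while the advisory check reports fixed; for an older 1.19.4-2.cm2 build both agree it is vulnerable, which is the distinction a scanner needs the distribution's own feed to make. On a running image the same question can be asked directly with `rpm -q --changelog krb5` and a search for the CVE identifier in that changelog, rather than by comparing the version string against the NVD range.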