CBL-Mariner2.0 reporting security vulnerability [CVE-2024-45490] #5957
Unanswered. Kalpana1596 asked this question in Q&A. Replies: 1 comment, 2 replies.
@Kalpana1596, which image layer are you running? Component-detection uses anchore/syft for checking components of container images. To validate your fixes locally, build your image and then test it yourself by running: docker run --rm -v /var/run/docker.sock:/var/run/docker.sock anchore/syft scan $YOUR_TAG |
We've encountered an issue with Component Governance in our project, specifically with the Mariner 2.0 image. The governance tool flagged several packages as vulnerable, and despite upgrading them to the recommended versions, our pipeline continues to report the presence of these vulnerable packages.
Affected Packages and Versions:
expat: Upgraded from 2.6.2-2.cm2 to 2.6.3-1.cm2
curl: Upgraded from 8.8.0-1.cm2 to 8.8.0-2.cm2
Attempted Resolution: We explicitly upgraded the mentioned packages to the versions recommended by the Component Governance tool to address the vulnerabilities.
Further Steps: Following a suggestion from the Component Governance Team, we utilized the https://github.com/microsoft/component-detection/tree/main tool to scan our project. The scan results showed both the old and new versions of the packages, which is puzzling.
How can we remove any dependencies on the vulnerable packages through docker directives?
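The puzzling symptom in the question is a scan that lists both the old and the new version of a package, and the reply's suggestion is to run syft against the built image. The script below is an added example, not code from the discussion or from the component-detection project: it takes syft's default table output (NAME, VERSION, TYPE columns) and reports every package that is present in more than one version, plus a helper that answers whether one specific package version is still in the image. The sample scan text is constructed to mimic syft's table format and is not a real scan result; the package upgrade itself (a RUN step using Mariner's package manager) is assumed to have happened earlier in the Dockerfile and is outside this script.

```shell
#!/bin/sh
# Added example: inspect a syft table scan for packages that show up in more
# than one version. Constructed sample output, modelled on syft's default
# "NAME VERSION TYPE" table; it is NOT output from a real image.
SAMPLE_SYFT_OUTPUT='NAME      VERSION       TYPE
curl      8.8.0-1.cm2   rpm
curl      8.8.0-2.cm2   rpm
expat     2.6.3-1.cm2   rpm
openssl   3.0.13-1.cm2  rpm'

# duplicate_versions: read syft table output on stdin and print
# "name: version1 version2 ..." for every package present more than once.
# The header line (NR == 1) is skipped; output is sorted so it is stable.
duplicate_versions() {
    awk 'NR > 1 && NF >= 2 {
            versions[$1] = (versions[$1] == "") ? $2 : (versions[$1] " " $2)
            count[$1]++
         }
         END {
            for (p in count) if (count[p] > 1) print p ": " versions[p]
         }' | sort
}

# has_version PACKAGE VERSION: exit 0 if that exact package version is still
# listed in the scan on stdin, 1 otherwise. Useful as a pipeline gate after
# an upgrade: the old version must be gone, the new one present.
has_version() {
    awk -v p="$1" -v v="$2" \
        'NR > 1 && $1 == p && $2 == v { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Against a real image (not run here; $YOUR_TAG is the image tag you built):
#   docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
#       anchore/syft scan "$YOUR_TAG" | duplicate_versions
printf '%s\n' "$SAMPLE_SYFT_OUTPUT" | duplicate_versions
```

On the constructed sample this prints `curl: 8.8.0-1.cm2 8.8.0-2.cm2`, the same shape of result the question describes: the upgraded version is installed, but the older one has not left the image, so the scanner keeps reporting it. Checking the old version with `has_version` in CI makes that condition fail the build instead of surfacing later in Component Governance.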