
Enhance CVE scanning #3846

Open
Haarolean opened this issue May 19, 2023 · 0 comments
Labels
scope/infrastructure CI / Dev. Env status/accepted An issue which has passed triage and has been accepted type/security Pull requests that address a security vulnerability

Comments

Haarolean (Contributor) commented May 19, 2023

#1661

Consider checking grype; it has reported a lot more CVEs, need to check if it's bs or not.
BS: anchore/grype#1009

% ./grype provectuslabs/kafka-ui:master
 ✔ Vulnerability DB        [updated]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [229 packages]
 ✔ Scanning image...       [28 vulnerabilities]
   ├── 4 critical, 10 high, 14 medium, 0 low, 0 negligible
   └── 0 fixed
NAME                INSTALLED  FIXED-IN  TYPE          VULNERABILITY   SEVERITY
libcrypto1.1        1.1.1t-r3            apk           CVE-2023-0466   Medium
libssl1.1           1.1.1t-r3            apk           CVE-2023-0466   Medium
reactor-netty-core  1.1.6                java-archive  CVE-2014-3488   Medium
reactor-netty-core  1.1.6                java-archive  CVE-2015-2156   High
reactor-netty-core  1.1.6                java-archive  CVE-2019-16869  High
reactor-netty-core  1.1.6                java-archive  CVE-2019-20444  Critical
reactor-netty-core  1.1.6                java-archive  CVE-2019-20445  Critical
reactor-netty-core  1.1.6                java-archive  CVE-2021-21290  Medium
reactor-netty-core  1.1.6                java-archive  CVE-2021-21295  Medium
reactor-netty-core  1.1.6                java-archive  CVE-2021-21409  Medium
reactor-netty-core  1.1.6                java-archive  CVE-2021-37136  High
reactor-netty-core  1.1.6                java-archive  CVE-2021-37137  High
reactor-netty-core  1.1.6                java-archive  CVE-2021-43797  Medium
reactor-netty-core  1.1.6                java-archive  CVE-2022-24823  Medium
reactor-netty-core  1.1.6                java-archive  CVE-2022-41881  High
reactor-netty-http  1.1.6                java-archive  CVE-2014-3488   Medium
reactor-netty-http  1.1.6                java-archive  CVE-2015-2156   High
reactor-netty-http  1.1.6                java-archive  CVE-2019-16869  High
reactor-netty-http  1.1.6                java-archive  CVE-2019-20444  Critical
reactor-netty-http  1.1.6                java-archive  CVE-2019-20445  Critical
reactor-netty-http  1.1.6                java-archive  CVE-2021-21290  Medium
reactor-netty-http  1.1.6                java-archive  CVE-2021-21295  Medium
reactor-netty-http  1.1.6                java-archive  CVE-2021-21409  Medium
reactor-netty-http  1.1.6                java-archive  CVE-2021-37136  High
reactor-netty-http  1.1.6                java-archive  CVE-2021-37137  High
reactor-netty-http  1.1.6                java-archive  CVE-2021-43797  Medium
reactor-netty-http  1.1.6                java-archive  CVE-2022-24823  Medium
reactor-netty-http  1.1.6                java-archive  CVE-2022-41881  High
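The triage the issue asks for (is the extra noise real or not?) is easier to repeat in CI if the scanner's table is parsed and reviewed findings are recorded as an explicit ignore policy rather than eyeballed each run. The following is an added example, not code from the kafka-ui project or from grype: it parses grype's fixed-width table by header column offsets (so the empty FIXED-IN cells do not shift later columns), groups findings per package and severity, and applies ignore rules shaped like the `ignore:` entries of grype's `.grype.yaml` (vulnerability, package name, package version; unspecified fields match anything). The sample table is an excerpt of the scan output quoted above; the ignore rules, the function names and the reason strings are constructed for the example.

```python
"""Triage helper for grype's table output (added example; not kafka-ui or grype code)."""
import re
from collections import Counter, defaultdict

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
VULN_ID = re.compile(r"^(CVE-\d{4}-\d{4,}|GHSA-[\w-]+)$")

# Excerpt of the grype output quoted in the issue (header plus eight findings).
SAMPLE_TABLE = """\
NAME                INSTALLED  FIXED-IN  TYPE          VULNERABILITY   SEVERITY
libcrypto1.1        1.1.1t-r3            apk           CVE-2023-0466   Medium
libssl1.1           1.1.1t-r3            apk           CVE-2023-0466   Medium
reactor-netty-core  1.1.6                java-archive  CVE-2019-20444  Critical
reactor-netty-core  1.1.6                java-archive  CVE-2021-37136  High
reactor-netty-core  1.1.6                java-archive  CVE-2021-43797  Medium
reactor-netty-http  1.1.6                java-archive  CVE-2019-20444  Critical
reactor-netty-http  1.1.6                java-archive  CVE-2021-37136  High
reactor-netty-http  1.1.6                java-archive  CVE-2021-43797  Medium
"""

# Constructed ignore policy. Rules are pinned to the installed version so they
# stop applying (and the findings resurface for review) once the package is
# bumped. "reason" is the reviewer's note, not a field grype evaluates.
IGNORE_RULES = [
    {"package": {"name": "reactor-netty-core", "version": "1.1.6"},
     "reason": "reviewed as a false match; see anchore/grype#1009 cited in the issue"},
    {"package": {"name": "reactor-netty-http", "version": "1.1.6"},
     "reason": "reviewed as a false match; see anchore/grype#1009 cited in the issue"},
]


def parse_grype_table(text):
    """Parse the fixed-width table using the header's column offsets, so an
    empty FIXED-IN cell stays empty instead of shifting the columns after it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    columns = [(m.group(), m.start()) for m in re.finditer(r"\S+", header)]
    records = []
    for row in rows:
        rec = {}
        for i, (name, start) in enumerate(columns):
            end = columns[i + 1][1] if i + 1 < len(columns) else len(row)
            rec[name] = row[start:end].strip()
        # Refuse rows that did not land on the expected columns.
        if not VULN_ID.match(rec["VULNERABILITY"]) or rec["SEVERITY"] not in SEVERITY_RANK:
            raise ValueError(f"unparseable row: {row!r}")
        records.append(rec)
    return records


def rule_matches(rule, rec):
    """Every field named in the rule must match; unnamed fields match anything."""
    if "vulnerability" in rule and rule["vulnerability"] != rec["VULNERABILITY"]:
        return False
    pkg = rule.get("package", {})
    if "name" in pkg and pkg["name"] != rec["NAME"]:
        return False
    if "version" in pkg and pkg["version"] != rec["INSTALLED"]:
        return False
    return True


def apply_ignores(records, rules):
    """Split findings into (kept, ignored) according to the policy."""
    kept, ignored = [], []
    for rec in records:
        (ignored if any(rule_matches(r, rec) for r in rules) else kept).append(rec)
    return kept, ignored


def summarize_by_package(records):
    """Per-package severity histogram: shows which package dominates the count."""
    per_pkg = defaultdict(Counter)
    for rec in records:
        per_pkg[rec["NAME"]][rec["SEVERITY"]] += 1
    return {pkg: dict(counts) for pkg, counts in per_pkg.items()}


def worst_severity(records):
    """Highest severity present, or None for an empty list."""
    return max((r["SEVERITY"] for r in records), key=SEVERITY_RANK.get, default=None)


def triage(text, rules):
    """The numbers a reviewer wants first: how much the policy removes, what is
    left, its worst severity, and how many remaining findings have no fix."""
    records = parse_grype_table(text)
    kept, ignored = apply_ignores(records, rules)
    return {
        "total": len(records),
        "ignored": len(ignored),
        "remaining": len(kept),
        "worst_remaining": worst_severity(kept),
        "no_fix_available": sum(1 for r in kept if not r["FIXED-IN"]),
        "remaining_by_package": summarize_by_package(kept),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TABLE, IGNORE_RULES).items():
        print(f"{key}: {value}")
```

Run on the excerpt, the policy removes the six reactor-netty rows and leaves the two OpenSSL findings at Medium, both with no fixed version listed; the "0 fixed" line in the original scan is itself worth surfacing, since a report where nothing is fixable gives the team nothing to act on until the matches are confirmed. In a real pipeline the same rules would be committed as `.grype.yaml` next to the Dockerfile and the version pin revisited on each dependency bump.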
@Haarolean Haarolean added type/security Pull requests that address a security vulnerability status/accepted An issue which has passed triage and has been accepted scope/infrastructure CI / Dev. Env labels May 19, 2023
@Haarolean Haarolean self-assigned this May 19, 2023
@Haarolean Haarolean removed their assignment May 19, 2023
@github-actions github-actions bot added the status/triage Issues pending maintainers triage label May 19, 2023
@Haarolean Haarolean removed the status/triage Issues pending maintainers triage label May 30, 2023