Description
This should never happen. The scanners are reporting false positives (in part) due to stale dependencies.
This has been reported multiple times. I'm starting a new tracking issue. There are lots of scanners. I'm using Docker Scout because it is easy for me to use. Nice product!
.NET SDK 8.0.203 image:
There is a mixture of .NET SDK, PowerShell (due to .NET dependencies), and Debian CVEs.
.NET SDK 8.0.300-preview.24201.7 (from https://github.com/dotnet/installer?tab=readme-ov-file#table):
A number of the (false positive) .NET CVEs are resolved in 8.0.300, which should be released in May.
Outstanding issues:
- CVE-2023-29331
  - System.Security.Cryptography.Pkcs 7.0.0
    - /usr/share/dotnet/sdk/8.0.300-preview.24201.7/DotnetTools/dotnet-watch/8.0.300-preview.24201.10/tools/net8.0/any/BuildHost-netcore/Microsoft.CodeAnalysis.Workspaces.MSBuild.BuildHost.deps.json
- CVE-2024-0057
  - NuGet.Packaging 6.7.0.127
    - /usr/share/powershell/.store/powershell.linux.x64/7.4.1/powershell.linux.x64/7.4.1/tools/net8.0/any/Modules/Microsoft.PowerShell.PSResourceGet/dependencies/NuGet.Packaging.dll
    - /usr/share/powershell/.store/powershell.linux.x64/7.4.1/powershell.linux.x64/7.4.1/tools/net8.0/any/Modules/Microsoft.PowerShell.PSResourceGet/_manifest/spdx_2.2/manifest.spdx.json
- CVE-2024-0056
  - System.Data.SqlClient 4.8.5
    - /usr/share/powershell/.store/powershell.linux.x64/7.4.1/powershell.linux.x64/7.4.1/tools/net8.0/any/Modules/PSReadLine/_manifest/spdx_2.2/manifest.spdx.json
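The findings above come from the scanner reading package versions out of .deps.json files and SPDX 2.2 manifests inside the image. As an added triage helper (not code from this issue or the dotnet project), the script below extracts those declared versions and flags any that sit below a fix version, so a reported path can be checked by hand. The sample manifests are constructed, and the fix-version map is an illustrative placeholder rather than advisory data.

```python
"""Triage helper: list the package versions a scanner reads from .NET
dependency metadata and flag those below a fix version.
Sample manifests are constructed; FIXED_IN_PLACEHOLDER is an assumption."""
import json

def versions_from_deps_json(text):
    """Return {name: version} from the 'libraries' section of a .deps.json.
    Keys look like 'NuGet.Packaging/6.7.0'; 'project' entries are the app
    itself, not a dependency, so they are skipped."""
    out = {}
    for key, lib in json.loads(text).get("libraries", {}).items():
        if lib.get("type") == "project":
            continue
        name, _, version = key.partition("/")
        out[name] = version
    return out

def versions_from_spdx(text):
    """Return {name: version} from an SPDX 2.2 JSON manifest's 'packages'."""
    return {p["name"]: p.get("versionInfo", "")
            for p in json.loads(text).get("packages", []) if "name" in p}

def parse_version(v):
    """'6.7.0.127' -> (6, 7, 0, 127); non-numeric parts compare as 0."""
    return tuple(int(x) if x.isdigit() else 0 for x in v.split("."))

def flag_stale(found, fixed_in):
    """Return sorted [(name, found_version, fixed_version)] for packages
    whose declared version is below the version listed as fixed."""
    return sorted((n, v, fixed_in[n]) for n, v in found.items()
                  if n in fixed_in and parse_version(v) < parse_version(fixed_in[n]))

def triage(manifests, fixed_in):
    """manifests: {path: file text}. Parser is chosen by file name."""
    report = {}
    for path, text in manifests.items():
        parse = versions_from_deps_json if path.endswith(".deps.json") else versions_from_spdx
        hits = flag_stale(parse(text), fixed_in)
        if hits:
            report[path] = hits
    return report

# Constructed samples modelled on the file kinds named in the findings.
DEPS_JSON_SAMPLE = json.dumps({"libraries": {
    "dotnet-watch/8.0.300": {"type": "project"},
    "NuGet.Packaging/6.7.0": {"type": "package", "serviceable": True},
    "System.Security.Cryptography.Pkcs/7.0.0": {"type": "package"}}})
SPDX_SAMPLE = json.dumps({"spdxVersion": "SPDX-2.2", "packages": [
    {"name": "System.Data.SqlClient", "SPDXID": "SPDXRef-1", "versionInfo": "4.8.5"},
    {"name": "NuGet.Packaging", "SPDXID": "SPDXRef-2", "versionInfo": "6.7.0"}]})
# Illustrative thresholds only; look up the real fixed versions in each advisory.
FIXED_IN_PLACEHOLDER = {"NuGet.Packaging": "6.8.0", "System.Data.SqlClient": "4.8.6",
                        "System.Security.Cryptography.Pkcs": "7.0.2"}
```

Run `triage({"a.deps.json": DEPS_JSON_SAMPLE, "manifest.spdx.json": SPDX_SAMPLE}, FIXED_IN_PLACEHOLDER)` to get a per-file list of packages below the threshold; a path absent from the report declares no version below the given fixes.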
The remaining Debian issues are low severity; at the time of writing, some have a fix available and some do not:
The CVE with a fix available should be resolved the next time we rebuild our Debian images.