request: vulnerability fix #1
Comments
It should be possible to avoid it by bumping it in the config.
Dear Paolo, many thanks for your suggestion and rapid response. I have been able to rebuild the container with the version that you indicated and can confirm that the specific CVEs above have been cleared by this. However, the report indicates that the org.json/json 20230227 package is vulnerable as per: This is the same vulnerability that I have reported in nf-schema here. I believe that the same fix will apply to these and other Nextflow plugins that use the org.json/json 20230227 package. I hope this information proves useful.
Tagging @arnaualcazar for visibility
I am happy to share my Dockerfile and/or scan report outputs if this will help.
Sure, that's welcome.
No problem, here is the Dockerfile:
And here are the Docker Scout reports:
docker scout cves local://nextflow:update
i New version 1.9.3 available (installed version is 1.8.0) at https://github.com/docker/scout-cli
✓ SBOM of image already cached, 501 packages indexed
✗ Detected 17 vulnerable packages with a total of 23 vulnerabilities
## Overview
│ Analyzed Image
────────────────────┼──────────────────────────────
Target │ local://nextflow:update
digest │ f31a0bff97a4
platform │ linux/amd64
vulnerabilities │ 0C 2H 5M 16L
size │ 394 MB
packages │ 501
## Packages and Vulnerabilities
0C 1H 0M 0L software.amazon.ion/ion-java 1.0.2
pkg:maven/software.amazon.ion/ion-java@1.0.2
✗ HIGH CVE-2024-21634 [Allocation of Resources Without Limits or Throttling]
https://scout.docker.com/v/CVE-2024-21634
Affected range : <1.10.5
Fixed version : not fixed
CVSS Score : 7.5
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0C 1H 0M 0L org.json/json 20230227
pkg:maven/org.json/json@20230227
✗ HIGH CVE-2023-5072 [Improperly Implemented Security Check for Standard]
https://scout.docker.com/v/CVE-2023-5072
Affected range : <=20230618
Fixed version : 20231013
0C 0H 1M 2L krb5 1.20.1-6ubuntu2
pkg:deb/ubuntu/krb5@1.20.1-6ubuntu2?os_distro=noble&os_name=ubuntu&os_version=24.04
✗ MEDIUM CVE-2024-26462
https://scout.docker.com/v/CVE-2024-26462
Affected range : >=0
Fixed version : not fixed
✗ LOW CVE-2024-26461
https://scout.docker.com/v/CVE-2024-26461
Affected range : >=0
Fixed version : not fixed
✗ LOW CVE-2024-26458
https://scout.docker.com/v/CVE-2024-26458
Affected range : >=0
Fixed version : not fixed
0C 0H 1M 0L xz-utils 5.6.1+really5.4.5-1
pkg:deb/ubuntu/xz-utils@5.6.1%2Breally5.4.5-1?os_distro=noble&os_name=ubuntu&os_version=24.04
✗ MEDIUM CVE-2020-22916
https://scout.docker.com/v/CVE-2020-22916
Affected range : >=0
Fixed version : not fixed
CVSS Score : 5.5
CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
0C 0H 1M 0L jline/jline 2.9
pkg:maven/jline/jline@2.9
✗ MEDIUM CVE-2013-2035 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
https://scout.docker.com/v/CVE-2013-2035
Affected range : <=2.10
Fixed version : 2.11
CVSS Score : 4.4
CVSS Vector : AV:L/AC:M/Au:N/C:P/I:P/A:P
0C 0H 1M 0L libgcrypt20 1.10.3-2build1
pkg:deb/ubuntu/libgcrypt20@1.10.3-2build1?os_distro=noble&os_name=ubuntu&os_version=24.04
✗ MEDIUM CVE-2024-2236
https://scout.docker.com/v/CVE-2024-2236
Affected range : >=0
Fixed version : not fixed
0C 0H 1M 0L pixman 0.42.2-1build1
pkg:deb/ubuntu/pixman@0.42.2-1build1?os_distro=noble&os_name=ubuntu&os_version=24.04
✗ MEDIUM CVE-2023-37769
https://scout.docker.com/v/CVE-2023-37769
Affected range : >=0
Fixed version : not fixed
CVSS Score : 6.5
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
0C 0H 0M 3L cairo 1.18.0-3build1
pkg:deb/ubuntu/cairo@1.18.0-3build1?os_distro=noble&os_name=ubuntu&os_version=24.04
✗ LOW CVE-2019-6461
https://scout.docker.com/v/CVE-2019-6461
Affected range : >=0
Fixed version : not fixed
CVSS Score : 6.5
CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
✗ LOW CVE-2018-18064
https://scout.docker.com/v/CVE-2018-18064
Affected range : >=0
Fixed version : not fixed
CVSS Score : 6.5
CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
✗ LOW CVE-2017-7475
https://scout.docker.com/v/CVE-2017-7475
Affected range : >=0
Fixed version : not fixed
CVSS Score : 5.5
CVSS Vector : CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
0C 0H 0M 3L openssl 3.0.13-0ubuntu3.1
pkg:deb/ubuntu/openssl@3.0.13-0ubuntu3.1?os_distro=noble&os_name=ubuntu&os_version=24.04
✗ LOW CVE-2024-4741
https://scout.docker.com/v/CVE-2024-4741
Affected range : >=0
Fixed version : not fixed
✗ LOW CVE-2024-4603
https://scout.docker.com/v/CVE-2024-4603
Affected range : >=0
Fixed version : not fixed
✗ LOW CVE-2024-2511
https://scout.docker.com/v/CVE-2024-2511
Affected range : >=0
Fixed version : not fixed
0C 0H 0M 1L coreutils 9.4-3ubuntu6
pkg:deb/ubuntu/coreutils@9.4-3ubuntu6?os_distro=noble&os_name=ubuntu&os_version=24.04
✗ LOW CVE-2016-2781
https://scout.docker.com/v/CVE-2016-2781
Affected range : >=0
Fixed version : not fixed
CVSS Score : 6.5
CVSS Vector : CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
0C 0H 0M 1L gnupg2 2.4.4-2ubuntu17
pkg:deb/ubuntu/gnupg2@2.4.4-2ubuntu17?os_distro=noble&os_name=ubuntu&os_version=24.04
✗ LOW CVE-2022-3219
https://scout.docker.com/v/CVE-2022-3219
Affected range : >=0
Fixed version : not fixed
CVSS Score : 3.3
CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
0C 0H 0M 1L dbus 1.14.10-4ubuntu4
pkg:deb/ubuntu/dbus@1.14.10-4ubuntu4?os_distro=noble&os_name=ubuntu&os_version=24.04
✗ LOW CVE-2023-34969
https://scout.docker.com/v/CVE-2023-34969
Affected range : >=0
Fixed version : not fixed
CVSS Score : 6.5
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
0C 0H 0M 1L harfbuzz 8.3.0-2build2
pkg:deb/ubuntu/harfbuzz@8.3.0-2build2?os_distro=noble&os_name=ubuntu&os_version=24.04
✗ LOW CVE-2023-25193
https://scout.docker.com/v/CVE-2023-25193
Affected range : >=0
Fixed version : not fixed
CVSS Score : 7.5
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0C 0H 0M 1L libpng1.6 1.6.43-5build1
pkg:deb/ubuntu/libpng1.6@1.6.43-5build1?os_distro=noble&os_name=ubuntu&os_version=24.04
✗ LOW CVE-2022-3857
https://scout.docker.com/v/CVE-2022-3857
Affected range : >=0
Fixed version : not fixed
CVSS Score : 5.5
CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
0C 0H 0M 1L giflib 5.2.2-1ubuntu1
pkg:deb/ubuntu/giflib@5.2.2-1ubuntu1?os_distro=noble&os_name=ubuntu&os_version=24.04
✗ LOW CVE-2023-48161
https://scout.docker.com/v/CVE-2023-48161
Affected range : >=0
Fixed version : not fixed
CVSS Score : 7.1
CVSS Vector : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
0C 0H 0M 1L glibc 2.39-0ubuntu8.2
pkg:deb/ubuntu/glibc@2.39-0ubuntu8.2?os_distro=noble&os_name=ubuntu&os_version=24.04
✗ LOW CVE-2016-20013
https://scout.docker.com/v/CVE-2016-20013
Affected range : >=0
Fixed version : not fixed
CVSS Score : 7.5
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0C 0H 0M 1L tiff 4.5.1+git230720-4ubuntu2.1
pkg:deb/ubuntu/tiff@4.5.1%2Bgit230720-4ubuntu2.1?os_distro=noble&os_name=ubuntu&os_version=24.04
✗ LOW CVE-2018-10126
https://scout.docker.com/v/CVE-2018-10126
Affected range : >=0
Fixed version : not fixed
CVSS Score : 6.5
CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
23 vulnerabilities found in 17 packages
LOW 16
MEDIUM 5
HIGH 2
CRITICAL 0
I hope this information proves helpful.
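A triage pass over a report like the one above, added here as an example that is not part of the thread, of Docker Scout, or of the Nextflow project. Most of the 23 findings are Ubuntu packages the distribution has not fixed yet ("Fixed version : not fixed"), which a plugin maintainer cannot close by editing a build config; only the findings that carry a fixed version are actionable by a dependency bump. The script parses the text layout shown in the thread (an assumption; the layout is taken from the pasted output, not from a documented schema), splits findings by ecosystem from the purl, and derives the minimum upgrade per package. The embedded report is a constructed excerpt of the entries above, and the version-comparison key is a simple numeric heuristic, not a full version parser.

```python
"""Triage a Docker Scout text report: which findings can a dependency bump close?"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt mirroring the layout pasted in the thread (assumption:
# package header, purl line, then one or more finding blocks per package).
SAMPLE_REPORT = """\
0C 1H 0M 0L software.amazon.ion/ion-java 1.0.2
pkg:maven/software.amazon.ion/ion-java@1.0.2
✗ HIGH CVE-2024-21634 [Allocation of Resources Without Limits or Throttling]
https://scout.docker.com/v/CVE-2024-21634
Affected range : <1.10.5
Fixed version : not fixed
CVSS Score : 7.5
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0C 1H 0M 0L org.json/json 20230227
pkg:maven/org.json/json@20230227
✗ HIGH CVE-2023-5072 [Improperly Implemented Security Check for Standard]
https://scout.docker.com/v/CVE-2023-5072
Affected range : <=20230618
Fixed version : 20231013
0C 0H 1M 2L krb5 1.20.1-6ubuntu2
pkg:deb/ubuntu/krb5@1.20.1-6ubuntu2?os_distro=noble&os_name=ubuntu&os_version=24.04
✗ MEDIUM CVE-2024-26462
https://scout.docker.com/v/CVE-2024-26462
Affected range : >=0
Fixed version : not fixed
0C 0H 1M 0L jline/jline 2.9
pkg:maven/jline/jline@2.9
✗ MEDIUM CVE-2013-2035 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
https://scout.docker.com/v/CVE-2013-2035
Affected range : <=2.10
Fixed version : 2.11
CVSS Score : 4.4
CVSS Vector : AV:L/AC:M/Au:N/C:P/I:P/A:P
"""


@dataclass
class Finding:
    package: str            # e.g. "org.json/json"
    version: str            # installed version from the package header
    ecosystem: str          # purl type: "maven", "deb", ...
    severity: str
    cve: str
    affected: str = ""
    fixed: str = ""         # empty when the scanner reports "not fixed"
    cvss: Optional[float] = None


PKG_RE = re.compile(r"^\d+C \d+H \d+M \d+L (\S+) (\S+)$")
PURL_RE = re.compile(r"^pkg:([a-z0-9]+)/")
VULN_RE = re.compile(r"^[✗x] (CRITICAL|HIGH|MEDIUM|LOW|UNSPECIFIED) (\S+)")


def parse_scout_report(text: str) -> List[Finding]:
    """Walk the report line by line, keeping the current package as context."""
    findings: List[Finding] = []
    package = version = None
    ecosystem = "unknown"
    cur: Optional[Finding] = None
    for raw in text.splitlines():
        line = raw.strip()           # real output is indented; the paste is not
        m = PKG_RE.match(line)
        if m:
            package, version = m.group(1), m.group(2)
            ecosystem, cur = "unknown", None
            continue
        m = PURL_RE.match(line)
        if m:
            ecosystem = m.group(1)
            continue
        m = VULN_RE.match(line)
        if m:
            if package is None:      # finding outside any package block: skip
                continue
            cur = Finding(package, version, ecosystem, m.group(1), m.group(2))
            findings.append(cur)
        elif cur is not None and line.startswith("Affected range"):
            cur.affected = line.split(":", 1)[1].strip()
        elif cur is not None and line.startswith("Fixed version"):
            value = line.split(":", 1)[1].strip()
            cur.fixed = "" if value == "not fixed" else value
        elif cur is not None and line.startswith("CVSS Score"):
            cur.cvss = float(line.split(":", 1)[1].strip())
    return findings


def _vkey(v: str) -> Tuple[int, ...]:
    """Heuristic ordering key: compare the numeric components only."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def actionable(findings: List[Finding]) -> List[Finding]:
    """Findings a dependency bump can close: the scanner names a fixed version."""
    return [f for f in findings if f.fixed]


def upgrade_plan(findings: List[Finding]) -> Dict[Tuple[str, str], str]:
    """(ecosystem, package) -> highest fixed version among its fixable findings."""
    plan: Dict[Tuple[str, str], str] = {}
    for f in actionable(findings):
        key = (f.ecosystem, f.package)
        if key not in plan or _vkey(f.fixed) > _vkey(plan[key]):
            plan[key] = f.fixed
    return plan


def summarize(findings: List[Finding]) -> Dict[str, Tuple[int, int]]:
    """ecosystem -> (total findings, findings with a fixed version)."""
    out: Dict[str, Tuple[int, int]] = {}
    for f in findings:
        total, fixable = out.get(f.ecosystem, (0, 0))
        out[f.ecosystem] = (total + 1, fixable + (1 if f.fixed else 0))
    return out


if __name__ == "__main__":
    fs = parse_scout_report(SAMPLE_REPORT)
    for (eco, pkg), ver in upgrade_plan(fs).items():
        print(f"{eco}: bump {pkg} to {ver}")
    for eco, (total, fixable) in summarize(fs).items():
        print(f"{eco}: {fixable}/{total} findings have a fixed version")
```

Run against the full pasted report, the Maven bucket is where a plugin maintainer can act (org.json and jline have fixed versions), while ion-java and every deb finding come back as "not fixed" and need either a base-image change or a documented acceptance rather than a config bump.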
Following the inclusion of your plugin within a Nextflow (24.04.2) container that I am building, a scan of the container detected an issue with the following packages:
The associated CVE for io.netty, outlined here, has been reported to be patched in v4.1.100.Final.
And for ion-java the CVE is here; from the report, the current patch may not apply to this vulnerability, but it will be worth keeping an eye on.
The vulnerability was reported by Docker Scout v1.8.0.
Would it be possible to apply the relevant patch for this vulnerability in nf-amazon?
Many thanks for your assistance with this.