Why I'm not able to fix a vulnerability in a Debian-based container
juanbrein opened this issue
Juan Paulo Breinlinger commented
Description of Problem / Feature Request
The Dockerfile is based on jenkins/jenkins:2.346.2-lts-jdk11
3 vulnerabilities were found, and their fixes were applied:
# Fix https://security-tracker.debian.org/tracker/CVE-2022-2068
RUN apt update -y && apt install -y openssl libssl1.1:amd64
# Fix https://security-tracker.debian.org/tracker/CVE-2019-8457
RUN dpkg -i /usr/src/libdb5.3_5.3.28+dfsg1-0.10_amd64.deb
# Fix https://security-tracker.debian.org/tracker/CVE-2022-24765
RUN dpkg -i /usr/src/git_2.36.1-1_amd64.deb /usr/src/git-man_2.36.1-1_all.deb
The first one got fixed, but the last two still show up even after installing the fixed versions.
Just for reference, the last two packages were built and COPY'd from another image into this one.
This is happening on ECR
Expected Outcome
No vulnerabilities found after installing the new packages
Actual Outcome
2 vulnerabilities (HIGH) still found
Environment
AWS ECR
Hank Donnay commented
This is not the ECR bug tracker, you should file issues with them.
Clair would flag the packages vulnerable because the Debian data says that every published version is vulnerable.
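The decision Hank describes, as an added example that is not part of the issue, of Clair, or of the Debian tracker: a tracker-driven scanner can only clear a package when the release entry carries a `fixed_version` to compare against. With `status: open` there is no fixed version, so any installed version is reported, including one built from newer upstream sources. The code below implements dpkg's version ordering (epoch, upstream, revision; `~` sorts first; digit runs compare numerically) and applies it to tracker data. The `SAMPLE_TRACKER` dict is constructed to follow the layout of the tracker's JSON export; its statuses and fixed versions are illustrative, not the tracker's real entries, and the release name `bullseye` is an assumption about the base image.

```python
"""Would a Debian-tracker-driven scanner flag an installed package version?

Added example, not code from the issue or from Clair. SAMPLE_TRACKER is
constructed in the shape of https://security-tracker.debian.org/tracker/data/json;
its contents are illustrative only.
"""


def _order(c):
    # dpkg character weights: '~' before everything, letters before punctuation.
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """dpkg's verrevcmp for one fragment (upstream part or Debian revision)."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        # Non-digit run, compared character by character with _order weights.
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia]) if ia < len(a) else 0
            bc = _order(b[ib]) if ib < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            ia += 1
            ib += 1
        # Digit run: drop leading zeros, longer run wins, else first differing digit.
        while ia < len(a) and a[ia] == "0":
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        while ia < len(a) and a[ia].isdigit() and ib < len(b) and b[ib].isdigit():
            if first_diff == 0:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < len(a) and a[ia].isdigit():
            return 1
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff != 0:
            return -1 if first_diff < 0 else 1
    return 0


def _split(version):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def deb_version_cmp(a, b):
    """Return -1, 0 or 1 with dpkg --compare-versions semantics."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def scanner_flags(tracker, package, cve, release, installed):
    """Return (flagged, reason) for `installed`, the way a tracker-fed scanner must decide."""
    entry = tracker.get(package, {}).get(cve)
    if entry is None:
        return False, "no tracker entry for this package/CVE"
    rel = entry.get("releases", {}).get(release)
    if rel is None:
        return False, f"no tracker entry for release {release!r}"
    fixed = rel.get("fixed_version")
    if rel.get("status") != "resolved" or fixed is None:
        # Nothing to compare against: every published version is treated as affected.
        return True, f"status {rel.get('status')!r} in {release}, no fixed version, all versions flagged"
    if deb_version_cmp(installed, fixed) >= 0:
        return False, f"{installed} >= fixed {fixed}"
    return True, f"{installed} < fixed {fixed}"


# Constructed sample in the export's layout; statuses/versions are illustrative.
SAMPLE_TRACKER = {
    "git": {"CVE-2022-24765": {"releases": {
        "bullseye": {"status": "open", "urgency": "not yet assigned",
                     "repositories": {"bullseye": "1:2.30.2-1"}},
        "sid": {"status": "resolved", "fixed_version": "1:2.35.2-1",
                "urgency": "not yet assigned"}}}},
    "db5.3": {"CVE-2019-8457": {"releases": {
        "bullseye": {"status": "open", "urgency": "unimportant",
                     "repositories": {"bullseye": "5.3.28+dfsg1-0.8"}}}}},
}

if __name__ == "__main__":
    for pkg, cve, rel, ver in [("git", "CVE-2022-24765", "bullseye", "1:2.36.1-1"),
                               ("git", "CVE-2022-24765", "sid", "1:2.36.1-1"),
                               ("git", "CVE-2022-24765", "sid", "2.36.1-1"),
                               ("db5.3", "CVE-2019-8457", "bullseye", "5.3.28+dfsg1-0.10")]:
        print(pkg, cve, rel, ver, scanner_flags(SAMPLE_TRACKER, pkg, cve, rel, ver))
```

Two things worth checking against the live tracker before rebuilding packages: whether the release entry is `resolved` with a `fixed_version` at all (if not, a newer `.deb` changes nothing for the scanner), and whether your rebuilt package keeps Debian's epoch, since `2.36.1-1` without the `1:` epoch sorts below `1:2.35.2-1` under dpkg rules even though upstream it is newer.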