Why I'm not able to fix a vulnerability in debian based container

Question

Why I'm not able to fix a vulnerability in debian based container

juanbrein opened this issue 2 years ago · comments

Juan Paulo Breinlinger commented 2 years ago

Description of Problem / Feature Request

The Dockerfile is based on jenkins/jenkins:2.346.2-lts-jdk11

3 Vulnerabilities found, and their fixes were applied:

# Fix https://security-tracker.debian.org/tracker/CVE-2022-2068
RUN apt update -y && apt install -y openssl libssl1.1:amd64

# Fix https://security-tracker.debian.org/tracker/CVE-2019-8457
RUN dpkg -i /usr/src/libdb5.3_5.3.28+dfsg1-0.10_amd64.deb

# Fix https://security-tracker.debian.org/tracker/CVE-2022-24765
RUN dpkg -i /usr/src/git_2.36.1-1_amd64.deb  /usr/src/git-man_2.36.1-1_all.deb

The first one got fixed, but the last 2 still show even after installing the fixed versions.

Just for reference the last two packages where built and COPY from another image into this one.

This is happening on ECR

Expected Outcome

No vulnerabilities found after installing the new packages

Actual Outcome

2 vulnerabilities (HIGH) still found

Environment

AWS ECR

Juan Paulo Breinlinger · Answer 1 · Thu Jul 21 2022 00:05:31 GMT+0800 (China Standard Time)

Juan Paulo Breinlinger commented 2 years ago

Hank Donnay · Answer 2 · Thu Jul 21 2022 00:24:19 GMT+0800 (China Standard Time)

This is not the ECR bug tracker, you should file issues with them.

Clair would flag the packages vulnerable because the Debian data says that every published version is vulnerable.