quay / clair

Vulnerability Static Analysis for Containers

Home Page:https://quay.github.io/clair/

Why I'm not able to fix a vulnerability in a Debian-based container

juanbrein opened this issue · comments

Description of Problem / Feature Request

The Dockerfile is based on jenkins/jenkins:2.346.2-lts-jdk11

3 vulnerabilities were found, and their fixes were applied:

```dockerfile
# Fix https://security-tracker.debian.org/tracker/CVE-2022-2068
RUN apt update -y && apt install -y openssl libssl1.1:amd64

# Fix https://security-tracker.debian.org/tracker/CVE-2019-8457
RUN dpkg -i /usr/src/libdb5.3_5.3.28+dfsg1-0.10_amd64.deb

# Fix https://security-tracker.debian.org/tracker/CVE-2022-24765
RUN dpkg -i /usr/src/git_2.36.1-1_amd64.deb /usr/src/git-man_2.36.1-1_all.deb
```

The first one got fixed, but the last two still show up even after installing the fixed versions.

Just for reference, the last two packages were built in and COPY'd from another image into this one.

This is happening on ECR.

Expected Outcome

No vulnerabilities found after installing the new packages

Actual Outcome

2 vulnerabilities (HIGH) still found

Environment

AWS ECR

This is not the ECR bug tracker; you should file issues with them.

Clair would flag the packages as vulnerable because the Debian data says that every published version is vulnerable.
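To make the matching rule in the reply above concrete, here is an added example (my own code, not Clair's) of how a dpkg-based matcher decides whether an installed version is affected. The `TRACKER` dictionary is constructed sample data shaped like the Debian security tracker's JSON feed (source package, then CVE, then `releases`, then codename with a `status` and, when resolved, a `fixed_version`); the statuses and versions in it are illustrative and are not a claim about the real tracker entries for these CVEs. Version comparison follows dpkg's algorithm (epoch, then upstream version, then Debian revision). Two details a practitioner wants to see: a release entry with status `open` has no `fixed_version`, so every installed version matches no matter what you install; and the feed is keyed by source package name, so `libssl1.1` and `libdb5.3` have to be mapped to `openssl` and `db5.3` before the lookup.

```python
"""Why a scanner keeps flagging a package after a newer .deb is installed.

Added example, not Clair's code. TRACKER below is constructed sample data
shaped like the Debian security tracker JSON feed
(source package -> CVE -> "releases" -> codename -> status / fixed_version);
the statuses and versions are illustrative, not a statement about the real
tracker entries for these CVEs.
"""


def _order(c):
    """Character weight dpkg uses for the non-digit parts of a version string."""
    if c == "~":
        return -1            # '~' sorts before everything, even end of string
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)        # letters sort before punctuation
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's verrevcmp(): compare alternating non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":   # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():  # longer digit run wins
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def dpkg_compare(v1, v2):
    """Negative if v1 < v2, zero if equal, positive if v1 > v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def is_vulnerable(installed, entry):
    """Decide from one release entry of the feed.

    'open' means no fix has been published, so every installed version
    matches (the behaviour described in the reply above). 'resolved' compares
    the installed version against fixed_version. Treating any other status as
    not affected is an assumption of this example, not Clair's documented rule.
    """
    if entry.get("status") == "open":
        return True
    if entry.get("status") == "resolved" and "fixed_version" in entry:
        return dpkg_compare(installed, entry["fixed_version"]) < 0
    return False


def scan(installed, tracker, release):
    """installed: {source package: dpkg version}; returns sorted (pkg, cve) findings."""
    findings = []
    for pkg, version in installed.items():
        for cve, rec in tracker.get(pkg, {}).items():
            entry = rec.get("releases", {}).get(release)
            if entry and is_vulnerable(version, entry):
                findings.append((pkg, cve))
    return sorted(findings)


# Constructed sample feed (see module docstring). Keys are *source* package
# names: binary libssl1.1 belongs to source "openssl", libdb5.3 to "db5.3".
TRACKER = {
    "openssl": {"CVE-2022-2068": {"releases": {"bullseye": {
        "status": "resolved", "fixed_version": "1.1.1n-0+deb11u3"}}}},
    "db5.3": {"CVE-2019-8457": {"releases": {"bullseye": {"status": "open"}}}},
    "git": {"CVE-2022-24765": {"releases": {"bullseye": {"status": "open"}}}},
}

# Constructed package inventories for the image before and after the fixes.
BEFORE = {"openssl": "1.1.1n-0+deb11u2", "db5.3": "5.3.28+dfsg1-0.8", "git": "1:2.30.2-1"}
AFTER = {"openssl": "1.1.1n-0+deb11u3", "db5.3": "5.3.28+dfsg1-0.10", "git": "2.36.1-1"}

if __name__ == "__main__":
    print("before:", scan(BEFORE, TRACKER, "bullseye"))
    print("after: ", scan(AFTER, TRACKER, "bullseye"))
    # Epoch trap: when the distro package carries an epoch (1:2.30.2-1 in this
    # constructed inventory), an upstream-built 2.36.1-1 without one sorts lower.
    print("2.36.1-1 > 1:2.30.2-1 ?", dpkg_compare("2.36.1-1", "1:2.30.2-1") > 0)
```

Running it shows the openssl finding disappearing once the installed version reaches `fixed_version`, while the two `open` entries are reported regardless of the version installed. The epoch check at the end is a separate caveat worth knowing when you sideload a locally built .deb: even where a fix is published, a version without an epoch compares lower than any distro version that has one, so the matcher will still report it.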