Docker Scan reporting vulnerabilities #57

Open
kevinkirkup opened this issue Jun 23, 2022 · 0 comments
Comments

@kevinkirkup

Docker Scan is reporting security vulnerabilities due to the version of alpine being deployed.

❯ docker scan weaveworks/prom-aggregation-gateway:master-c4415bbe

Testing weaveworks/prom-aggregation-gateway:master-c4415bbe...

✗ Low severity vulnerability found in openssl/libcrypto1.1
  Description: Inadequate Encryption Strength
  Info: https://snyk.io/vuln/SNYK-ALPINE310-OPENSSL-1075742
  Introduced through: openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0, apk-tools/apk-tools@2.10.4-r2, libtls-standalone/libtls-standalone@2.9.1-r0
  From: openssl/libcrypto1.1@1.1.1g-r0
  From: openssl/libssl1.1@1.1.1g-r0 > openssl/libcrypto1.1@1.1.1g-r0
  From: apk-tools/apk-tools@2.10.4-r2 > openssl/libcrypto1.1@1.1.1g-r0
  and 4 more...
  Fixed in: 1.1.1j-r0

✗ Medium severity vulnerability found in openssl/libcrypto1.1
  Description: NULL Pointer Dereference
  Info: https://snyk.io/vuln/SNYK-ALPINE310-OPENSSL-1051928
  Introduced through: openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0, apk-tools/apk-tools@2.10.4-r2, libtls-standalone/libtls-standalone@2.9.1-r0
  From: openssl/libcrypto1.1@1.1.1g-r0
  From: openssl/libssl1.1@1.1.1g-r0 > openssl/libcrypto1.1@1.1.1g-r0
  From: apk-tools/apk-tools@2.10.4-r2 > openssl/libcrypto1.1@1.1.1g-r0
  and 4 more...
  Fixed in: 1.1.1i-r0

✗ Medium severity vulnerability found in openssl/libcrypto1.1
  Description: NULL Pointer Dereference
  Info: https://snyk.io/vuln/SNYK-ALPINE310-OPENSSL-1075740
  Introduced through: openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0, apk-tools/apk-tools@2.10.4-r2, libtls-standalone/libtls-standalone@2.9.1-r0
  From: openssl/libcrypto1.1@1.1.1g-r0
  From: openssl/libssl1.1@1.1.1g-r0 > openssl/libcrypto1.1@1.1.1g-r0
  From: apk-tools/apk-tools@2.10.4-r2 > openssl/libcrypto1.1@1.1.1g-r0
  and 4 more...
  Fixed in: 1.1.1j-r0

✗ Medium severity vulnerability found in openssl/libcrypto1.1
  Description: NULL Pointer Dereference
  Info: https://snyk.io/vuln/SNYK-ALPINE310-OPENSSL-1089243
  Introduced through: openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0, apk-tools/apk-tools@2.10.4-r2, libtls-standalone/libtls-standalone@2.9.1-r0
  From: openssl/libcrypto1.1@1.1.1g-r0
  From: openssl/libssl1.1@1.1.1g-r0 > openssl/libcrypto1.1@1.1.1g-r0
  From: apk-tools/apk-tools@2.10.4-r2 > openssl/libcrypto1.1@1.1.1g-r0
  and 4 more...
  Fixed in: 1.1.1k-r0

✗ Medium severity vulnerability found in musl/musl
  Description: Out-of-bounds Write
  Info: https://snyk.io/vuln/SNYK-ALPINE310-MUSL-1042764
  Introduced through: musl/musl@1.1.22-r3, busybox/busybox@1.30.1-r3, alpine-baselayout/alpine-baselayout@3.1.2-r0, openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0, zlib/zlib@1.2.11-r1, apk-tools/apk-tools@2.10.4-r2, libtls-standalone/libtls-standalone@2.9.1-r0, busybox/ssl_client@1.30.1-r3, musl/musl-utils@1.1.22-r3, pax-utils/scanelf@1.2.3-r0, libc-dev/libc-utils@0.7.1-r0
  From: musl/musl@1.1.22-r3
  From: busybox/busybox@1.30.1-r3 > musl/musl@1.1.22-r3
  From: alpine-baselayout/alpine-baselayout@3.1.2-r0 > musl/musl@1.1.22-r3
  and 10 more...
  Fixed in: 1.1.22-r4

✗ High severity vulnerability found in openssl/libcrypto1.1
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE310-OPENSSL-1075741
  Introduced through: openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0, apk-tools/apk-tools@2.10.4-r2, libtls-standalone/libtls-standalone@2.9.1-r0
  From: openssl/libcrypto1.1@1.1.1g-r0
  From: openssl/libssl1.1@1.1.1g-r0 > openssl/libcrypto1.1@1.1.1g-r0
  From: apk-tools/apk-tools@2.10.4-r2 > openssl/libcrypto1.1@1.1.1g-r0
  and 4 more...
  Fixed in: 1.1.1j-r0

✗ High severity vulnerability found in openssl/libcrypto1.1
  Description: Improper Certificate Validation
  Info: https://snyk.io/vuln/SNYK-ALPINE310-OPENSSL-1089244
  Introduced through: openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0, apk-tools/apk-tools@2.10.4-r2, libtls-standalone/libtls-standalone@2.9.1-r0
  From: openssl/libcrypto1.1@1.1.1g-r0
  From: openssl/libssl1.1@1.1.1g-r0 > openssl/libcrypto1.1@1.1.1g-r0
  From: apk-tools/apk-tools@2.10.4-r2 > openssl/libcrypto1.1@1.1.1g-r0
  and 4 more...
  Fixed in: 1.1.1k-r0

✗ High severity vulnerability found in busybox/busybox
  Description: Improper Handling of Exceptional Conditions
  Info: https://snyk.io/vuln/SNYK-ALPINE310-BUSYBOX-1090151
  Introduced through: busybox/busybox@1.30.1-r3, alpine-baselayout/alpine-baselayout@3.1.2-r0, busybox/ssl_client@1.30.1-r3
  From: busybox/busybox@1.30.1-r3
  From: alpine-baselayout/alpine-baselayout@3.1.2-r0 > busybox/busybox@1.30.1-r3
  From: busybox/ssl_client@1.30.1-r3
  Fixed in: 1.30.1-r5

✗ High severity vulnerability found in apk-tools/apk-tools
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-ALPINE310-APKTOOLS-1246341
  Introduced through: apk-tools/apk-tools@2.10.4-r2
  From: apk-tools/apk-tools@2.10.4-r2
  Fixed in: 2.10.6-r0

✗ Critical severity vulnerability found in apk-tools/apk-tools
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-ALPINE310-APKTOOLS-1534688
  Introduced through: apk-tools/apk-tools@2.10.4-r2
  From: apk-tools/apk-tools@2.10.4-r2
  Fixed in: 2.10.7-r0
kevinkirkup added a commit to kevinkirkup/prom-aggregation-gateway that referenced this issue Jun 23, 2022
Updating the `alpine` base image version to resolve security issues
identified by `docker scan`
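The report above is only useful if someone turns it into an action list: which packages, which minimum version, and whether the rebuilt image actually clears every finding. The script below is an added example (not code from the prom-aggregation-gateway project or from Snyk's tooling) that parses the `docker scan` text format shown in the issue into structured findings, computes the highest "Fixed in" version per package, and checks a map of installed versions against those fixes. `SAMPLE` is a constructed, abbreviated copy of the report format in the issue; all function names are my own, and the Alpine version comparison is a deliberate simplification that handles the `1.1.1k-r0` style seen here but not every apk suffix (`_p`, `_pre`, `_git`).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the `docker scan` (Snyk) text format from the issue, cut to three findings.
SAMPLE = """\
Testing weaveworks/prom-aggregation-gateway:master-c4415bbe...

✗ Low severity vulnerability found in openssl/libcrypto1.1
  Description: Inadequate Encryption Strength
  Info: https://snyk.io/vuln/SNYK-ALPINE310-OPENSSL-1075742
  Introduced through: openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0
  From: openssl/libcrypto1.1@1.1.1g-r0
  From: openssl/libssl1.1@1.1.1g-r0 > openssl/libcrypto1.1@1.1.1g-r0
  Fixed in: 1.1.1j-r0

✗ High severity vulnerability found in openssl/libcrypto1.1
  Description: Improper Certificate Validation
  Info: https://snyk.io/vuln/SNYK-ALPINE310-OPENSSL-1089244
  Introduced through: openssl/libcrypto1.1@1.1.1g-r0
  From: openssl/libcrypto1.1@1.1.1g-r0
  Fixed in: 1.1.1k-r0

✗ Critical severity vulnerability found in apk-tools/apk-tools
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-ALPINE310-APKTOOLS-1534688
  Introduced through: apk-tools/apk-tools@2.10.4-r2
  From: apk-tools/apk-tools@2.10.4-r2
  Fixed in: 2.10.7-r0
"""

HEADER = re.compile(r"^✗ (\w+) severity vulnerability found in (\S+)$")
FIELD = re.compile(r"^\s+(Description|Info|Fixed in|From): (.*)$")
_TOKEN = re.compile(r"\d+|[a-z]+")


@dataclass
class Finding:
    severity: str
    package: str
    description: str = ""
    info: str = ""
    installed: Optional[str] = None  # version of `package` taken from the first "From:" path
    fixed_in: Optional[str] = None


def parse_scan(text: str) -> List[Finding]:
    """Turn the human-readable scan report into one Finding per "✗" block."""
    findings: List[Finding] = []
    current: Optional[Finding] = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = Finding(severity=m.group(1), package=m.group(2))
            findings.append(current)
            continue
        m = FIELD.match(line) if current else None
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Description":
            current.description = value
        elif key == "Info":
            current.info = value
        elif key == "Fixed in":
            current.fixed_in = value
        elif key == "From" and current.installed is None:
            # The vulnerable package is the last hop of the dependency path.
            name, _, version = value.split(" > ")[-1].rpartition("@")
            if name == current.package:
                current.installed = version
    return findings


def _version_key(version: str):
    # "1.1.1k-r0" -> upstream tokens [(0,1),(0,1),(0,1),(1,"k")] plus package release 0.
    # Numeric and alphabetic runs are tagged so Python never compares int with str.
    upstream, _, release = version.partition("-r")
    toks = [(0, int(t)) if t.isdigit() else (1, t) for t in _TOKEN.findall(upstream)]
    return toks, int(release or 0)


def compare_alpine_versions(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b (simplified apk ordering)."""
    ka, kb = _version_key(a), _version_key(b)
    return (ka > kb) - (ka < kb)


def minimum_fixed_versions(findings: List[Finding]) -> Dict[str, str]:
    """Highest "Fixed in" per package: upgrading to it closes every listed finding for it."""
    out: Dict[str, str] = {}
    for f in findings:
        if f.fixed_in and (f.package not in out or compare_alpine_versions(f.fixed_in, out[f.package]) > 0):
            out[f.package] = f.fixed_in
    return out


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def still_vulnerable(findings: List[Finding], installed: Dict[str, str]) -> List[Finding]:
    """Findings whose fix is newer than what `installed` (e.g. from `apk list -I` on the rebuilt image) carries."""
    return [f for f in findings if f.fixed_in and f.package in installed
            and compare_alpine_versions(installed[f.package], f.fixed_in) < 0]


if __name__ == "__main__":
    found = parse_scan(SAMPLE)
    print(severity_counts(found))
    for pkg, ver in sorted(minimum_fixed_versions(found).items()):
        print(f"{pkg}: upgrade to >= {ver}")
```

Pipe a real report through `parse_scan` and feed `still_vulnerable` the package list from the rebuilt image; an empty result is the evidence that the base-image bump closed the findings rather than just changed the version string.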