Docker Scan reporting vulnerabilities #57

@kevinkirkup

Description

Docker Scan is reporting security vulnerabilities due to the version of Alpine being deployed.

❯ docker scan weaveworks/prom-aggregation-gateway:master-c4415bbe

Testing weaveworks/prom-aggregation-gateway:master-c4415bbe...

✗ Low severity vulnerability found in openssl/libcrypto1.1
  Description: Inadequate Encryption Strength
  Info: https://snyk.io/vuln/SNYK-ALPINE310-OPENSSL-1075742
  Introduced through: openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0, apk-tools/apk-tools@2.10.4-r2, libtls-standalone/libtls-standalone@2.9.1-r0
  From: openssl/libcrypto1.1@1.1.1g-r0
  From: openssl/libssl1.1@1.1.1g-r0 > openssl/libcrypto1.1@1.1.1g-r0
  From: apk-tools/apk-tools@2.10.4-r2 > openssl/libcrypto1.1@1.1.1g-r0
  and 4 more...
  Fixed in: 1.1.1j-r0

✗ Medium severity vulnerability found in openssl/libcrypto1.1
  Description: NULL Pointer Dereference
  Info: https://snyk.io/vuln/SNYK-ALPINE310-OPENSSL-1051928
  Introduced through: openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0, apk-tools/apk-tools@2.10.4-r2, libtls-standalone/libtls-standalone@2.9.1-r0
  From: openssl/libcrypto1.1@1.1.1g-r0
  From: openssl/libssl1.1@1.1.1g-r0 > openssl/libcrypto1.1@1.1.1g-r0
  From: apk-tools/apk-tools@2.10.4-r2 > openssl/libcrypto1.1@1.1.1g-r0
  and 4 more...
  Fixed in: 1.1.1i-r0

✗ Medium severity vulnerability found in openssl/libcrypto1.1
  Description: NULL Pointer Dereference
  Info: https://snyk.io/vuln/SNYK-ALPINE310-OPENSSL-1075740
  Introduced through: openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0, apk-tools/apk-tools@2.10.4-r2, libtls-standalone/libtls-standalone@2.9.1-r0
  From: openssl/libcrypto1.1@1.1.1g-r0
  From: openssl/libssl1.1@1.1.1g-r0 > openssl/libcrypto1.1@1.1.1g-r0
  From: apk-tools/apk-tools@2.10.4-r2 > openssl/libcrypto1.1@1.1.1g-r0
  and 4 more...
  Fixed in: 1.1.1j-r0

✗ Medium severity vulnerability found in openssl/libcrypto1.1
  Description: NULL Pointer Dereference
  Info: https://snyk.io/vuln/SNYK-ALPINE310-OPENSSL-1089243
  Introduced through: openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0, apk-tools/apk-tools@2.10.4-r2, libtls-standalone/libtls-standalone@2.9.1-r0
  From: openssl/libcrypto1.1@1.1.1g-r0
  From: openssl/libssl1.1@1.1.1g-r0 > openssl/libcrypto1.1@1.1.1g-r0
  From: apk-tools/apk-tools@2.10.4-r2 > openssl/libcrypto1.1@1.1.1g-r0
  and 4 more...
  Fixed in: 1.1.1k-r0

✗ Medium severity vulnerability found in musl/musl
  Description: Out-of-bounds Write
  Info: https://snyk.io/vuln/SNYK-ALPINE310-MUSL-1042764
  Introduced through: musl/musl@1.1.22-r3, busybox/busybox@1.30.1-r3, alpine-baselayout/alpine-baselayout@3.1.2-r0, openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0, zlib/zlib@1.2.11-r1, apk-tools/apk-tools@2.10.4-r2, libtls-standalone/libtls-standalone@2.9.1-r0, busybox/ssl_client@1.30.1-r3, musl/musl-utils@1.1.22-r3, pax-utils/scanelf@1.2.3-r0, libc-dev/libc-utils@0.7.1-r0
  From: musl/musl@1.1.22-r3
  From: busybox/busybox@1.30.1-r3 > musl/musl@1.1.22-r3
  From: alpine-baselayout/alpine-baselayout@3.1.2-r0 > musl/musl@1.1.22-r3
  and 10 more...
  Fixed in: 1.1.22-r4

✗ High severity vulnerability found in openssl/libcrypto1.1
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE310-OPENSSL-1075741
  Introduced through: openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0, apk-tools/apk-tools@2.10.4-r2, libtls-standalone/libtls-standalone@2.9.1-r0
  From: openssl/libcrypto1.1@1.1.1g-r0
  From: openssl/libssl1.1@1.1.1g-r0 > openssl/libcrypto1.1@1.1.1g-r0
  From: apk-tools/apk-tools@2.10.4-r2 > openssl/libcrypto1.1@1.1.1g-r0
  and 4 more...
  Fixed in: 1.1.1j-r0

✗ High severity vulnerability found in openssl/libcrypto1.1
  Description: Improper Certificate Validation
  Info: https://snyk.io/vuln/SNYK-ALPINE310-OPENSSL-1089244
  Introduced through: openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0, apk-tools/apk-tools@2.10.4-r2, libtls-standalone/libtls-standalone@2.9.1-r0
  From: openssl/libcrypto1.1@1.1.1g-r0
  From: openssl/libssl1.1@1.1.1g-r0 > openssl/libcrypto1.1@1.1.1g-r0
  From: apk-tools/apk-tools@2.10.4-r2 > openssl/libcrypto1.1@1.1.1g-r0
  and 4 more...
  Fixed in: 1.1.1k-r0

✗ High severity vulnerability found in busybox/busybox
  Description: Improper Handling of Exceptional Conditions
  Info: https://snyk.io/vuln/SNYK-ALPINE310-BUSYBOX-1090151
  Introduced through: busybox/busybox@1.30.1-r3, alpine-baselayout/alpine-baselayout@3.1.2-r0, busybox/ssl_client@1.30.1-r3
  From: busybox/busybox@1.30.1-r3
  From: alpine-baselayout/alpine-baselayout@3.1.2-r0 > busybox/busybox@1.30.1-r3
  From: busybox/ssl_client@1.30.1-r3
  Fixed in: 1.30.1-r5

✗ High severity vulnerability found in apk-tools/apk-tools
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-ALPINE310-APKTOOLS-1246341
  Introduced through: apk-tools/apk-tools@2.10.4-r2
  From: apk-tools/apk-tools@2.10.4-r2
  Fixed in: 2.10.6-r0

✗ Critical severity vulnerability found in apk-tools/apk-tools
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-ALPINE310-APKTOOLS-1534688
  Introduced through: apk-tools/apk-tools@2.10.4-r2
  From: apk-tools/apk-tools@2.10.4-r2
  Fixed in: 2.10.7-r0
