
CVE is only detected when package is installed, not when it's built from source

Open · gergelyfabian opened this issue 1 year ago · 1 comment

Example CVE:

https://scout.docker.com/vulnerabilities/id/CVE-2023-41915?s=ubuntu&n=pmix&ns=ubuntu&t=deb&osn=ubuntu&osv=22.04&vr=%3E%3D0

Compare:

1. Installing the package

```dockerfile
FROM ubuntu:22.04

# libpmix2 is installed from the Ubuntu archive, so dpkg records it
RUN apt-get update && apt-get install -y libpmix2
```

CVE is detected.

2. Building from source

```dockerfile
FROM ubuntu:22.04

RUN apt-get update && apt-get install -y \
    wget \
    tar \
    libevent-dev \
    libhwloc-dev \
    build-essential \
    python3

# PMIx is built from the upstream tarball and installed under /usr/local;
# nothing in the dpkg database records it
ARG DOCKER_PMIX_VERSION=4.1.2
RUN wget https://github.com/openpmix/openpmix/releases/download/v${DOCKER_PMIX_VERSION}/pmix-${DOCKER_PMIX_VERSION}.tar.gz && \
    tar -xzvf pmix-${DOCKER_PMIX_VERSION}.tar.gz && \
    cd pmix-${DOCKER_PMIX_VERSION} && \
    ./configure --prefix=/usr/local && \
    make && \
    make install

RUN apt purge -y build-essential linux-libc-dev && apt autoremove -y
```

CVE is not detected.

Is this expected?

gergelyfabian avatar Jun 26 '24 07:06 gergelyfabian

Unlike structured packaging languages (Python wheels, Rust Cargo crates and cargo-auditable, npm modules, Go binaries with Go buildinfo), there isn't anything like this for C/C++.

However, you are in control and can add such metadata by hand, by using ELF build notes metadata, or by creating a virtual package and marking it as installed.

Most packaging systems have it:

  • Alpine apk-tools: see `apk add --virtual`
  • Debian/Ubuntu: see https://packages.debian.org/buster/equivs

and so on.

xnox avatar Jun 21 '25 18:06 xnox
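The virtual-package route from the comment above, worked through for the Dockerfile in the issue. This is an added example, not code from the scout-cli project or from either participant: it writes an equivs control file that declares a `libpmix2` package at the version built from source, so that once `equivs-build` and `dpkg -i` have run, the dpkg status database lists the library and a scanner that reads that database has something to match. The package name and the Debian-style version string `4.1.2-0local1` are assumptions chosen to mirror the `libpmix2` archive package and the `DOCKER_PMIX_VERSION` used above; whether a given CVE is then reported still depends on the scanner's version comparison against its advisory data.

```shell
#!/bin/sh
# Added example (not part of the issue or the scout-cli project):
# generate an equivs control file describing a source-built library as a
# virtual dpkg package, then build and install it so dpkg -l shows it.
set -eu

# make_equivs_control NAME VERSION OUTFILE
# Writes the control file equivs-build expects and prints its path.
# NAME/VERSION are assumptions supplied by the caller (e.g. libpmix2 4.1.2-0local1).
make_equivs_control() {
    pkg=$1
    ver=$2
    out=$3
    cat > "$out" <<EOF
Section: libs
Priority: optional
Standards-Version: 3.9.2
Package: $pkg
Version: $ver
Architecture: all
Description: virtual package recording source-built $pkg $ver
 Placeholder entry so the dpkg database records the library that was
 compiled from the upstream tarball and installed under /usr/local.
EOF
    printf '%s\n' "$out"
}

# control_field FILE FIELD
# Prints the value of a single control-file field, for checking the result.
control_field() {
    sed -n "s/^$2: //p" "$1"
}

# Usage inside the Dockerfile, after `make install` and before purging
# build-essential (equivs is needed only at build time and can be purged too):
#
#   apt-get install -y equivs
#   make_equivs_control libpmix2 4.1.2-0local1 /tmp/libpmix2.ctl
#   cd /tmp && equivs-build libpmix2.ctl && dpkg -i libpmix2_4.1.2-0local1_all.deb
#   dpkg -l libpmix2     # now listed as installed
#
# The Alpine equivalent mentioned in the comment is a one-liner with no
# control file:  apk add --virtual libpmix2
```

Keep the `Version` honest: it should be the upstream version that was actually compiled, because that is what a scanner compares against the fixed versions in its advisory feed. Declaring a newer version than was built hides the finding rather than fixing it.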