
Docker scout has false positive on Ubuntu python packages

Open betelgeuse opened this issue 9 months ago • 0 comments

Given this Dockerfile:

FROM ubuntu:22.04

RUN apt-get update && apt-get install -y python3-cryptography

When I run:

../.docker/scout/docker-scout cves --only-cve-id CVE-2023-50782 --locations scout-testing:latest

I get in the output:

## Packages and Vulnerabilities

   0C     1H     0M     0L  cryptography 3.4.8
pkg:pypi/cryptography@3.4.8

6: sha256:02345afc3af08ee5903273fe8ee825ce2611e764e3f31016f03eaaa6be7934bc
/usr/lib/python3/dist-packages/cryptography-3.4.8.egg-info/PKG-INFO (evident by)
/usr/lib/python3/dist-packages/cryptography-3.4.8.egg-info/top_level.txt (evident by)

    ✗ HIGH CVE-2023-50782 [Observable Discrepancy]
      https://scout.docker.com/v/CVE-2023-50782?s=github&n=cryptography&t=pypi&vr=%3C42.0.0
      Affected range : <42.0.0
      Fixed version  : 42.0.0
      CVSS Score     : 8.7
      CVSS Vector    : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

1 vulnerability found in 1 package
  CRITICAL  0
  HIGH      1
  MEDIUM    0
  LOW       0

Suggested fix: docker scout should map the egg-info directories to apt packages. If they have been installed via apt, they should not be detected as pypi-installed packages.

betelgeuse, Feb 04 '25 06:02
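The mapping the reporter proposes (egg-info directory to the apt package that owns it), as an added example that is not Docker Scout's code: it assumes dpkg's per-package file lists are readable and uses a constructed, abridged copy of python3-cryptography's list together with the evidence paths from the scout output above.

```python
# Added example (not Docker Scout code): decide whether a pypi finding from
# `docker scout cves --locations` is apt-installed, via dpkg's file lists (`dpkg -S`).
import re
from pathlib import PurePosixPath

# Constructed sample of /var/lib/dpkg/info/python3-cryptography.list (abridged).
DPKG_FILE_LISTS = {
    "python3-cryptography": """\
/.
/usr/lib/python3/dist-packages
/usr/lib/python3/dist-packages/cryptography
/usr/lib/python3/dist-packages/cryptography-3.4.8.egg-info
/usr/lib/python3/dist-packages/cryptography-3.4.8.egg-info/PKG-INFO
/usr/lib/python3/dist-packages/cryptography-3.4.8.egg-info/top_level.txt
""",
}

# The finding from the issue: purl plus the "(evident by)" paths scout printed.
FINDING = ("pkg:pypi/cryptography@3.4.8", [
    "/usr/lib/python3/dist-packages/cryptography-3.4.8.egg-info/PKG-INFO",
    "/usr/lib/python3/dist-packages/cryptography-3.4.8.egg-info/top_level.txt",
])

METADATA_DIR = re.compile(r"^[\w.]+-[^-]+\.(egg|dist)-info$")

def build_path_index(file_lists):
    """Invert dpkg file lists into path -> owning package."""
    return {line: pkg for pkg, text in file_lists.items()
            for line in text.splitlines() if line and line != "/."}

def owning_apt_package(path, index):
    """dpkg owner of `path` or of its enclosing *.egg-info/*.dist-info directory.
    None means dpkg does not know it, i.e. a genuine pip install."""
    p = PurePosixPath(path)
    for cand in (p, *p.parents):
        # Only the file itself or its metadata dir may attribute ownership, never
        # a shared parent such as /usr/lib/python3/dist-packages.
        if (cand == p or METADATA_DIR.match(cand.name)) and str(cand) in index:
            return index[str(cand)]
    return None

def classify(finding, index):
    """('apt', dpkg package) when every evidence path is owned by one dpkg
    package, otherwise ('pypi', None): the finding stays a pypi package."""
    _, paths = finding
    owners = {owning_apt_package(p, index) for p in paths}
    if paths and len(owners) == 1 and None not in owners:
        return ("apt", owners.pop())
    return ("pypi", None)
```

With the real lists on an Ubuntu image the same lookup is what `dpkg -S <path>` performs, so a scanner could suppress the pypi purl and report the apt package instead.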