scout-cli icon indicating copy to clipboard operation
scout-cli copied to clipboard

Published 20 hours ago verified publisher icon docker

Docker scout false positive on [email protected]

Open alexsuter opened this issue 1 year ago • 2 comments
trafficstars

Description

Docker scout treats [email protected] as vulnerable and reports that 4.0 has fixed the issue. But the CVE fix has been backported to 3.6.10 which is described in the CVE report in docker scout itself:

https://scout.docker.com/vulnerabilities/id/CVE-2016-2141/org/axonivy

JGroups before 4.0 does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors. Fixes for this issue have been backported to versions 3.6.10.Final and 3.2.16.Final.

Reproduce

Add jgroups 3.6.20 to the image and analyze it with docker scout.

Expected behavior

jgroups 3.6.20 should not be reported as vulnerable

docker version

not important

docker info

not important

Additional Info

No response

alexsuter avatar Dec 27 '23 18:12 alexsuter

I think it's because gitlab has the wrong versions ranges, where as github has the correct ones?

image

alexsuter avatar Dec 28 '23 06:12 alexsuter

Thanks for reporting; looks like this is related to Scout, which is currently closed source, and not maintained in this repository. Issues related to scout are best reported in https://github.com/docker/scout-cli.

I'll transfer this ticket to that issue tracker 👍

thaJeztah avatar Jan 03 '24 08:01 thaJeztah