
Trivy scan on this project image is showing critical vulnerabilities

Open austinsonger opened this issue 3 years ago • 4 comments

Discussed in https://github.com/Secure-Compliance-Solutions-LLC/GVM-Docker/discussions/240

Originally posted by MarcosSarzi-Neo, July 26, 2021:

I am executing some tests using this image from docker and I am getting some critical vulnerabilities from it, where should I ask for help?

localhost:gvm (alpine 3.14.0)
agent_1  | =============================
agent_1  | Total: 0 (HIGH: 0, CRITICAL: 0)
agent_1  | 
agent_1  | 
agent_1  | usr/share/texmf-dist/scripts/latex2nemeth/latex2nemeth-v1.0.2.jar (jar)
agent_1  | =======================================================================
agent_1  | Total: 2 (HIGH: 1, CRITICAL: 1)
agent_1  | 
agent_1  | +-----------------------------------------+------------------+----------+-------------------+---------------+
agent_1  | |                 LIBRARY                 | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
agent_1  | +-----------------------------------------+------------------+----------+-------------------+---------------+
agent_1  | | org.apache.commons:commons-collections4 | CVE-2015-7501    | CRITICAL |               4.0 |           4.1 |
agent_1  | +                                         +------------------+----------+                   +               +
agent_1  | |                                         | CVE-2015-6420    | HIGH     |                   |               |
agent_1  | +-----------------------------------------+------------------+----------+-------------------+---------------+
agent_1  | 
agent_1  | usr/share/texmf-dist/scripts/texplate/texplate.jar (jar)
agent_1  | ========================================================
agent_1  | Total: 1 (HIGH: 1, CRITICAL: 0)
agent_1  | 
agent_1  | +------------------------------------------+------------------+----------+-------------------+---------------+
agent_1  | |                 LIBRARY                  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
agent_1  | +------------------------------------------+------------------+----------+-------------------+---------------+
agent_1  | | org.apache.velocity:velocity-engine-core | CVE-2020-13936   | HIGH     |               2.2 |           2.3 |
agent_1  | +------------------------------------------+------------------+----------+-------------------+---------------+

austinsonger avatar Jul 27 '21 02:07 austinsonger
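One way to turn a Trivy JSON report into the per-target totals shown in the pasted output, as an added example that is not from the GVM-Docker project or from anyone in this thread. The sample JSON is constructed to mirror the findings above, and `summarize` is a hypothetical helper name; the field names are the ones Trivy documents for `trivy image --format json`.

```python
"""Per-target triage of a Trivy JSON report (added example)."""
import json
from collections import Counter

# Constructed sample mirroring the three targets pasted in the issue.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "localhost:gvm (alpine 3.14.0)", "Type": "alpine"},
    {"Target": "usr/share/texmf-dist/scripts/latex2nemeth/latex2nemeth-v1.0.2.jar",
     "Type": "jar", "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2015-7501", "Severity": "CRITICAL",
          "PkgName": "org.apache.commons:commons-collections4",
          "InstalledVersion": "4.0", "FixedVersion": "4.1"},
         {"VulnerabilityID": "CVE-2015-6420", "Severity": "HIGH",
          "PkgName": "org.apache.commons:commons-collections4",
          "InstalledVersion": "4.0", "FixedVersion": "4.1"}]},
    {"Target": "usr/share/texmf-dist/scripts/texplate/texplate.jar",
     "Type": "jar", "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2020-13936", "Severity": "HIGH",
          "PkgName": "org.apache.velocity:velocity-engine-core",
          "InstalledVersion": "2.2", "FixedVersion": "2.3"}]},
]})


def summarize(report_json, severities=("HIGH", "CRITICAL")):
    """Return {target: {"type", "counts", "fixable"}} for findings whose
    severity is in `severities`; `fixable` lists IDs that have a FixedVersion."""
    data = json.loads(report_json)
    # Older Trivy releases emitted a bare list instead of {"Results": [...]}.
    results = data.get("Results", []) if isinstance(data, dict) else data
    summary = {}
    for result in results:
        # Trivy omits the key (or sets null) for a target with no findings.
        vulns = result.get("Vulnerabilities") or []
        hits = [v for v in vulns if v.get("Severity") in severities]
        summary[result["Target"]] = {
            "type": result.get("Type"),
            "counts": Counter(v["Severity"] for v in hits),
            "fixable": sorted(v["VulnerabilityID"] for v in hits
                              if v.get("FixedVersion")),
        }
    return summary


if __name__ == "__main__":
    for target, info in summarize(SAMPLE_REPORT).items():
        c = info["counts"]
        print(f"{target} ({info['type']}): HIGH={c['HIGH']} "
              f"CRITICAL={c['CRITICAL']} fixable={info['fixable']}")
```

The `fixable` list separates findings that an upstream package bump will close (here all three) from ones that need a different mitigation.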

my one is showing the same.

MarcosSarzi-Neo avatar Jul 27 '21 06:07 MarcosSarzi-Neo

my one is showing the same.

this was your report in the discussion. ;)

https://git.alpinelinux.org/aports/tree/community/texmf-dist/APKBUILD there is the package and the author details.

You can open an Issue at https://gitlab.alpinelinux.org/alpine/aports/-/issues

I'm currently not on the correct system to do it, so if someone of you has time to do it, feel free.

Dexus avatar Jul 27 '21 07:07 Dexus

I opened the issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/12874

Dexus avatar Jul 27 '21 07:07 Dexus

texplate will be released to cpan.org in the next few days, so we need to wait for the other distros to use the new version.

Dexus avatar Jul 27 '21 12:07 Dexus