
[ECR] [request]: Support whitelisting certain CVE findings

Open delafuentejc opened this issue 4 years ago • 4 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request We would like to be able to whitelist some vulnerabilities when doing ECR scanning.

Which service(s) is this request for? ECR

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? We have a Docker image in an ECR repository. Scanning the image reports one vulnerability about a library we're using. According to the library documentation, the vulnerability is fixed in the version of the library we're using and it could be a false positive. We're thinking about several actions to follow. One of them is whitelisting this specific vulnerability, but it's not possible with AWS ECR scanning.

Are you currently working around this issue? We're using another Linux base image, but the new generated image is bigger than the original one, about 3 times bigger.

delafuentejc avatar Dec 15 '20 09:12 delafuentejc

Examples of this functionality in other tools can be seen in the below links: Clair, Snyk, Aquasec, Docker. We have worked around this by ignoring specific CVEs in scan results, and reporting to another tool.

willejs avatar Jun 01 '21 09:06 willejs

I'd like to add that this is a showstopper for ECR vuln scanning adoption. There are just times the CVEs aren't relevant (vuln kern package in an ubuntu docker container) and if we're going to break builds for CVEs, we need to be able to account for that.

cmeisinger avatar Jul 02 '21 20:07 cmeisinger

This feature is already supported in ECR Enhanced Scanning/Amazon Inspector. See doc link here.

hou-yimin avatar Feb 24 '23 02:02 hou-yimin

> This feature is already supported in ECR Enhanced Scanning/Amazon Inspector. See doc link here.

This is interesting because we're currently getting scan results from images in ECR without having even activated Inspector. So, how is this working? We've configured image repos in ECR to scan, and are using ournova/aws-ecr-image-scan in our pipeline to obtain the results and fail on >= HIGH vulnerabilities.

To activate another paid-for AWS product to prevent non-applicable CVEs failing the build doesn't feel like the right answer here.

ndtreviv avatar Jun 07 '24 13:06 ndtreviv
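One way to implement the workaround described in this thread (ignoring specific CVEs in the scan results, as willejs does, combined with the fail-on-HIGH gate ndtreviv mentions), as an added example that is not code from the issue, from AWS or from ournova/aws-ecr-image-scan: a Python filter over constructed findings shaped like the `findings` array of ECR basic-scan output. The allowlist format, its expiry field and the placeholder CVE ids are assumptions.

```python
from datetime import date

# Severity levels reported by ECR basic scanning, ranked for threshold comparison.
SEVERITY_RANK = {"UNDEFINED": 0, "INFORMATIONAL": 1, "LOW": 2,
                 "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

# Constructed sample, shaped like the `findings` array that
# `aws ecr describe-image-scan-findings` returns for basic scanning.
# The CVE ids are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    {"name": "CVE-0000-0001", "severity": "HIGH",
     "attributes": [{"key": "package_name", "value": "libfoo"},
                    {"key": "package_version", "value": "1.2.3"}]},
    {"name": "CVE-0000-0002", "severity": "CRITICAL",
     "attributes": [{"key": "package_name", "value": "linux-image"},
                    {"key": "package_version", "value": "5.4.0"}]},
    {"name": "CVE-0000-0003", "severity": "MEDIUM",
     "attributes": [{"key": "package_name", "value": "libbar"},
                    {"key": "package_version", "value": "2.0"}]},
]

# Allowlist (hypothetical format): every suppression records why it exists and
# when it expires, so an ignored CVE is re-reviewed rather than forgotten.
ALLOWLIST = {
    "CVE-0000-0001": {"reason": "fixed in libfoo 1.2.3 per upstream docs; scanner false positive",
                      "expires": "2099-01-01"},
    "CVE-0000-0002": {"reason": "kernel package is inert inside a container",
                      "expires": "2021-01-01"},  # expired: suppression no longer applies
}


def is_suppressed(finding, allowlist, today):
    """True if the finding's CVE is allowlisted and the entry has not expired."""
    entry = allowlist.get(finding["name"])
    return entry is not None and date.fromisoformat(entry["expires"]) >= today


def evaluate(findings, allowlist, threshold="HIGH", today=None):
    """Apply the allowlist, then fail on any remaining finding at or above `threshold`."""
    today = date.fromisoformat(today) if today else date.today()
    suppressed, failing = [], []
    for f in findings:
        if is_suppressed(f, allowlist, today):
            suppressed.append(f["name"])
        elif SEVERITY_RANK.get(f["severity"], 0) >= SEVERITY_RANK[threshold]:
            failing.append(f["name"])
    return {"suppressed": suppressed, "failing": failing, "passed": not failing}


if __name__ == "__main__":
    result = evaluate(SAMPLE_FINDINGS, ALLOWLIST, today="2024-06-07")
    print(result)
    raise SystemExit(0 if result["passed"] else 1)
```

With the sample data the expired kernel suppression no longer applies, so the CRITICAL finding still fails the build while the documented false positive is skipped.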