
[ECR] [request]: Exclude kernel-related CVEs from container scan results

Open kamzil opened this issue 1 year ago • 3 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request: Already mentioned at https://github.com/aws/containers-roadmap/issues/798#issuecomment-623847952 but not yet resolved. Currently, the AWS Inspector container scan results display Linux kernel vulnerabilities, even though the container is running on top of the host kernel, which is not dependent on the container image. Therefore, these entries in the results are false positives, or something that we can't affect, and should be excluded to reduce noise.

Which service(s) is this request for? ECR

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? The problem is too much unnecessary noise in scan results. The goal is to reduce it.

Are you currently working around this issue? No

Additional context: No

Attachments: No

kamzil · Mar 08 '24 09:03

For those here looking to prevent image kernel false positives while we await a fix, this worked:

AWS Inspector > Suppression Rules > Create
Suppression rule details > Suppression rule filters 
Resource type: AWS ECR Container Image
Package: name EQUALS linux

Inspector2 Suppression Rules do not yet exist in Terraform at this moment https://github.com/hashicorp/terraform-provider-aws/issues/34165

mikecook · Aug 19 '24 22:08

Thank you for your inquiry about Amazon Inspector findings related to linux-libc-dev and similar kernel headers packages.

While these packages primarily contain development headers, they are not false positives in our vulnerability assessment. The packages do contain vulnerable code signatures that match CVE criteria, which is why they appear in your findings.

Amazon Inspector has visibility into vulnerability detection only; however, customers should evaluate how impactful a CVE is in their environment, given their specific setup and requirements. The actual risk depends on your specific implementation, usage patterns, and security posture.

We recommend Amazon Inspector customers perform the following:

  • Evaluating the specific CVEs against your usage context
  • Considering targeted updates where feasible
  • Documenting exceptions in your security policy if you determine no remediation is needed. Amazon Inspector findings can be suppressed using finding ARNs or blanket filtered out using package name.

Amazon Inspector accurately reports these vulnerabilities as part of our comprehensive security assessment. The final risk determination and remediation decisions remain with you as part of your security governance process.

awsactran · May 05 '25 17:05

For those (like myself) that decide to suppress Linux kernel vulnerabilities, please note that the Terraform provider was recently updated with an inspector2_filter resource.

joey-squid · May 22 '25 22:05
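The thread above describes two ways to suppress these findings: a package-name rule scoped to ECR images (mikecook's console recipe) and suppression by finding ARN (awsactran's reply), with the Terraform `aws_inspector2_filter` resource mentioned last expressing the same Inspector CreateFilter criteria. The block below is an added example and is not code from the issue thread, from AWS, or from the Terraform provider. It triages findings in the shape of the inspector2 ListFindings response, builds the CreateFilter `filterCriteria` for both approaches, and keeps the resource-type constraint so that the same kernel package reported on an EC2 host (where it is a real finding) is never suppressed. The sample findings are constructed; account IDs, ARNs, resource IDs and vulnerability IDs are placeholders. The set of package names treated as "kernel" (including `linux-libc-dev`) and the per-list entry cap of 10 are assumptions the operator should confirm against their distributions and the current API quotas.

```python
"""Triage Amazon Inspector findings for kernel packages reported on ECR images.

Added example, not code from the issue thread, AWS, or the Terraform provider.
Sample findings are constructed in the shape of inspector2 ListFindings output;
every ARN, account ID, resource ID and vulnerability ID is a placeholder.
"""
import json

# ASSUMPTION: "linux" is the Debian/Ubuntu kernel source package, "kernel" the
# RPM one; linux-libc-dev (userspace kernel headers) is included only because the
# operator has decided to treat it the same way. Adjust per distribution.
KERNEL_PACKAGES = {"linux", "kernel", "linux-libc-dev"}
ECR_IMAGE = "AWS_ECR_CONTAINER_IMAGE"
MAX_PER_LIST = 10  # ASSUMPTION: entries allowed per filterCriteria list; check quotas


def _finding(n, resource_type, package):
    """Build one constructed finding in ListFindings shape (placeholders only)."""
    return {
        "findingArn": f"arn:aws:inspector2:us-east-1:111122223333:finding/f-{n:04d}",
        "type": "PACKAGE_VULNERABILITY",
        "severity": "HIGH",
        "resources": [{"type": resource_type, "id": f"placeholder-resource-{n}"}],
        "packageVulnerabilityDetails": {
            "vulnerabilityId": f"CVE-0000-{n:04d}",  # placeholder, not a real CVE
            "vulnerablePackages": [{"name": package, "version": "0", "packageManager": "OS"}],
        },
    }


SAMPLE_FINDINGS = [
    _finding(1, ECR_IMAGE, "linux"),           # kernel package inside an image
    _finding(2, ECR_IMAGE, "openssl"),         # image-level library: real risk, keep
    _finding(3, "AWS_EC2_INSTANCE", "linux"),  # kernel on a host: real risk, keep
    _finding(4, ECR_IMAGE, "linux-libc-dev"),  # kernel headers inside an image
]


def is_kernel_finding_on_image(finding):
    """True only when the finding is on an ECR image AND names a kernel package."""
    on_image = any(r.get("type") == ECR_IMAGE for r in finding.get("resources", []))
    pkgs = finding.get("packageVulnerabilityDetails", {}).get("vulnerablePackages", [])
    return on_image and any(p.get("name") in KERNEL_PACKAGES for p in pkgs)


def triage(findings):
    """Split findings into (suppress, keep) according to the rule above."""
    suppress = [f for f in findings if is_kernel_finding_on_image(f)]
    keep = [f for f in findings if not is_kernel_finding_on_image(f)]
    return suppress, keep


def package_name_criteria(package_name):
    """CreateFilter filterCriteria equivalent to the console rule
    'Resource type = AWS ECR Container Image, Package name EQUALS <name>'.
    Different criteria keys are ANDed, so this never matches EC2 hosts."""
    return {
        "resourceType": [{"comparison": "EQUALS", "value": ECR_IMAGE}],
        "vulnerablePackages": [{"name": {"comparison": "EQUALS", "value": package_name}}],
    }


def finding_arn_criteria(arns):
    """Per-finding suppression by ARN, chunked into one criteria dict per rule
    so no single filter list exceeds MAX_PER_LIST entries."""
    arns = list(arns)
    return [
        {"findingArn": [{"comparison": "EQUALS", "value": a} for a in arns[i:i + MAX_PER_LIST]]}
        for i in range(0, len(arns), MAX_PER_LIST)
    ]


def create_suppression_rule(client, name, criteria, description=""):
    """Call inspector2 CreateFilter with action SUPPRESS and return the filter ARN.
    `client` is a boto3 inspector2 client, or any object exposing create_filter()."""
    resp = client.create_filter(
        action="SUPPRESS", name=name, description=description, filterCriteria=criteria
    )
    return resp["arn"]


if __name__ == "__main__":
    suppress, keep = triage(SAMPLE_FINDINGS)
    print("suppress:", [f["findingArn"] for f in suppress])
    print("keep:    ", [f["findingArn"] for f in keep])
    print(json.dumps(package_name_criteria("linux"), indent=2))
    # Real use (needs boto3 and credentials):
    #   import boto3
    #   client = boto3.client("inspector2")
    #   create_suppression_rule(client, "ecr-kernel-cves", package_name_criteria("linux"))
```

Run it once with no credentials to review which findings the rule would hide before creating anything; a finding that lands in `keep` because it is on an EC2 instance is the host kernel, which is patchable and should stay visible. The per-finding ARN route is the narrower choice when only a handful of CVEs need documenting as accepted risk.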