scout-cli
CVE is only detected when the package is installed, not when it's built from source
Example CVE:
https://scout.docker.com/vulnerabilities/id/CVE-2023-41915?s=ubuntu&n=pmix&ns=ubuntu&t=deb&osn=ubuntu&osv=22.04&vr=%3E%3D0
Compare:
- Installing package

```dockerfile
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y libpmix2
```

CVE is detected.

- Building from source

```dockerfile
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y \
    wget \
    tar \
    libevent-dev \
    libhwloc-dev \
    build-essential \
    python3
ARG DOCKER_PMIX_VERSION=4.1.2
RUN wget https://github.com/openpmix/openpmix/releases/download/v${DOCKER_PMIX_VERSION}/pmix-${DOCKER_PMIX_VERSION}.tar.gz && \
    tar -xzvf pmix-${DOCKER_PMIX_VERSION}.tar.gz && \
    cd pmix-${DOCKER_PMIX_VERSION} && \
    ./configure --prefix=/usr/local && \
    make && \
    make install
RUN apt purge -y build-essential linux-libc-dev && apt autoremove -y
```

CVE is not detected.
Is this expected?
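Added example, not code from the scout-cli project or from the issue author: a small script showing why the second Dockerfile goes unreported. A package-based scanner reads the distribution package database (dpkg's `/var/lib/dpkg/status` on Ubuntu) and matches each recorded name/version pair against vulnerability data; a library installed with `./configure && make install` never gets a dpkg stanza, so there is nothing to match. The script parses a constructed status file, then lists shared objects on disk that no package owns, which is the check to run on an image if you want to find source-built components the scanner cannot see. All package names, paths and version strings in the sample data are constructed stand-ins, not output from a real container.

```python
"""
Added example (not from scout-cli or the issue author): contrast what a
package-database scan sees with what is actually on disk in an image.
All sample data below is constructed.
"""
import re

# Constructed dpkg status excerpt: the apt-installed libpmix2 case, a second
# installed package, and one package that was removed but left config files.
SAMPLE_DPKG_STATUS = """\
Package: libpmix2
Status: install ok installed
Version: 4.1.2-2ubuntu1
Architecture: amd64

Package: libevent-2.1-7
Status: install ok installed
Version: 2.1.12-stable-1build3
Architecture: amd64

Package: build-essential
Status: deinstall ok config-files
Version: 12.9ubuntu3
Architecture: amd64
"""

# Constructed per-package file lists (what `dpkg -L <pkg>` would report).
SAMPLE_DPKG_FILELISTS = {
    "libpmix2": ["/usr/lib/x86_64-linux-gnu/libpmix.so.2",
                 "/usr/lib/x86_64-linux-gnu/libpmix.so.2.5.2"],
    "libevent-2.1-7": ["/usr/lib/x86_64-linux-gnu/libevent-2.1.so.7"],
}

# Constructed snapshot of files in the image: dpkg-owned libraries plus the
# copies that `make install --prefix=/usr/local` would have written.
SAMPLE_FILES_ON_DISK = [
    "/usr/lib/x86_64-linux-gnu/libpmix.so.2",
    "/usr/lib/x86_64-linux-gnu/libpmix.so.2.5.2",
    "/usr/lib/x86_64-linux-gnu/libevent-2.1.so.7",
    "/usr/local/lib/libpmix.so.2",        # built from source, no dpkg owner
    "/usr/local/lib/libpmix.so.2.5.2",
    "/usr/local/bin/pmix_info",           # executable, not a shared object
    "/etc/ld.so.cache",                   # not a library despite ".so" in the name
]


def parse_dpkg_status(text):
    """Return {package: version} for stanzas whose Status ends in 'installed'.

    This name/version map is the only thing a package-based scanner has to
    match against vulnerability ranges.
    """
    installed = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace() or ":" not in line:
                continue  # skip continuation lines of multi-line fields
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
        if fields.get("Status", "").endswith(" installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed


def is_shared_object(path):
    """True for names like libfoo.so, libfoo.so.2 or libfoo.so.2.5.2."""
    return re.search(r"\.so(\.\d+)*$", path) is not None


def untracked_libraries(files_on_disk, filelists):
    """Shared objects on disk that no dpkg package claims ownership of."""
    owned = {p for paths in filelists.values() for p in paths}
    return sorted(p for p in files_on_disk if is_shared_object(p) and p not in owned)


def soname_to_name(path):
    """Best-effort library name from a soname: 'libpmix.so.2' -> 'pmix'.

    The soname carries no package version, which is why an unowned library
    cannot be matched against a CVE's affected-version range.
    """
    m = re.match(r"lib(.+?)(-[\d.]+)?\.so", path.rsplit("/", 1)[-1])
    return m.group(1) if m else None


def scanner_view(status_text, files_on_disk, filelists):
    """What the package scan sees versus what sits on disk unowned."""
    return {
        "packaged": parse_dpkg_status(status_text),
        "untracked": {p: soname_to_name(p)
                      for p in untracked_libraries(files_on_disk, filelists)},
    }


if __name__ == "__main__":
    view = scanner_view(SAMPLE_DPKG_STATUS, SAMPLE_FILES_ON_DISK, SAMPLE_DPKG_FILELISTS)
    for name, version in view["packaged"].items():
        print(f"scanner sees   {name} {version}")
    for path, name in view["untracked"].items():
        print(f"scanner blind  {path} (name hint {name!r}, version unknown)")
```

On a real image the same two inputs come from `/var/lib/dpkg/status` and `/var/lib/dpkg/info/*.list`; anything the check reports under `/usr/local` or `/opt` is a component whose version only the build recipe knows, so it needs to be tracked by some other means (pinning the version in the Dockerfile, as the `DOCKER_PMIX_VERSION` argument above already does, is the starting point).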