Kreya
Docker image critical vulnerability
Describe the bug
Our AWS ECR scan showed that the Kreya image has a critical vulnerability related to the zlib package. No new packages were added to the original Kreya image on our side. Could you please look into that and update your base image to fix this? Thanks in advance.
To Reproduce
I wasn't able to get the same output as ECR by using docker scout; however, it still displays at least one high vulnerability on the latest image. Run `docker scout cves riok/kreyac:latest` to see.
Expected behavior
The image has no critical vulnerabilities.
Screenshots
Environment (if possible, copy the information from the error dialog or the About menu):
- Kreya image tags with critical vulnerabilities: `latest`, `beta`, `alpha`.
Apparently, the CRITICAL CVE for zlib:1:1.2.13.dfsg-1 is a false positive: https://github.com/madler/zlib/pull/843#issuecomment-2050417533.
As for the Dockerfile, we aren't doing much in there. We depend on mcr.microsoft.com/dotnet/runtime-deps:8.0 (since Kreya is programmed in .NET) and basically just copy the compiled kreyac file into the image.
This means we have to wait until either the CVE is flagged as false positive or our base image resolves the CVEs.
@CommonGuy I see, thanks a lot for the information, that's good to know. It's definitely not a big deal for us, but just wanted to raise awareness.
@CommonGuy Unfortunately, that false positive might be around for a year or more; I put a writeup about it here: https://github.com/madler/zlib/pull/843#issuecomment-2130408505
@superlazyname Thanks for the writeup!