Hi,

Firstly, thank you for your work :)

I work on the Canonical Public Cloud team and our partner GKE and their customers are starting to use cvescan to scan for vulnerabilities.

The GKE images we provide to GKE have certain packages installed from a PPA, e.g. https://launchpad.net/~cloud-images/+archive/ubuntu/docker1903-k8s

This PPA has containerd, runc and docker.io and all are up to date and patched... but when scanning the attached manifest, cvescan flags the packages as being vulnerable to CVE-2020-15157.

```
$ cvescan -p all --manifest=ubuntu-gke-onprem-1804-1-18-v20201203.manifest.txt | grep "docker\.io\|containerd"
CVE-2020-15157 medium docker.io 19.03.6-0ubuntu1~18.04.2 Ubuntu Archive
CVE-2020-15257 medium containerd 1.3.3-0ubuntu1~18.04.4 Ubuntu Archive
```

I can confirm that the versions installed are not vulnerable to CVE-2020-15157.

```
sudo apt install apt-listchanges
wget https://launchpad.net/~cloud-images/+archive/ubuntu/docker1903-k8s/+files/docker.io_19.03.2-0ubuntu1~18.04.0.2_amd64.deb
wget https://launchpad.net/~cloud-images/+archive/ubuntu/docker1903-k8s/+files/containerd_1.2.10-0ubuntu1~18.04.0.3_amd64.deb
apt-listchanges --verbose --frontend text --all ./docker.io_19.03.2-0ubuntu1~18.04.0.2_amd64.deb > docker.io.changelog
apt-listchanges --verbose --frontend text --all ./containerd_1.2.10-0ubuntu1~18.04.0.3_amd64.deb > containerd.changelog
less docker.io.changelog
less containerd.changelog
```

In the changelog you can see that patches have been applied for CVE-2020-15157.

Is there any way to add support for cvescan to support being able to mark certain package versions from a PPA as being no longer vulnerable to a specific CVE, e.g. appending to the database used when scanning?

The PPAs GKE and their customers use are all public.
ubuntu-gke-onprem-1804-1-18-v20201203.manifest.txt
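One way to apply the requested override locally until cvescan supports it, as an added example rather than cvescan's or Canonical's code: it reproduces dpkg's version ordering (epoch, upstream, revision, with `~` sorting low) and drops result lines whose (package, CVE) appears in an override list with an installed version at or above the PPA version whose changelog was checked above. The result-line format is taken from the cvescan output quoted in the issue; the override versions are constructed assumptions, not entries from cvescan's database.

```python
import re
# Added example, not cvescan code: (package, CVE) -> first PPA version whose changelog records the fix.
OVERRIDES = {("docker.io", "CVE-2020-15157"): "19.03.2-0ubuntu1~18.04.0.2",   # constructed from the
             ("containerd", "CVE-2020-15157"): "1.2.10-0ubuntu1~18.04.0.3"}  # issue text above

def _order(c):
    # dpkg weight: '~' sorts before end-of-string, letters before other punctuation
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """dpkg's alternating non-digit / digit comparison of one version component."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = (_order(a[0]) if a else 0), (_order(b[0]) if b else 0)
            if ac != bc: return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # leading zeros are insignificant
        first_diff = 0
        while a and b and a[0].isdigit() and b[0].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit(): return 1   # the longer digit run is the larger number
        if b and b[0].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def compare_versions(a, b):
    """Negative, zero or positive, like dpkg --compare-versions on epoch:upstream-revision."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

FINDING = re.compile(r"^(CVE-\d{4}-\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")  # cve prio pkg version source
def filter_findings(lines):
    """Drop a line only when its (package, CVE) is overridden and the installed version is at or
    above the fixed one; '>=' assumes later PPA versions keep the patch, use == if unsure."""
    kept = []
    for line in (raw.strip() for raw in lines):
        m = FINDING.match(line)
        if m:
            cve, _prio, pkg, ver, _src = m.groups()
            fixed = OVERRIDES.get((pkg, cve))
            if fixed is None or compare_versions(ver, fixed) < 0:
                kept.append(line)
    return kept
# Constructed sample: the two lines cvescan printed above. Only containerd survives: its CVE differs.
SAMPLE = ["CVE-2020-15157 medium docker.io 19.03.6-0ubuntu1~18.04.2 Ubuntu Archive",
          "CVE-2020-15257 medium containerd 1.3.3-0ubuntu1~18.04.4 Ubuntu Archive"]
```

Keeping the override keyed on the exact CVE is what keeps the containerd line visible: the changelog evidence covers CVE-2020-15157 only, so CVE-2020-15257 still needs its own check.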