
Add clair vulnerability analysis scans #107

Open
neomantra opened this issue May 31, 2019 · 1 comment

Comments

@neomantra (Member)

  • Create tooling to use clair to scan our images for vulnerabilities.

  • Drive using Travis.

  • Run on a cron

  • Improve tooling to rebuild when vulnerabilities are found

@michaelheyman

Per your request here, I'm going to describe how to get vulnerability scan results using a different tool.

Twistlock is a security scanning tool that is now part of Prisma Cloud. It is my understanding that this is a paid tool, with unknown free support.

Here is an example of a security vulnerability report

Pulled from this issue comment

+----------------+----------+------+---------+------------------+---------------------------+-----------+------------+----------------------------------------------------+
|      CVE       | SEVERITY | CVSS | PACKAGE |     VERSION      |          STATUS           | PUBLISHED | DISCOVERED |                    DESCRIPTION                     |
+----------------+----------+------+---------+------------------+---------------------------+-----------+------------+----------------------------------------------------+
| CVE-2021-39537 | high     | 8.80 | ncurses | 6.2_p20210612-r0 | fixed in 6.3_p20211120-r0 | 73 days   | < 1 hour   | An issue was discovered in ncurses through v6.2-1. |
|                |          |      |         |                  | 73 days ago               |           |            | _nc_captoinfo in captoinfo.c has a heap-based      |
|                |          |      |         |                  |                           |           |            | buffer overflow.                                   |
+----------------+----------+------+---------+------------------+---------------------------+-----------+------------+----------------------------------------------------+
| CVE-2021-43618 | high     | 7.50 | gmp     | 6.2.1-r0         |                           | 17 days   | < 1 hour   | GNU Multiple Precision Arithmetic Library (GMP)    |
|                |          |      |         |                  |                           |           |            | through 6.2.1 has an mpz/inp_raw.c integer         |
|                |          |      |         |                  |                           |           |            | overflow and resultant buffer overflow via crafted |
|                |          |      |         |                  |                           |           |            | input, l...                                        |
+----------------+----------+------+---------+------------------+---------------------------+-----------+------------+----------------------------------------------------+

This is merely informational, and not a recommendation on security tooling.
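The issue asks for tooling that scans images and rebuilds when vulnerabilities are found, and the comment above shows what a scanner report looks like. The following is an added example, not part of this project's tooling nor of Twistlock or Clair: it parses a report in the wrapped ASCII-table layout shown above into findings (the `SAMPLE_REPORT` text is constructed from the two rows in the thread) and applies a CI gate that exits non-zero when a finding crosses a severity or CVSS threshold. The thresholds, the `fixable_only` rule (only count findings whose STATUS names a fixed version, since those are the ones a rebuild actually cures), and the file-argument interface are assumptions of this example.

```python
"""CI gate over a Twistlock-style vulnerability table (added example).

Usage: python vuln_gate.py [report.txt]
With no argument the constructed SAMPLE_REPORT below is used.
Exit status 1 means "rebuild / fail the build", 0 means clean under policy.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Policy ordering assumed by this example; adjust to the scanner's own scale.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample: the two rows from the report pasted in this thread,
# reproduced with the same wrapped-cell layout the scanner emits.
SAMPLE_REPORT = """\
+----------------+----------+------+---------+------------------+---------------------------+-----------+------------+----------------------------------------------------+
|      CVE       | SEVERITY | CVSS | PACKAGE |     VERSION      |          STATUS           | PUBLISHED | DISCOVERED |                    DESCRIPTION                     |
+----------------+----------+------+---------+------------------+---------------------------+-----------+------------+----------------------------------------------------+
| CVE-2021-39537 | high     | 8.80 | ncurses | 6.2_p20210612-r0 | fixed in 6.3_p20211120-r0 | 73 days   | < 1 hour   | An issue was discovered in ncurses through v6.2-1. |
|                |          |      |         |                  | 73 days ago               |           |            | _nc_captoinfo in captoinfo.c has a heap-based      |
|                |          |      |         |                  |                           |           |            | buffer overflow.                                   |
+----------------+----------+------+---------+------------------+---------------------------+-----------+------------+----------------------------------------------------+
| CVE-2021-43618 | high     | 7.50 | gmp     | 6.2.1-r0         |                           | 17 days   | < 1 hour   | GNU Multiple Precision Arithmetic Library (GMP)    |
|                |          |      |         |                  |                           |           |            | through 6.2.1 has an mpz/inp_raw.c integer         |
|                |          |      |         |                  |                           |           |            | overflow and resultant buffer overflow via crafted |
|                |          |      |         |                  |                           |           |            | input, l...                                        |
+----------------+----------+------+---------+------------------+---------------------------+-----------+------------+----------------------------------------------------+
"""


@dataclass
class Finding:
    cve: str
    severity: str      # lower-cased scanner severity word
    cvss: float
    package: str
    version: str
    status: str        # raw STATUS cell, continuation lines joined with spaces
    description: str   # DESCRIPTION cell, continuation lines joined with spaces

    @property
    def fixed_in(self) -> Optional[str]:
        """Version named by 'fixed in <ver>' in STATUS, or None if no fix is listed."""
        m = re.search(r"fixed in (\S+)", self.status)
        return m.group(1) if m else None


def _cells(line: str) -> List[str]:
    """Split one '| a | b | ... |' table row into stripped cell strings."""
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_report(text: str) -> List[Finding]:
    """Parse the ASCII table. Wrapped rows have an empty CVE cell, so their
    STATUS/DESCRIPTION fragments are appended to the preceding finding."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                      # '+----' borders and any surrounding text
        cells = _cells(line)
        if len(cells) < 9 or cells[0] == "CVE":
            continue                      # header row
        cve, sev, cvss, pkg, ver, status, _pub, _disc, desc = cells[:9]
        if cve:
            findings.append(Finding(cve, sev.lower(), float(cvss), pkg, ver, status, desc))
        elif findings:                    # continuation line of the previous row
            cur = findings[-1]
            if status:
                cur.status = f"{cur.status} {status}".strip()
            if desc:
                cur.description = f"{cur.description} {desc}".strip()
    return findings


def evaluate(findings: List[Finding], min_severity: str = "high",
             min_cvss: float = 7.0, fixable_only: bool = True) -> Tuple[bool, List[str]]:
    """Return (should_fail, offending CVE ids).

    A finding blocks when its severity rank OR its CVSS meets the threshold.
    With fixable_only, findings that list no fixed version are ignored: they
    will not go away by rebuilding, so they should be tracked, not gated on."""
    threshold = SEVERITY_RANK[min_severity]
    offenders = []
    for f in findings:
        severe = SEVERITY_RANK.get(f.severity, 0) >= threshold or f.cvss >= min_cvss
        if not severe:
            continue
        if fixable_only and f.fixed_in is None:
            continue
        offenders.append(f.cve)
    return bool(offenders), offenders


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    should_fail, bad = evaluate(parse_report(text))
    for f in parse_report(text):
        print(f"{f.cve} {f.severity} {f.cvss} {f.package} {f.version} fix={f.fixed_in}")
    print("REBUILD REQUIRED:" if should_fail else "clean under policy:", ", ".join(bad))
    sys.exit(1 if should_fail else 0)
```

On the two rows from the thread the default policy flags only CVE-2021-39537 (high, 8.80, fix available) and leaves CVE-2021-43618 (high, 7.50, no fix listed) unflagged; passing `fixable_only=False` flags both. A cron-driven CI job can pipe the scanner's report into this script and use its exit status to decide whether to kick off an image rebuild.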
