Docker Scout - Issues with dotnet (.NET) versioning and CVEs (RHEL) #211

@amills157

Description

Docker Scout Version: 1.19.0

Dockerfile for image scanned:

FROM registry.access.redhat.com/ubi8/ubi-minimal:8.8 as runtime

# Install dotnet runtime
RUN microdnf install -y --setopt=tsflags=nodocs "aspnetcore-runtime-8.0"

This pulls down the latest dotnet release - https://github.com/dotnet/core/blob/main/release-notes/8.0/README.md

[root@c641bf7f359d /]# dotnet info
The command could not be loaded, possibly because:
  * You intended to execute a .NET application:
      The application 'info' does not exist.
  * You intended to execute a .NET SDK command:
      No .NET SDKs were found.

Download a .NET SDK:
https://aka.ms/dotnet/download

Learn about SDK resolution:
https://aka.ms/dotnet/sdk-not-found
[root@c641bf7f359d /]# dotnet --info

Host:
  Version:      8.0.23
  Architecture: x64
  Commit:       c96cd11cb2
  RID:          rhel.8-x64

.NET SDKs installed:
  No SDKs were found.

.NET runtimes installed:
  Microsoft.AspNetCore.App 8.0.23 [/usr/lib64/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 8.0.23 [/usr/lib64/dotnet/shared/Microsoft.NETCore.App]

Other architectures found:
  None

Environment variables:
  DOTNET_ROOT       [/usr/lib64/dotnet]

global.json file:
  Not found

Learn more:
  https://aka.ms/dotnet/info

Download .NET:
  https://aka.ms/dotnet/download
[root@c641bf7f359d /]# rpm -qa | grep dotnet
dotnet-host-10.0.2-1.el8_10.x86_64
dotnet-hostfxr-8.0-8.0.23-1.el8_10.x86_64
dotnet-runtime-8.0-8.0.23-1.el8_10.x86_64

However, Docker Scout flags CVEs going as far back as 2024, linking them to the dotnet rpm package / runtime.

cat test.json | grep CVE-2024-43484
              "id": "CVE-2024-43484",
                "text": "CVE-2024-43484: "
              "helpUri": "https://scout.docker.com/v/CVE-2024-43484?s=redhat&n=dotnet8.0&ns=redhat&t=rpm&osn=redhatlinux&osv=8&vr=%3C8.0.110-1.el8_10",
          "ruleId": "CVE-2024-43484",
            "text": "Vulnerability    :CVE-2024-43484                                                             \nSeverity         :HIGH                                                                       \nPackage          :pkg:rpm/redhat/dotnet8.0@8.0.23-1.el8_10?os_name=redhatlinux&os_version=8  \nAffected range   :<8.0.110-1.el8_10                                                          \nFixed version    :8.0.110-1.el8_10                                                           \nCVSS Score       :7.5                                                                        \nCVSS Vector      :CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H                               \nEPSS Score       :0.012100                                                                   \nEPSS Percentile  :0.785560  

The above CVE, for example, was fixed in 8.0.1 (dotnet/announcements#328).

Some of the CVEs it seems to be incorrectly flagging:

dotnet/announcements#337
dotnet/announcements#338
dotnet/announcements#348
dotnet/announcements#356
dotnet/announcements#295
dotnet/announcements#291
dotnet/announcements#296
dotnet/announcements#307
dotnet/announcements#315
dotnet/announcements#314
dotnet/announcements#326
dotnet/announcements#327
dotnet/announcements#328
dotnet/announcements#329
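The matching behaviour described in this issue can be reproduced with the triage script below (an added example, not code from the issue author or from Docker Scout). SAMPLE_TEXT is reconstructed from the SARIF message quoted above, and rpmvercmp is a simplified reimplementation of rpm's version ordering, assumed here to be what the scanner applies: the script parses the Scout message, pulls the package version out of the purl, and re-evaluates the affected range, showing that 8.0.23-1.el8_10 sorts below 8.0.110-1.el8_10 in rpm ordering, which is why the range matches.

```python
import re
from itertools import zip_longest
# Constructed sample: the "text" field of one Docker Scout SARIF result, as quoted in the issue.
SAMPLE_TEXT = (
    "Vulnerability    :CVE-2024-43484\n"
    "Severity         :HIGH\n"
    "Package          :pkg:rpm/redhat/dotnet8.0@8.0.23-1.el8_10?os_name=redhatlinux&os_version=8\n"
    "Affected range   :<8.0.110-1.el8_10\n"
    "Fixed version    :8.0.110-1.el8_10\n"
)

def parse_finding(text):
    """Turn the 'Key   :Value' lines into a dict and pull name/version out of the purl."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    m = re.match(r"pkg:rpm/[^/]+/([^@]+)@([^?]+)", fields["Package"])
    fields["name"], fields["version"] = m.group(1), m.group(2)
    return fields

def rpmvercmp(a, b):
    """Simplified rpmvercmp: compare digit/alpha segments left to right; returns -1, 0 or 1."""
    for x, y in zip_longest(re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)):
        if x is None or y is None:            # the string with more segments sorts as newer
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():        # a numeric segment sorts newer than an alpha one
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return 0

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    (va, ra), (vb, rb) = ((s.split("-", 1) + [""])[:2] for s in (a, b))
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def in_affected_range(version, spec):
    """Evaluate a single-bound range such as '<8.0.110-1.el8_10' against an installed version."""
    op, bound = re.match(r"(<=|>=|<|>|=)?(.+)", spec).groups()
    c = evr_cmp(version, bound)
    return {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}.get(op, c == 0)

def triage(text):
    """Re-evaluate one Scout finding; True means rpm ordering puts the package inside the range."""
    f = parse_finding(text)
    return f["name"], f["version"], in_affected_range(f["version"], f["Affected range"])

if __name__ == "__main__":
    print(triage(SAMPLE_TEXT))  # ('dotnet8.0', '8.0.23-1.el8_10', True): 23 < 110 in rpm ordering
```

Feeding the script other entries from the same SARIF file shows which findings are matched purely by this ordering, which is the set worth raising with the scanner vendor rather than patching.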
