
Old fixed CVE vulnerabilities reported in Centos7.x while running vuls docker #1156

Closed
sanjay6976 opened this issue Jan 29, 2021 · 1 comment

Comments

@sanjay6976

I run a vuls scan every month on my CentOS 7.x based system using the vuls ctl docker. Until December 2020 the reports were aligned and reported properly.
While running from Jan 2021, I observed that older CVEs, as old as 2-3 years, for which the packages were fixed long back, are being reported as vulnerabilities.
One observation on one of the packages has been libtiff reporting old CVEs which are fixed in the setup.

Checking on other components

@kotakanbe
Member

kotakanbe commented Jan 30, 2021

Hi,

I couldn't reproduce it.
Please write a detailed description of how to reproduce it.

scan target server

[centos@ip-192-168-0-131 ~]$ cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[centos@ip-192-168-0-131 ~]$ rpm -qa | grep libtiff
libtiff-4.0.3-35.el7.x86_64
[centos@ip-192-168-0-131 ~]$ sudo yum check-update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: d36uatko69830t.cloudfront.net
 * extras: d36uatko69830t.cloudfront.net
 * updates: d36uatko69830t.cloudfront.net

goval

ubuntu@dev  ~│g│s│g│k│goval-dictionary  ⎇ master~  ./goval-dictionary -v
goval-dictionary v0.3.1 b0e8dc7
ubuntu@dev  ~│g│s│g│k│goval-dictionary  ⎇ master~  ./goval-dictionary fetch-redhat 7
INFO[01-30|09:23:03] Fetching...                              URL=https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2
INFO[01-30|09:23:04] Fetched...                               URL=https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2
INFO[01-30|09:23:04] Finished fetching OVAL definitions
INFO[01-30|09:23:05] Fetched                                  URL=https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 OVAL definitions=1221
INFO[01-30|09:23:05] Skip (Same Timestamp)                    Family=redhat Version=7
INFO[01-30|09:23:05] Finish                                   Updated=1221

vuls

 ✗  ubuntu@dev  ~│g│s│g│f│vuls  ⎇ master~  ./vuls -v
vuls v0.15.6 build-20210130_091707_39b1944
 ubuntu@dev  ~│g│s│g│f│vuls  ⎇ master~  ./vuls scan c7s
...snip...

Scan Summary
================
c7s     centos7.9.2009  308 installed, 0 updatable

 ubuntu@dev  ~│g│s│g│f│vuls  ⎇ master~  ./vuls report --ignore-unfixed
...snip...

c7s (centos7.9.2009)
====================
Total: 0 (Critical:0 High:0 Medium:0 Low:0 ?:0), 0/0 Fixed, 0 poc, 0 exploits, en: 0, ja: 0 alerts
308 installed, 0 updatable

No CVE-IDs are found in updatable packages.
308 installed, 0 updatable
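Whether a CVE from the Red Hat OVAL data should still be reported for an installed package comes down to an RPM EVR (epoch:version-release) comparison between the installed package and the fixed version the OVAL definition names. The following is an added example, not code from vuls or goval-dictionary: it ports rpm's rpmvercmp() to Python and applies it to the libtiff line from the `rpm -qa` output above; the fixed EVR `0:4.0.3-27.el7` is a constructed placeholder and not the real fix version of any RHSA.

```python
import re

INSTALLED, FIXED = "libtiff-4.0.3-35.el7.x86_64", "0:4.0.3-27.el7"  # FIXED is constructed, not a real RHSA value

def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators: anything that is not alphanumeric, '~' or '^'.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca, cb = a[i:i + 1], b[j:j + 1]
        if "~" in (ca, cb) and ca != cb:  # tilde (pre-release) sorts before everything
            return 1 if cb == "~" else -1
        if "^" in (ca, cb) and ca != cb:  # caret sorts after the bare base version only
            return (1 if cb == "^" else -1) if ca and cb else (1 if ca else -1)
        if ca and ca == cb and ca in "~^":  # same separator on both sides: step past it
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):  # one side exhausted: the side with segments left is newer
            break
        isnum = "0" <= ca <= "9"
        pat = "[0-9]" if isnum else "[A-Za-z]"  # compare runs of the same type
        sa = re.match(pat + "+", a[i:]).group()
        sb = re.match(pat + "*", b[j:]).group()
        i, j = i + len(sa), j + len(sb)
        if not sb:  # a numeric segment beats an alphabetic one
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    a_done, b_done = i >= len(a), j >= len(b)
    return 0 if a_done and b_done else (-1 if a_done else 1)

def split_evr(evr: str):
    """'0:4.0.3-27.el7' -> (0, '4.0.3', '27.el7'); a missing epoch counts as 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def is_fixed(installed_nvra: str, fixed_evr: str, epoch: int = 0) -> bool:
    # True when an `rpm -qa` line is at or above the OVAL fixed EVR. rpm -qa prints no epoch by default; pass it when the fix carries one.
    _name, version, release = installed_nvra.rpartition(".")[0].rsplit("-", 2)
    fe, fv, fr = split_evr(fixed_evr)
    rc = (epoch > fe) - (epoch < fe) or rpmvercmp(version, fv) or rpmvercmp(release, fr)
    return rc >= 0
```

If this comparison says the package is fixed but a scanner still lists the CVE, the discrepancy is in the OVAL data it fetched or in how it parsed the package, not in the version ordering itself.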
