TL;DR: The API returns vulnerabilities considered Low by Ubuntu (when I ask for High). Not sure if existing issues like #19 or #54 entirely cover this problem.
Let's say I query `/v1/vulnerabilities/CVE-2015-5277` to get a vulnerability's information. Answer:
```json
{
  "ID": "CVE-2015-5277",
  "Link": "https://security-tracker.debian.org/tracker/CVE-2015-5277",
  "Priority": "High",
  "Description": "The get_contents function in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) before 2.20 might allow local users to cause a denial of service (heap corruption) or gain privileges via a long line in the NSS files database.",
  "AffectedPackages": [
    {"OS": "debian:9", "Name": "glibc", "AllVersions": false, "BeforeVersion": "2.21-1"},
    {"OS": "debian:unstable", "Name": "glibc", "AllVersions": false, "BeforeVersion": "2.21-1"},
    {"OS": "ubuntu:14.04", "Name": "eglibc", "AllVersions": true, "BeforeVersion": ""},
    {"OS": "debian:8", "Name": "glibc", "AllVersions": true, "BeforeVersion": ""}
  ]
}
```
Both the `Link` and `Priority` fields are shown for Debian. The same vulnerability has a different priority in the Ubuntu CVE tracker. So the same vulnerability can be assigned different priorities by the different trackers.
When querying `/v1/layers/{ID}/vulnerabilities` with the default `minimumPriority` (High) using an image based on Ubuntu 14.04, the API will return vulnerabilities that are considered to have Low or Medium priority by the Ubuntu CVE tracker.
I am wondering if this behaviour has been chosen for simplicity, or if there is something I missed. It would be nice if the priority for a vulnerability reflected the OS on which our image is based.
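The mismatch described in this issue can be reproduced and worked around client-side. The following is an added example, not code from the Clair project or from the issue author: it takes the `/v1/vulnerabilities/CVE-2015-5277` record quoted above and filters it the way `/v1/layers/{ID}/vulnerabilities?minimumPriority=High` would, first with the single Debian-derived `Priority` (the behaviour reported here) and then with a per-distribution priority looked up for the image's OS. The per-distro table and the full ordering of priority names are constructed assumptions of the example; the issue only states that Ubuntu rates this CVE lower than Debian.

```python
import json

# Severity levels in increasing order. Only "Low", "Medium" and "High" appear
# in the issue; the remaining names and the overall order are an assumption
# of this example, not something the issue states.
PRIORITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]

# Response body of /v1/vulnerabilities/CVE-2015-5277, copied from the issue.
VULN_JSON = r'''
{"ID":"CVE-2015-5277",
 "Link":"https://security-tracker.debian.org/tracker/CVE-2015-5277",
 "Priority":"High",
 "Description":"The get_contents function in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) before 2.20 might allow local users to cause a denial of service (heap corruption) or gain privileges via a long line in the NSS files database.",
 "AffectedPackages":[
   {"OS":"debian:9","Name":"glibc","AllVersions":false,"BeforeVersion":"2.21-1"},
   {"OS":"debian:unstable","Name":"glibc","AllVersions":false,"BeforeVersion":"2.21-1"},
   {"OS":"ubuntu:14.04","Name":"eglibc","AllVersions":true,"BeforeVersion":""},
   {"OS":"debian:8","Name":"glibc","AllVersions":true,"BeforeVersion":""}]}
'''
VULN = json.loads(VULN_JSON)

# Constructed per-distribution priority table keyed by (OS, CVE id). The
# issue says the Ubuntu tracker rates this CVE lower than Debian does; the
# value "Low" is an assumption made here for illustration.
DISTRO_PRIORITIES = {("ubuntu:14.04", "CVE-2015-5277"): "Low"}


def rank(priority):
    """Numeric rank of a priority name; unrecognised names rank lowest."""
    try:
        return PRIORITY_ORDER.index(priority)
    except ValueError:
        return 0


def effective_priority(vuln, os_name, distro_priorities):
    """Priority that applies to `vuln` on `os_name`.

    Returns None when the record lists no affected package for that OS,
    otherwise the per-distro value if one exists, falling back to the
    record's single (Debian-derived) Priority field.
    """
    if not any(pkg["OS"] == os_name for pkg in vuln["AffectedPackages"]):
        return None
    return distro_priorities.get((os_name, vuln["ID"]), vuln["Priority"])


def filter_by_minimum_priority(vulns, os_name, minimum, distro_priorities):
    """Keep (ID, priority) pairs at or above `minimum` for the given OS.

    With an empty `distro_priorities` this behaves like the API as
    described in the issue: every OS is judged by the Debian priority.
    """
    kept = []
    for vuln in vulns:
        prio = effective_priority(vuln, os_name, distro_priorities)
        if prio is not None and rank(prio) >= rank(minimum):
            kept.append((vuln["ID"], prio))
    return kept


if __name__ == "__main__":
    for table_name, table in (("global priority only", {}),
                              ("per-distro priority", DISTRO_PRIORITIES)):
        for os_name in ("debian:8", "ubuntu:14.04"):
            result = filter_by_minimum_priority([VULN], os_name, "High", table)
            print(f"{table_name:22} {os_name:13} minimumPriority=High -> {result}")
```

Run stand-alone, the script shows the CVE surviving a `High` filter for `ubuntu:14.04` when only the global `Priority` is consulted, and dropping out once the Ubuntu-specific rating is used. A scanner front end can apply the same post-filter to `/v1/layers/{ID}/vulnerabilities` output until the API itself carries per-OS priorities.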
Yes, this is a known issue actually (which I consider major) and is basically tracked by #19. #54 will fix it as soon as it is released, along with other important features.