Missing docker image for 1.19.1 #1674

Open
parse opened this issue Apr 2, 2024 · 4 comments

Comments

@parse

parse commented Apr 2, 2024

  • terrascan version:
  • Operating System:

Description

The latest tag published at https://hub.docker.com/r/tenable/terrascan/tags is 1.18.11. It looks like the latest release published was 1.19.1. Can you publish this one as a Docker image as well?

Thanks

@nvuillam

Same here: MegaLinter is using the tenable:terrascan Docker image, and 1.18.11 contains CVEs:

┌────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-3817  │ CRITICAL │ fixed  │ v1.7.0            │ 1.7.4         │ HashiCorp\u2019s go-getter library is vulnerable to argument │
│                                │                │          │        │                   │               │ injection ...                                                │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-3817                    │
├────────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/moby/buildkit       │ CVE-2024-23652 │          │        │ v0.8.3            │ 0.12.5        │ moby/buildkit: possible host system access from mount stub   │
│                                │                │          │        │                   │               │ cleaner                                                      │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-23652                   │
│                                ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                                │ CVE-2024-23653 │          │        │                   │               │ moby/buildkit: Buildkit's interactive containers API does    │
│                                │                │          │        │                   │               │ not validate entitlements check                              │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-23653                   │
│                                ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│                                │ CVE-2024-23651 │ HIGH     │        │                   │               │ moby/buildkit: possible race condition with accessing        │
│                                │                │          │        │                   │               │ subpaths from cache mounts                                   │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-23651                   │
├────────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ helm.sh/helm/v3                │ CVE-2024-26147 │          │        │ v3.6.1            │ 3.14.2        │ helm: Missing YAML Content Leads To Panic                    │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-26147                   │
└─────────────────────

@nvuillam

@nmoretenable, could we please have an ETA for the published Docker image? :)

@choweiyuan

@nmoretenable Any updates on this? As mentioned by nvuillam, it would be beneficial to address this, as version 1.18.11 includes a CVE.

@nmoretenable
Contributor

We have published terrascan v1.19.9. Please check.
