Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-71169

Wrong severity when use StackRox Container Image Scanner 1.3.5

XMLWordPrintable

      Hi all,

      I did use StackRox Container Image Scanner 1.3.5 for scan image. Example scan nginx:latest image.

      When i run my pipeline it show me a StackRox Report
           stage('Scan Image') {
            steps {    
                script {
                    echo "Scan image"
                    stackrox (
                          apiToken: "${ROX_API_TOKEN}",
                          caCertPEM: '',
                          enableTLSVerification: false,
                          failOnCriticalPluginError: true,
                          failOnPolicyEvalFailure: true,
                          portalAddress: "${ROX_CENTRAL_ADDRESS}",
                          imageNames: "docker.io/nginx:latest"
                    )
                }
         

      I read vulnerabilities report and see some component have wrong severity.

      COMPONENT VERSION CVE FIXABLE SEVERITY CVSS SCORE SCORE TYPE LINK
      db5.3 5.3.28+dfsg1-0.8 CVE-2019-8457 LOW FALSE 9.8 V3 https://security-tracker.debian.org/tracker/CVE-2019-8457

       

      Same image, i did scan manually and see different result severity about db5.3 package.

       
      [root@runner ~]#  docker run e ROX_API_TOKEN=$ROX_API_TOKEN   -it quay.io/stackrox-io/roxctl   -e central-stackrox.apps.ocp.testvn.click:443  -insecure-skip-tls-verify  image scan --image docker.io/nginx:latest --output=table
      Scan results for image: docker.io/nginx:latest
      (TOTAL-COMPONENTS: 29, TOTAL-VULNERABILITIES: 64, LOW: 56, MODERATE: 0, IMPORTANT: 4, CRITICAL: 1)

      -------------------------------------------------------------------------------------------------------------------------

        COMPONENT          VERSION               CVE         SEVERITY                               LINK                            

      -------------------------------------------------------------------------------------------------------------------------

          db5.3       5.3.28+dfsg1-0.8      CVE-2019-8457   CRITICAL    https://security-tracker.debian.org/tracker/CVE-2019-8457  

      -------------------------------------------------------------------------------------------------------------------------
      As you see, it have severity critical. I think it is bug.
       

       

       

        1. stackrox.png
          63 kB
          Hoan
        2. stackrox2.png
          39 kB
          Hoan

            srox_plugin Stackrox Kubernetes Security
            hoanbc Hoan
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: