Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Missing docker image for 1.19.1 #1674

Open
parse opened this issue Apr 2, 2024 · 4 comments
Open

Missing docker image for 1.19.1 #1674

parse opened this issue Apr 2, 2024 · 4 comments

Comments

@parse
Copy link

parse commented Apr 2, 2024

  • terrascan version:
  • Operating System:

Description

The latest tag published at https://hub.docker.com/r/tenable/terrascan/tags is 1.18.11. It looks like the latest release published was 1.19.1. Can you publish this one as a Docker image as well?

Thanks

@nvuillam
Copy link

Same here, MegaLinter is using tenable:terrascan docker image, and 1.18.11 contains CVEs

┌────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-3817  │ CRITICAL │ fixed  │ v1.7.0            │ 1.7.4         │ HashiCorp\u2019s go-getter library is vulnerable to argument │
│                                │                │          │        │                   │               │ injection ...                                                │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-3817                    │
├────────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/moby/buildkit       │ CVE-2024-23652 │          │        │ v0.8.3            │ 0.12.5        │ moby/buildkit: possible host system access from mount stub   │
│                                │                │          │        │                   │               │ cleaner                                                      │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-23652                   │
│                                ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                                │ CVE-2024-23653 │          │        │                   │               │ moby/buildkit: Buildkit's interactive containers API does    │
│                                │                │          │        │                   │               │ not validate entitlements check                              │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-23653                   │
│                                ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│                                │ CVE-2024-23651 │ HIGH     │        │                   │               │ moby/buildkit: possible race condition with accessing        │
│                                │                │          │        │                   │               │ subpaths from cache mounts                                   │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-23651                   │
├────────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ helm.sh/helm/v3                │ CVE-2024-26147 │          │        │ v3.6.1            │ 3.14.2        │ helm: Missing YAML Content Leads To Panic                    │
│                                │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-26147                   │
└─────────────────────

@nvuillam
Copy link

@nmoretenable please could we have an ETA for the published docker image ? :)

@choweiyuan
Copy link

@nmoretenable Any updates on this? As mentioned by nvuillam it would be beneficial to address this as version 1.18.11 includes a CVE.

@nmoretenable
Copy link
Contributor

We have published terrascan v1.19.9. Please check.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants