Docker Scout CVEs have incorrect severity levels for base Microsoft .NET docker images
I'm trying to understand what's wrong with security for base Microsoft aspnet docker images, like mcr.microsoft.com/dotnet/aspnet:6.0 or aspnet:6.0-bookworm-slim.
I pulled actual images and got information by docker scout that they have only LOW severity cve:
> docker scout quickview mcr.microsoft.com/dotnet/aspnet:6.0-bookworm-slim
Your image mcr.microsoft.com/dotnet/aspnet:6.0-bookworm-slim │ 0C 0H 0M 20L
But if you look on it more precisely:
> docker scout cves mcr.microsoft.com/dotnet/aspnet:6.0-bookworm-slim
you can find cve like:
0C 0H 0M 2L perl 5.36.0-7
pkg:deb/debian/perl@5.36.0-7?os_distro=bookworm&os_name=debian&os_version=12
x LOW CVE-2023-31486
https://scout.docker.com/v/CVE-2023-31486
Affected range : >=5.36.0-7
Fixed version : not fixed
x LOW CVE-2011-4116
https://scout.docker.com/v/CVE-2011-4116
Affected range : >=5.36.0-7
Fixed version : not fixed
And finally when you go to page of CVE-2023-31486 https://scout.docker.com/vulnerabilities/id/CVE-2023-31486?utm_source=desktop&utm_medium=ExternalLink
you will see on nist (This is our recommended source for this CVE), that this CVE has score 8.1 and severity HIGH!
And there're lots of such CVEs with HIGH severity in these official base images for aspnet runtime apps.
My first question, why Docker Scout is confusing with absolutely wrong level of cves in its report? And my second question, what is the best practice of using base Microsoft images for .net apps? Should I create custom image with updated components? Or maybe I should use only alpine images?
The image in your example is based on Debian Bookworm. Docker Scout prefers severities and scoring from vendors and security research teams of Linux distributions.
Hence in your concrete example, CVE-2023-31486 is marked HIGH on NIST but deemed 'unimportant' on https://security-tracker.debian.org/tracker/CVE-2023-31486.
Let me know if that helps,
cd
- What are the technical differences between Cassini and IIS for a development environment?
- Hide new folder option in telerik editor file uploading
- Update asp.net WebService reference from wsdl file?
- How do I access HTML elements from ASP.NET MVC's .cshtml files?
- Automatically detect minification failures in ASP.NET MVC bundling
- Visual Studio Opens Blank Browser Page
- Aspire.StackExchange.Redis.OutputCaching cors error for cache data
- ASP.NET 5: How to reload strongly typed configuration on change
- Using a date picker on a BoundField DataField
- How to prevent HTTP GET for ASP.NET events? or How to check for Request.Type on all events?
- How to debug this issue with MapRequestHandler, ASP.NET and the cookieless config
- How to pass ODataQueryOptions to Mediator while allowing input for OData queries only in Swagger?
- Alachisoft Ncache configuration issues
- How to reduce size of label in Mudblazor checkbox and radio button?
- ASP.NET controls cannot be referenced in code-behind in Visual Studio 2008
- How to set the page title and meta info in a view in ASP.NET MVC
- C# How to post an entity with a file as form-data from HttpClient to API?
- Adding reference to another project from visual studio code
- Using GridView inside UpdatePanel
- The client and server cannot communicate, because they do not possess a common algorithm - ASP.NET C# VB Visual Basic IIS TLS 1.0 / 1.1 / 1.2
- ASP.NET Required Field Validator not working
- Display FullName on DropdownListFor but submit Id - ASP.NET MVC C#
- What is equivalent of HostingEnvironment.ShutdownReason in ASP.NET Core?
- How to get a .Net Framework SignalR client to connect to .Net Core SignalR Server?
- Windows Azure or Amazon EC2 for ASP.NET MVC Development?
- Untrusted Certificate Error when connecting to SQL Server running in Docker from .NET 7 API in VS2022
- Finding controls inside nested master pages
- Why is my ASP.NET application throwing a ThreadAbortException?
- The name `addtaghelper` does not exist in the current context
- DataSet Value in Jquery C#