False positive vulnerabilities reported #11097

@kropiwnickij

Description

Dear Team,

After a detailed investigation of the Docker container vulnerabilities reported under microsoft/openjdk-docker#113, it appears that the ones with critical and high severity were actually detected against the krb5 package, and are in fact resolved.

When we look at the discovered CVE https://nvd.nist.gov/vuln/detail/cve-2024-37371, NVD provides the solution as a higher version, as mentioned: "In MIT Kerberos 5 (aka krb5) before 1.21.3".

When we check the details, this specific CVE has already been resolved in the patches mentioned by @d3r3kk in microsoft/openjdk-docker#113 (comment).

The challenge is that security scanners compare the package version from NVD:

Known Affected Software Configurations
Up to (excluding)
1.21.3

to the system-level package version; hence this CVE is still discovered, because Mariner used a "patched release", not the version, to resolve the issue:

Version : 1.19.4
Release : 3.cm2

Is this approach of having custom release versions of system packages a standard approach for Mariner, or can we expect Mariner to soon have the krb5 version bumped to align with the official one, which has this CVE resolved?

We are trying to understand how to investigate container security reports without custom rules for Mariner-based images for each CVE that is fixed but cannot be automatically discovered.

Regards
Jan
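The mismatch described in the issue, as an added example that is not part of the original issue or of any Mariner or scanner code: a version-only check against NVD's "up to (excluding) 1.21.3" bound flags krb5 1.19.4 regardless of the distro release, while an EVR (epoch-version-release) comparison against a distro security feed recognises the backported fix. The NVD bound and the `1.19.4` / `3.cm2` build come from the issue text; the feed that maps the CVE to that exact build is constructed for the example and is not real Mariner advisory data.

```python
import re
from dataclasses import dataclass

# Constructed sample data for this example; not a real NVD or Mariner feed.
# NVD "Known Affected Software Configurations" for the CVE named in the issue:
NVD_AFFECTED = {
    "CVE-2024-37371": {"product": "krb5", "up_to_excluding": "1.21.3"},
}

# Hypothetical distro security feed ("the fix was backported into this build").
# Version and release are the ones quoted in the issue; that this exact build
# carries the fix is an assumption made for the example.
DISTRO_FIXED_IN = {
    "CVE-2024-37371": {"package": "krb5", "evr": "0:1.19.4-3.cm2"},
}


@dataclass(frozen=True)
class Evr:
    """Epoch, version and release, the three parts of an RPM package version."""
    epoch: int
    version: str
    release: str


def parse_evr(text: str) -> Evr:
    """Parse '[epoch:]version-release' as printed by rpm/tdnf."""
    epoch = 0
    if ":" in text:
        e, text = text.split(":", 1)
        epoch = int(e)
    version, _, release = text.partition("-")
    return Evr(epoch, version, release)


def segcmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: compare alternating numeric/alpha segments.
    Returns -1, 0 or 1 like a C comparator."""
    ta = re.findall(r"\d+|[A-Za-z]+", a)
    tb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment sorts as newer
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))


def evrcmp(a: Evr, b: Evr) -> int:
    """Full comparison: epoch first, then version, then release."""
    if a.epoch != b.epoch:
        return 1 if a.epoch > b.epoch else -1
    c = segcmp(a.version, b.version)
    return c if c else segcmp(a.release, b.release)


def naive_scan(installed: Evr, cve: str) -> bool:
    """What the issue describes: compare the upstream version to NVD's
    'up to (excluding)' bound and ignore the distro release entirely."""
    bound = NVD_AFFECTED[cve]["up_to_excluding"]
    return segcmp(installed.version, bound) < 0


def distro_aware_scan(package: str, installed: Evr, cve: str) -> bool:
    """Consult the distro feed first: if the installed EVR is at or past the
    build that carries the backported fix, the CVE is not present, whatever
    the upstream version number says. Fall back to the NVD bound otherwise."""
    fix = DISTRO_FIXED_IN.get(cve)
    if fix and fix["package"] == package:
        return evrcmp(installed, parse_evr(fix["evr"])) < 0
    return naive_scan(installed, cve)


def classify(package: str, installed: str, cve: str) -> str:
    """Label the finding the way a triage report would."""
    evr = parse_evr(installed)
    naive = naive_scan(evr, cve)
    aware = distro_aware_scan(package, evr, cve)
    if naive and not aware:
        return "false positive: fixed by backported release"
    return "vulnerable" if aware else "not affected"


if __name__ == "__main__":
    for build in ("1.19.4-3.cm2", "1.19.4-2.cm2", "1.21.3-1.cm2"):
        print(f"krb5 {build}: {classify('krb5', build, 'CVE-2024-37371')}")
```

Run as-is, the three sample builds come out as "false positive: fixed by backported release", "vulnerable" and "not affected" respectively. The design point is that the release segment (`3.cm2`) only carries meaning when the scanner has a distro-specific feed to compare it against; without that feed, every backported fix degrades to the naive branch and reproduces the report in this issue.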

Labels: question (Further information is requested)