Has there been any discussion of attributing the source of the vulnerability to how/where it was added to the image?
As I have been tracking back the source of vulnerabilities so I know where to fix the issue, I have found it can be hard to know where it was installed from.
An example would be to help determine whether a vulnerability existed in the base (FROM) image or was added somewhere by a RUN command, such as being pulled in as a dependency of something else. If I didn't install curl in an image, was it installed because it was in the FROM image, or did installing packagex have it as a dependency?
We have the layer digest. How hard would it be to attribute that layer to the command and then to the Dockerfile line?
Labels: kind/feature, lifecycle/frozen, triage/discuss
This discussion was converted from issue #640 on May 15, 2023 13:50.
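One way to do the attribution the post asks for, as an added example that is not code from the original post or from the project: walk the image config's `history` alongside `rootfs.diff_ids` (skipping `empty_layer` entries) so each filesystem layer maps to the instruction that created it, and treat the FROM image's own diff_ids, which are a prefix of the derived image's, as the base/build boundary. The config JSON shape is the OCI/Docker v2 one; the sample config, digests and base-image diff_ids below are constructed, and the base image's diff_ids are assumed to have been obtained by inspecting that image separately.

```python
from typing import Dict, List, Optional

# Constructed sample image config (OCI / Docker v2 shape), not a real image.
SAMPLE_CONFIG = {
    "rootfs": {"type": "layers", "diff_ids": [
        "sha256:aaaa",  # base image layer 1 (rootfs ADD)
        "sha256:bbbb",  # base image layer 2 (base image's own apt install)
        "sha256:cccc",  # this build: RUN apt-get install packagex
    ]},
    "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:deadbeef in / "},
        {"created_by": "/bin/sh -c #(nop)  CMD [\"bash\"]", "empty_layer": True},
        {"created_by": "/bin/sh -c apt-get update && apt-get install -y curl"},
        {"created_by": "RUN /bin/sh -c apt-get install -y packagex # buildkit"},
        {"created_by": "CMD [\"packagex\"]", "empty_layer": True},
    ],
}
# diff_ids of the FROM image, assumed to come from inspecting that image itself.
SAMPLE_BASE_DIFF_IDS = ["sha256:aaaa", "sha256:bbbb"]


def layer_origins(config: dict, base_diff_ids: List[str]) -> List[Dict[str, str]]:
    """Pair every filesystem layer with the history entry that created it.

    Entries marked empty_layer (ENV, CMD, LABEL, ...) add no layer and are
    skipped; the remaining entries line up one-to-one with rootfs.diff_ids.
    Layers inside the base image's diff_id prefix are tagged "base", the
    rest "build" (i.e. added by this Dockerfile's own instructions).
    """
    diff_ids = config["rootfs"]["diff_ids"]
    non_empty = [h for h in config["history"] if not h.get("empty_layer")]
    if len(non_empty) != len(diff_ids):
        raise ValueError("history and diff_ids disagree; cannot attribute layers")
    if diff_ids[: len(base_diff_ids)] != base_diff_ids:
        raise ValueError("base image layers are not a prefix of this image")
    origins = []
    for i, (diff_id, entry) in enumerate(zip(diff_ids, non_empty)):
        origins.append({
            "diff_id": diff_id,
            "created_by": entry["created_by"],
            "origin": "base" if i < len(base_diff_ids) else "build",
        })
    return origins


def attribute(config: dict, base_diff_ids: List[str], diff_id: str) -> Optional[Dict[str, str]]:
    """Resolve a scanner-reported layer diff_id to its instruction and origin."""
    for layer in layer_origins(config, base_diff_ids):
        if layer["diff_id"] == diff_id:
            return layer
    return None  # the finding's layer is not part of this image
```

With a scanner finding that names layer `sha256:bbbb`, `attribute` returns the base image's `apt-get install -y curl` entry tagged `base`, which answers the "was curl in the FROM image" question; a `build` result points at the RUN line in your own Dockerfile.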