Question

I observed that, for image

The bash image uses an alpine image with the following digest:

Dockerfile of the specified bash image for reference

In that case, I assume trivy doesn't list the vulnerabilities that are removed on later layers. When I experiment manually with a Dockerfile I created myself, even if I remove the vulnerable package on the same layer, trivy still lists the vulnerability:

json-schema prior to version 0.4.0 has critical CVE-2021-3918, and it is listed on the image built with the Dockerfile above. The base image node:14 scan does not include the vulnerability, so it is not inherited either. I'd appreciate it if you can explain the reason for this behaviour. Thanks!

Target: Container Image
Scanner: Vulnerability
Output Format: None
Mode: None
Operating System: No response
Version: 0.46.1
Replies: 1 comment 2 replies
json-schema is not removed from node_modules after
I think you need
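An added example, not part of the original discussion: a check for leftover copies of a package under node_modules in an unpacked image filesystem, which is the situation the reply describes. It assumes the scanner reports Node packages from the package.json files it finds under node_modules; the function names and the sample tree are constructed for illustration.

```python
import json
import os
import tempfile

def find_package_copies(rootfs, name):
    """Return sorted (relative_dir, version) for every installed copy of `name`."""
    hits = []
    for dirpath, _dirs, files in os.walk(rootfs):
        rel = os.path.relpath(dirpath, rootfs)
        # Only directories below a node_modules folder count as installed packages.
        if "package.json" not in files or "node_modules" not in rel.split(os.sep):
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if isinstance(meta, dict) and meta.get("name") == name:
            hits.append((rel, str(meta.get("version", "0"))))
    return sorted(hits)

def version_tuple(version):
    """Numeric x.y.z comparison key; pre-release suffixes are ignored (assumption)."""
    core = version.split("-")[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))

def affected_copies(rootfs, name, fixed):
    """Copies of `name` whose version is below `fixed`."""
    return [(p, v) for p, v in find_package_copies(rootfs, name)
            if version_tuple(v) < version_tuple(fixed)]

def build_sample_rootfs():
    """Constructed sample: the top-level copy is upgraded, a nested copy is left behind."""
    root = tempfile.mkdtemp()
    layout = {
        "app/node_modules/json-schema": {"name": "json-schema", "version": "0.4.0"},
        "app/node_modules/jsprim": {"name": "jsprim", "version": "1.4.1"},
        "app/node_modules/jsprim/node_modules/json-schema":
            {"name": "json-schema", "version": "0.2.3"},
    }
    for rel, meta in layout.items():
        target = os.path.join(root, *rel.split("/"))
        os.makedirs(target, exist_ok=True)
        with open(os.path.join(target, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return root

if __name__ == "__main__":
    # 0.4.0 is the fixed version stated in the question for CVE-2021-3918.
    for path, version in affected_copies(build_sample_rootfs(), "json-schema", "0.4.0"):
        print(f"{path}: json-schema {version}")
```

Pointed at a root filesystem unpacked from `docker export`, an empty result means no copy below the fixed version remains in the final image.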