I have recently noticed that there are false positives in the Amazon Linux 2018.3 official image. When checking the package changelog for bash I see that fixes for the CVEs have been applied via backporting, but they are still listed as vulnerabilities. It seems that the scanner only checks the package version, which wouldn’t show that fixes have been applied. I assume that this will be an issue for all images and packages, or at least the RHEL-based ones?
This means that there are more vulnerabilities listed than actually exist in the image. I know backporting doesn’t help the matter, as fixes are applied but the package version doesn’t change. Also, some CVEs aren’t addressed because the fixes were deemed not required, but there is nothing in the changelog for the package.
The version of Bash that is installed is bash-4.2.46-28.37.amzn1.x86_64
Here is the changelog for the package.
rpm -q --changelog bash | grep CVE
CVE-2016-9401 - Fix crash when ‘-’ is passed as second sign to popd
CVE-2016-7543: Fix for arbitrary code execution via SHELLOPTS+PS4 variables
CVE-2016-0634: Fix for arbitrary code execution via malicious hostname
Added two remaining patches to fix CVE 2014-7169 (variables-affix & parser-oob)
Added patch eol-pushback.patch, fixes CVE-2014-7169
apply patch for CVE-2014-6271
This shows which CVEs have been fixed, but they are still being shown as vulnerabilities in the scanner.
This is the link that shows the vulnerabilities in my example.
I have also tried to report the false positives to Docker using the method described in this article, but I get an error when trying, and I can’t find another way to contact their support team.
Will Docker be doing anything to address this issue with the Scanner?
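As an added example (not part of the original post or Docker's scanner), the triage step described above can be automated: pull CVE ids out of `rpm -q --changelog` output and split a scanner's findings into those with changelog evidence of a backport and those that still need review. It assumes the changelog shape shown in the post, including the "CVE 2014-7169" spelling without a hyphen, and uses the post's own changelog lines as constructed sample input.

```python
import re
import subprocess
from typing import Iterable

# Matches "CVE-2016-0634" and the looser "CVE 2014-7169" form that appears
# in real changelog entries (one such line is in the bash changelog above).
CVE_RE = re.compile(r"CVE[-\s]?(\d{4})[-\s](\d{4,})", re.IGNORECASE)


def cves_in_changelog(changelog_text: str) -> set[str]:
    """Return the normalised set of CVE ids mentioned anywhere in a changelog."""
    return {f"CVE-{year}-{num}" for year, num in CVE_RE.findall(changelog_text)}


def rpm_changelog(package: str) -> str:
    """Run `rpm -q --changelog <package>` on an RPM-based host (needs rpm installed)."""
    proc = subprocess.run(["rpm", "-q", "--changelog", package],
                          check=True, capture_output=True, text=True)
    return proc.stdout


def triage(scanner_findings: Iterable[str], changelog_text: str) -> dict[str, list[str]]:
    """Bucket scanner findings by whether the changelog mentions the CVE.

    A mention is evidence of a backported fix, not proof: a CVE the vendor
    judged not applicable may be absent from the changelog, so the
    'needs_review' bucket still has to be checked by hand.
    """
    fixed = cves_in_changelog(changelog_text)
    result: dict[str, list[str]] = {"likely_backported": [], "needs_review": []}
    for cve in scanner_findings:
        cve = cve.strip().upper()
        result["likely_backported" if cve in fixed else "needs_review"].append(cve)
    return result


# Constructed sample: the changelog lines quoted in the post.
SAMPLE_CHANGELOG = """\
CVE-2016-9401 - Fix crash when '-' is passed as second sign to popd
CVE-2016-7543: Fix for arbitrary code execution via SHELLOPTS+PS4 variables
CVE-2016-0634: Fix for arbitrary code execution via malicious hostname
Added two remaining patches to fix CVE 2014-7169 (variables-affix & parser-oob)
Added patch eol-pushback.patch, fixes CVE-2014-7169
apply patch for CVE-2014-6271
"""

# Constructed sample scanner output; CVE-0000-0001 is a placeholder, not a real CVE.
SAMPLE_FINDINGS = ["CVE-2016-0634", "CVE-2014-7169", "CVE-2016-7543", "CVE-0000-0001"]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_FINDINGS, SAMPLE_CHANGELOG).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

On a live host, replace `SAMPLE_CHANGELOG` with `rpm_changelog("bash")` and feed in the scanner's CVE list for that package.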