Docker Community Forums


Interpreting Docker vulnerability scan results

Hi, I'm a new member of the forum and new to Docker. I just wanted to ask if anyone could help me understand the security scanning process at a high level.

I'm using the latest build of Oracle Linux (https://hub.docker.com/_/oraclelinux). That includes the Curl library (curl 7.29.0-51.0.1.el7_6.3) and, according to the Oracle Linux errata, should include fixes for known Curl CVEs, including for example https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619. However, the Docker Scan still shows it as having that vulnerability.

My question is, does the result of the scan indicate that the build is missing that CVE fix, or that the fix itself is invalid in some way?

Many Thanks,
Simon
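One practical way to investigate a hit like this, as an added example that is not part of the original post or of any Docker or Oracle tooling: a distro package such as curl 7.29.0-51.0.1.el7_6.3 keeps the old upstream version number while the vendor backports the security fix into the package release, so a scanner that only compares the upstream version (7.29.0) against the release where the fix landed upstream will flag the package even when the fix is present. The script below shows both views side by side. The changelog text is constructed for the example, the upstream fixed-in version 7.51.0 is an assumption you should confirm against the curl advisory for the CVE, and the function names are mine.

```shell
#!/bin/sh
# Added example: compare a naive upstream-version check with a changelog
# (backport) check for a distro curl package. Nothing here is Docker Scan's
# own logic; it illustrates why such a report can be a false positive.

# CONSTRUCTED sample changelog, in the shape of `rpm -q --changelog curl`
# output. The entries are assumptions made up for this example.
SAMPLE_CHANGELOG='* Tue Nov 08 2016 Example Maintainer <maint@example.invalid> - 7.29.0-51.0.1.el7_6.3
- backport fix for CVE-2016-8619 (assumed entry)
- backport fix for CVE-2016-8615 (assumed entry)'

# version_lt A B: return 0 if dotted version A is lower than B (numeric fields).
version_lt() {
    va="$1"; vb="$2"
    while [ -n "$va" ] || [ -n "$vb" ]; do
        fa="${va%%.*}"; fb="${vb%%.*}"
        [ -z "$fa" ] && fa=0
        [ -z "$fb" ] && fb=0
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
        case "$va" in *.*) va="${va#*.}" ;; *) va="" ;; esac
        case "$vb" in *.*) vb="${vb#*.}" ;; *) vb="" ;; esac
    done
    return 1
}

# naive_version_flags PKGVER FIXEDVER: what an upstream-version-only scanner
# effectively does. Strips the distro release suffix (everything after the
# first '-') and returns 0 ("vulnerable") if the upstream part is older.
naive_version_flags() {
    upstream="${1%%-*}"
    version_lt "$upstream" "$2"
}

# changelog_mentions_cve CHANGELOG CVEID: backport check. Returns 0 if the
# package changelog names the CVE, which is how RPM vendors usually record
# a backported security fix.
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -qiF -- "$2"
}

# classify_hit PKGVER FIXEDVER CVEID CHANGELOG: prints one verdict string.
classify_hit() {
    if changelog_mentions_cve "$4" "$3"; then
        echo "backported-fix-present"
    elif naive_version_flags "$1" "$2"; then
        echo "upstream-version-older"
    else
        echo "not-flagged"
    fi
}

# Stand-alone demonstration with the constructed sample.
if [ "${DEMO:-1}" = "1" ]; then
    echo "curl 7.29.0-51.0.1.el7_6.3 vs CVE-2016-8619: $(classify_hit \
        '7.29.0-51.0.1.el7_6.3' '7.51.0' 'CVE-2016-8619' "$SAMPLE_CHANGELOG")"
fi
```

Inside the actual container the two inputs come from `rpm -q curl` (the package version) and `rpm -q --changelog curl` (the changelog to search for the CVE id); a scanner verdict that disagrees with a changelog entry for the same CVE usually points at upstream-version matching rather than at a missing or invalid fix, and the Oracle errata for that package release is the authoritative confirmation.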