Trivy did not report on PYSEC-2023-135 #5778
donnieelmore
started this conversation in
False Detection
Replies: 1 comment
-
Hello @donnieelmore
Is your CI using the latest trivy-db? I can correctly find:
➜ trivy -d image quay.io/ansible/awx-ee@sha256:8e342ee7fe0d1b413a0ca24f45a1d29f0bf31829cbcd90104175c086cfa5a3e9 | grep "certifi"
...
│ certifi (METADATA) │ CVE-2023-37920 │ HIGH │ fixed │ 2023.5.7 │ 2023.7.22 │ python-certifi: Removal of e-Tugra root certificate │
-
IDs
Trivy did not report on PYSEC-2023-135
Description
Summary
We had been using the awx-ee container available on quay and were pinned to the following version: https://quay.io/repository/ansible/awx-ee/manifest/sha256:8e342ee7fe0d1b413a0ca24f45a1d29f0bf31829cbcd90104175c086cfa5a3e9?tab=vulnerabilities
The "PYSEC-2023-135" CVE was not showing in Trivy results run via GitLab CI.
Not a new finding but more concerned that this finding was not found.
Reproduction Steps
Ran trivy scanning on https://quay.io/repository/ansible/awx-ee/manifest/sha256:8e342ee7fe0d1b413a0ca24f45a1d29f0bf31829cbcd90104175c086cfa5a3e9?tab=vulnerabilities via GitLab CI and the vulnerability was not reported.
Target
Container Image
Scanner
Vulnerability
Target OS
CentOS Stream
Debug Output
Version
Checklist
-f json that shows data sources and confirmed that the security advisory in data sources was correct
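The checklist item above (run Trivy with -f json and confirm the data source) and the reply's question about a stale trivy-db are the two checks a CI owner would script before filing a false-negative report. The following is an added example for this discussion, not Trivy's or the reporter's code. It assumes the report shape of `trivy image -f json` (Results[].Vulnerabilities[] with VulnerabilityID, PkgName and a DataSource object), assumes the cache's db/metadata.json carries a NextUpdate timestamp, and assumes PYSEC-2023-135 is the PyPA alias of CVE-2023-37920, which is how the reply's grep output names the certifi advisory. The embedded report and metadata are constructed samples, not real scan results.

```python
"""Check a Trivy JSON report for expected advisories (including aliases)
and flag a stale local vulnerability DB.

Added example for this discussion; not Trivy's own code. The report and
metadata below are constructed samples shaped like Trivy output, not real
scan results (assumption: these are the field names Trivy uses).
"""
import json
from datetime import datetime

# Alias table: identifiers that name the same advisory. Treating the PYSEC id
# from the discussion as an alias of the CVE id Trivy reports is an assumption.
ALIASES = {
    "PYSEC-2023-135": {"CVE-2023-37920"},
}

# Constructed fragment in the shape of `trivy image -f json` output.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "quay.io/ansible/awx-ee@sha256:8e342ee7fe0d1b413a0ca24f45a1d29f0bf31829cbcd90104175c086cfa5a3e9",
    "Results": [
        {
            "Target": "Python",
            "Class": "lang-pkgs",
            "Type": "python-pkg",
            "Vulnerabilities": [
                {
                    "VulnerabilityID": "CVE-2023-37920",
                    "PkgName": "certifi",
                    "InstalledVersion": "2023.5.7",
                    "FixedVersion": "2023.7.22",
                    "Severity": "HIGH",
                    # Constructed data-source entry; the URL is a placeholder.
                    "DataSource": {"ID": "ghsa", "Name": "GitHub Security Advisory pip",
                                   "URL": "https://example.invalid/placeholder"},
                }
            ],
        }
    ],
})

# Constructed sample of the cache's db/metadata.json (field names assumed).
SAMPLE_DB_METADATA = json.dumps({
    "Version": 2,
    "NextUpdate": "2023-12-01T06:00:00Z",
    "UpdatedAt": "2023-11-30T23:59:00Z",
    "DownloadedAt": "2023-11-30T23:59:30Z",
})


def expand(advisory_id):
    """Return the advisory id plus every alias known for it, in both directions."""
    ids = {advisory_id}
    for key, vals in ALIASES.items():
        if advisory_id == key or advisory_id in vals:
            ids.add(key)
            ids.update(vals)
    return ids


def find_advisories(report_json, expected_ids):
    """Map each expected id to the findings that match it (possibly under an alias)."""
    report = json.loads(report_json)
    found = {aid: [] for aid in expected_ids}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            vid = vuln.get("VulnerabilityID", "")
            for aid in expected_ids:
                if vid in expand(aid):
                    found[aid].append({
                        "reported_as": vid,
                        "package": vuln.get("PkgName"),
                        "installed": vuln.get("InstalledVersion"),
                        "fixed": vuln.get("FixedVersion"),
                        # Which feed the advisory came from: this is what the
                        # checklist asks you to confirm before reporting a miss.
                        "source": (vuln.get("DataSource") or {}).get("Name"),
                    })
    return found


def missing_advisories(report_json, expected_ids):
    """Expected ids with no match in the report, even after alias expansion."""
    hits = find_advisories(report_json, expected_ids)
    return sorted(aid for aid, matches in hits.items() if not matches)


def _parse_ts(value):
    # datetime.fromisoformat only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def db_is_stale(metadata_json, now_iso):
    """True when the DB's scheduled NextUpdate has already passed at now_iso."""
    meta = json.loads(metadata_json)
    return _parse_ts(now_iso) >= _parse_ts(meta["NextUpdate"])


if __name__ == "__main__":
    print(json.dumps(find_advisories(SAMPLE_REPORT, ["PYSEC-2023-135"]), indent=2))
    print("missing:", missing_advisories(SAMPLE_REPORT, ["PYSEC-2023-135"]))
    print("db stale:", db_is_stale(SAMPLE_DB_METADATA, "2023-12-02T00:00:00Z"))
```

In a pipeline you would feed the real `trivy image -f json` output and the cache's metadata file to these functions instead of the constructed samples; a miss that disappears after alias expansion means the advisory was present under a different id, and a stale DB means the scan should be rerun before the result is trusted.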