This should never happen. The scanners are reporting false positives (in part) due to stale dependencies.
This has been reported multiple times. I'm starting a new tracking issue. There are lots of scanners. I'm using Docker Scout because it is easy for me to use. Nice product!
.NET SDK 8.0.203 image:
There are a mixture of .NET SDK, PowerShell (due to .NET dependencies), and Debian CVEs.
.NET SDK 8.0.300-preview.24201.7 (from https://github.com/dotnet/installer?tab=readme-ov-file#table):
A number of the (false positive) .NET CVEs are resolved in 8.0.300, which should be released in May.
Outstanding issues:
- CVE-2023-29331
- System.Security.Cryptography.Pkcs 7.0.0
/usr/share/dotnet/sdk/8.0.300-preview.24201.7/DotnetTools/dotnet-watch/8.0.300-preview.24201.10/tools/net8.0/any/BuildHost-netcore/Microsoft.CodeAnalysis.Workspaces.MSBuild.BuildHost.deps.json
- CVE-2024-0057
- NuGet.Packaging 6.7.0.127
/usr/share/powershell/.store/powershell.linux.x64/7.4.1/powershell.linux.x64/7.4.1/tools/net8.0/any/Modules/Microsoft.PowerShell.PSResourceGet/dependencies/NuGet.Packaging.dll/usr/share/powershell/.store/powershell.linux.x64/7.4.1/powershell.linux.x64/7.4.1/tools/net8.0/any/Modules/Microsoft.PowerShell.PSResourceGet/_manifest/spdx_2.2/manifest.spdx.json
- CVE-2024-0056
- System.Data.SqlClient 4.8.5
/usr/share/powershell/.store/powershell.linux.x64/7.4.1/powershell.linux.x64/7.4.1/tools/net8.0/any/Modules/PSReadLine/_manifest/spdx_2.2/manifest.spdx.json
The remaining Debian issues are low severity and have a mix of fix available and not at the time of writing:
The CVE with a fix available should be resolved the next time we rebuild our Debian images.
This should never happen. The scanners are reporting false positives (in part) due to stale dependencies.
This has been reported multiple times. I'm starting a new tracking issue. There are lots of scanners. I'm using Docker Scout because it is easy for me to use. Nice product!
.NET SDK 8.0.203 image:
There are a mixture of .NET SDK, PowerShell (due to .NET dependencies), and Debian CVEs.
.NET SDK 8.0.300-preview.24201.7 (from https://github.com/dotnet/installer?tab=readme-ov-file#table):
A number of the (false positive) .NET CVEs are resolved in 8.0.300, which should be released in May.
Outstanding issues:
/usr/share/dotnet/sdk/8.0.300-preview.24201.7/DotnetTools/dotnet-watch/8.0.300-preview.24201.10/tools/net8.0/any/BuildHost-netcore/Microsoft.CodeAnalysis.Workspaces.MSBuild.BuildHost.deps.json/usr/share/powershell/.store/powershell.linux.x64/7.4.1/powershell.linux.x64/7.4.1/tools/net8.0/any/Modules/Microsoft.PowerShell.PSResourceGet/dependencies/NuGet.Packaging.dll/usr/share/powershell/.store/powershell.linux.x64/7.4.1/powershell.linux.x64/7.4.1/tools/net8.0/any/Modules/Microsoft.PowerShell.PSResourceGet/_manifest/spdx_2.2/manifest.spdx.json/usr/share/powershell/.store/powershell.linux.x64/7.4.1/powershell.linux.x64/7.4.1/tools/net8.0/any/Modules/PSReadLine/_manifest/spdx_2.2/manifest.spdx.jsonThe remaining Debian issues are low severity and have a mix of fix available and not at the time of writing:
The CVE with a fix available should be resolved the next time we rebuild our Debian images.