
Consider ignoring CVEs that are marked as "wont-fix" #1057

Open
apyrgio opened this issue Jan 20, 2025 · 0 comments

apyrgio commented Jan 20, 2025

When we scan the soon-to-be-merged Dangerzone Debian image (see #1046), we see several CVEs that are marked as wont-fix. These CVEs have varying severities, and some are even Critical. Usually, when the Debian Security team marks a CVE as wont-fix, it means that they have assessed its impact and deemed that it's not important for various reasons, mainly build options. Still, Grype can't know this, and will error out if we ask it to fail for CVEs with Critical severity.

For the time being, we have decided to let the tool fail, so that we can check the Debian Security team's advisory, and ignore the CVE in .grype.yaml, if we feel the explanation makes sense. In the future, it may make sense to run Grype with the --ignore-states wont-fix option. Note that this option is not present in anchore/scan-action (see Action Inputs), so we may have to run this tool differently, e.g., with:

podman run --rm -v /tmp/container.tar:/container.tar anchore/grype:latest /container.tar --ignore-states wont-fix
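One way to get the effect of --ignore-states wont-fix when the scan still runs through anchore/scan-action, which has no such input: post-process Grype's JSON report and fail only on matches that are both severe enough and not marked wont-fix, while still listing the ignored ones so someone can check the distro advisory. This is an added example, not Dangerzone's or Grype's own code; the report layout (matches[].vulnerability.fix.state) is assumed from Grype's JSON output, and the CVE ids and package names are constructed placeholders.

```python
import json

# Constructed sample report with placeholder CVE ids and packages, not a real
# Dangerzone scan. The field layout (matches[].vulnerability.{id,severity,fix.state})
# is assumed from grype's "-o json" output.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"state": "wont-fix"}},
         "artifact": {"name": "pkg-a", "version": "1.0-1"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"state": "fixed"}},
         "artifact": {"name": "pkg-b", "version": "2.3-1"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                           "fix": {"state": "not-fixed"}},
         "artifact": {"name": "pkg-c", "version": "0.9-2"}},
    ]
})

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def triage(report_json, fail_on="critical", ignore_states=("wont-fix",)):
    """Split a Grype JSON report into (blocking, ignored) match summaries.

    blocking: matches at or above `fail_on` whose fix state is not ignored.
    ignored:  matches skipped because their fix state is in `ignore_states`;
              they are returned so a human can still review the advisory.
    """
    threshold = SEVERITY_RANK[fail_on.lower()]
    blocking, ignored = [], []
    for match in json.loads(report_json).get("matches", []):
        vuln = match["vulnerability"]
        summary = {
            "id": vuln["id"],
            "severity": vuln.get("severity", "Unknown"),
            "state": vuln.get("fix", {}).get("state", "unknown"),
            "package": f'{match["artifact"]["name"]} {match["artifact"]["version"]}',
        }
        if summary["state"] in ignore_states:
            ignored.append(summary)
        elif SEVERITY_RANK.get(summary["severity"].lower(), -1) >= threshold:
            blocking.append(summary)
    return blocking, ignored


def scan_should_fail(report_json, **kwargs):
    """Exit-code style verdict: True when any blocking match remains."""
    return bool(triage(report_json, **kwargs)[0])
```

Feed it the output of `grype <image> -o json` in the workflow step after the scan; the ignored list is what you would then compare against the Debian advisory before adding an entry to .grype.yaml.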
apyrgio added a commit that referenced this issue Jan 21, 2025
Update the Debian snapshot date to the current one, so that we always
scan the latest image for CVEs.

Refs #1057
apyrgio added a commit that referenced this issue Jan 23, 2025
Update the Debian snapshot date to the current one, so that we always
scan the latest image for CVEs.

Refs #1057
apyrgio added a commit that referenced this issue Jan 27, 2025
Update the Debian snapshot date to the current one, so that we always
scan the latest image for CVEs.

Refs #1057