CBL-Mariner2.0 reporting security vulnerability [CVE-2024-45490]

[Kalpana1596]

We've encountered an issue with Component Governance in our project, specifically with the Mariner 2.0 image. The governance tool flagged several packages as vulnerable, and despite upgrading them to the recommended versions, our pipeline continues to report the presence of these vulnerable packages.

Affected Packages and Versions:

expat: Upgraded from 2.6.2-2.cm2 to 2.6.3-1.cm2

curl: Upgraded from 8.8.0-1.cm2 to 8.8.0-2.cm2

Attempted Resolution: We explicitly upgraded the mentioned packages to the versions recommended by the Component Governance tool to address the vulnerabilities.

Further Steps: Following a suggestion from the Component Governance Team, we utilized the https://github.com/microsoft/component-detection/tree/main tool to scan our project. The scan results showed both the old and new versions of the packages, which is puzzling.

How can we remove any dependencies on the vulnerable packages through docker directives?

[lbussell]

@Kalpana1596, which image layer are you running the tdnf upgrade -y expat command in? expat is installed by default in the Azure Linux/CBL Mariner 2.0 base image, so if you aren't running the upgrade command in your final layer, then it may still be making it through to your image.

Component-detection uses anchore/syft for checking components of container images. To validate your fixes locally, build your image and then test it yourself by running:

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock anchore/syft scan $YOUR_TAG

[mthalman]

My understanding is that component detection is scanning all layers so while an upgrade does solve the issue of having a vulnerable version in your running container, it doesn't solve the issue of the scanner detecting the vulnerable version.

[lbussell]

It seems you might be right - I found this issue: Component detection detects vulnerabilities in all docker image layers even if they've been patched by a new layer (microsoft/component-detection#721)