CVE-2024-6119 not detected #7525
Question: CVE-2024-6119 When I use another scanning tool, it was detecting this particular CVE.
Target: Container Image
Scanner: Vulnerability
Output Format: JSON
Mode: Standalone
Operating System: Windows
Version:
Version: 0.55.1
Vulnerability DB:
Version: 2
UpdatedAt: 2024-09-17 06:11:57.440749107 +0000 UTC
NextUpdate: 2024-09-17 12:11:57.440748977 +0000 UTC
DownloadedAt: 2024-09-17 06:56:37.687676243 +0000 UTC
Java DB:
Version: 1
UpdatedAt: 2024-09-17 01:05:13.063235569 +0000 UTC
NextUpdate: 2024-09-20 01:05:13.063235449 +0000 UTC
DownloadedAt: 2024-09-17 06:58:26.442649623 +0000 UTC
Hello @johnsenong Latest
➜ docker run -it --rm ubuntu:24.04 cat /var/lib/dpkg/status | grep 'Package: libssl3t64' -A 13
Package: libssl3t64
Status: install ok installed
Priority: optional
Section: libs
Installed-Size: 6056
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: arm64
Multi-Arch: same
Source: openssl
Version: 3.0.13-0ubuntu3.3
Replaces: libssl3
Provides: libssl3 (= 3.0.13-0ubuntu3.3)
Depends: libc6 (>= 2.38)
Breaks: libssl3 (<< 3.0.13-0ubuntu3.3)
But fixed version is
Regards, Dmitriy
Thank you for checking on this. Apparently the openssl that I was referring to, looks to be not coming from the OS. Will Trivy be able to scan this package? For clearer context: (Let me know if I should remove this info)
Thanks @DmitriyLewen
Yes, I can see both
I have no visibility on how this binary gets added,
One last question from me (please bear with me :p):
Thanks, @DmitriyLewen I'll dig further into Datadog to understand the
Hello @johnsenong
Sorry for the confusion. I answered the question in my head 😄
Let me just say a few things:
apt packages:
This image contains installed libssl3t64 and libssl-dev packages. Source of these packages - openssl (see https://packages.debian.org/sid/libssl3t64).
Trivy finds vulnerabilities by source package, but shows package name (to make it easier for you to find and update it via apt).
So Trivy detects CVE-2024-6119 (you can see full info using -f json --list-all-pkgs flags):
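
Added example (not part of the thread and not Trivy's code): a sketch of the source-package matching described in the reply above. It resolves each installed binary package in a dpkg status file to its source package, so an advisory filed against openssl is reported for libssl3t64 and libssl-dev. The status excerpt is constructed apart from the libssl3t64 fields quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed dpkg status excerpt; only libssl3t64's fields come from the thread.
SAMPLE_STATUS = """\
Package: libssl3t64
Status: install ok installed
Source: openssl
Version: 3.0.13-0ubuntu3.3

Package: libssl-dev
Status: install ok installed
Source: openssl
Version: 3.0.13-0ubuntu3.3

Package: openssl
Status: deinstall ok config-files
Version: 3.0.13-0ubuntu3.3

Package: libgcc-s1
Status: install ok installed
Source: gcc-14 (14.2.0-4ubuntu2~24.04)
Version: 14.2.0-4ubuntu2~24.04
"""

def parse_status(text):
    """Yield one dict per stanza, folding continuation lines into their field."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        yield fields

def source_of(pkg):
    """Source name and version; both default to the binary package's own."""
    m = re.match(r"(\S+)(?:\s+\((.+)\))?$", pkg.get("Source", pkg["Package"]))
    return m.group(1), m.group(2) or pkg["Version"]

def affected_binaries(text, advisory_source):
    """Installed binary packages built from the source an advisory names."""
    hits = []
    for pkg in parse_status(text):
        installed = pkg.get("Status", "").split()[-1:] == ["installed"]
        if installed and source_of(pkg)[0] == advisory_source:
            hits.append((pkg["Package"], pkg["Version"]))
    return sorted(hits)
```

Calling affected_binaries(SAMPLE_STATUS, "openssl") returns the two libssl packages and skips the removed openssl binary package, which is why a search for a package literally named openssl can miss the finding.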