Question: When the image was scanned one month ago, there were no vulnerabilities. The same image is scanned today and reports vulnerabilities. Why?
Answer: AWS has updated its vulnerability definitions since the first scan; the image itself did not change.
Question: Sometimes, after the image is rebuilt from the same Dockerfile, these vulnerabilities are gone. Why?
Answer: When the image is rebuilt, it grabs the latest libraries, and the vulnerabilities may have been fixed in those newer libraries. In that case, use this flag so the cached layers are not reused:
--no-cache
Here is an example. The scan reports vulnerabilities related to curl.
Dockerfile
FROM alpine:3.19
RUN apk update && apk add curl && apk upgrade
To build
docker image build --no-cache -t leo_test:latest .
When apk update && apk add run again, they get the latest packages. By that time, Alpine may have fixed the curl issue. You can check and find that the curl version has changed:
curl --version
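To tell the two cases above apart from the scan output itself, here is an added example (not part of the original post) that compares two scans of an image and labels each changed finding as either a scanner-definition update or a package change from a rebuild. The findings shape follows aws ecr describe-image-scan-findings (name plus package_name / package_version attributes); the installed-package maps are assumed to come from apk info -v inside each image, and all CVE ids and versions are constructed placeholders.

```python
# Constructed example: the ECR findings shape (name + attributes) is real,
# but every CVE id and package version below is a made-up placeholder.

def finding(cve, pkg, ver, severity="HIGH"):
    """Build one finding in the ECR findings shape."""
    return {"name": cve, "severity": severity,
            "attributes": [{"key": "package_name", "value": pkg},
                           {"key": "package_version", "value": ver}]}

def index_findings(findings):
    """Map CVE id -> (package, version) reported for it."""
    out = {}
    for f in findings:
        attrs = {a["key"]: a["value"] for a in f["attributes"]}
        out[f["name"]] = (attrs["package_name"], attrs["package_version"])
    return out

def explain_drift(old_findings, old_installed, new_findings, new_installed):
    """Return {cve: reason} for every finding that differs between two scans.

    new_definitions:              new CVE on a package version that was already
                                  installed at the old scan (scanner DB updated)
    introduced_by_package_change: new CVE on a package version that changed
    fixed_by_rebuild:             CVE gone and the package version changed
    definition_retracted:         CVE gone although the package is unchanged
    still_present:                reported by both scans
    """
    old, new = index_findings(old_findings), index_findings(new_findings)
    result = {}
    for cve, (pkg, ver) in new.items():
        if cve in old:
            result[cve] = "still_present"
        elif old_installed.get(pkg) == ver:
            result[cve] = "new_definitions"
        else:
            result[cve] = "introduced_by_package_change"
    for cve, (pkg, ver) in old.items():
        if cve not in new:
            changed = new_installed.get(pkg) != ver
            result[cve] = "fixed_by_rebuild" if changed else "definition_retracted"
    return result

# Scenario from the post: same image scanned a month apart, then rebuilt
# with --no-cache so `apk add curl` pulls a newer curl package.
LAST_MONTH = ([], {"curl": "8.5.0-r0", "openssl": "3.1.4-r0"})
TODAY_SAME_IMAGE = ([finding("CVE-0000-0001", "curl", "8.5.0-r0")],
                    {"curl": "8.5.0-r0", "openssl": "3.1.4-r0"})
TODAY_REBUILT = ([], {"curl": "8.5.0-r1", "openssl": "3.1.4-r0"})

if __name__ == "__main__":
    print(explain_drift(*LAST_MONTH, *TODAY_SAME_IMAGE))    # new_definitions
    print(explain_drift(*TODAY_SAME_IMAGE, *TODAY_REBUILT))  # fixed_by_rebuild
```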