1 Answer
The simple answer is yes, you can go to the Support section in the AWS Console and inquire about anything related to any AWS service as long as you have the appropriate level of Support. You can find more about what the support levels contain here - https://aws.amazon.com/premiumsupport/plans/
For your vulnerability, AWS Inspector uses the file that contains what packages are used to build the container. These files are in each package as well. So it may have picked up the package in another package that you have installed.
That is what we found: when we were getting 'false positives', we found that the package was in another package we installed.
Hope this helps!
answered 2 years ago
I had an experience with a 'false positive' too. But in the end we appeared to have a yarn.lock file which a developer of a package accidentally included in the package. After removing this yarn.lock the vulnerability was no longer reported by Inspector v2. I guess Inspector does not work with hashes of files but scans these kinds of package references in lock files (there is also package.lock.json). Under the hood AWS is using Snyk (or similar) to detect vulnerabilities.
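The comment above traced its finding to a yarn.lock shipped inside an installed package. The following is an added example, not code from this thread or from AWS: it walks an extracted image or project directory, finds lock files nested under node_modules, and reports which of them pin a given package and at what version. The sample lock file content and the function names are constructed for illustration.

```python
import json, os, re, sys

LOCK_NAMES = {"yarn.lock", "package-lock.json"}
# Constructed sample: a lock file a dependency shipped by mistake.
SAMPLE_YARN_LOCK = '''# yarn lockfile v1
"@babel/core@^7.0.0":
  version "7.1.0"

lodash@^4.17.0, lodash@^4.17.4:
  version "4.17.15"
'''

def yarn_versions(text):
    """Yield (name, version) pairs from yarn.lock (v1 layout)."""
    names = []
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            specs = [s.strip().strip('"') for s in line[:-1].split(",")]
            names = sorted({s[:s.rindex("@")] for s in specs if "@" in s[1:]})
        elif m := re.match(r'\s+version:?\s+"?([^"\s]+)"?', line):
            yield from ((n, m.group(1)) for n in names)
            names = []

def npm_versions(text):
    """Yield (name, version) from the "packages" map of package-lock.json v2/v3."""
    for path, meta in json.loads(text).get("packages", {}).items():
        if "node_modules/" in path and "version" in meta:
            yield path.rsplit("node_modules/", 1)[1], meta["version"]

def nested_lockfile_hits(root, package):
    """Return sorted (lock file, version) pairs for lock files inside node_modules."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        # The project's own top-level lock file is expected, so skip it.
        if "node_modules" not in os.path.relpath(dirpath, root).split(os.sep):
            continue
        for fname in LOCK_NAMES.intersection(files):
            path = os.path.join(dirpath, fname)
            parse = yarn_versions if fname == "yarn.lock" else npm_versions
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = [v for n, v in parse(fh.read()) if n == package]
            except (OSError, ValueError, AttributeError, TypeError):
                continue  # unreadable or malformed lock file
            hits.update((os.path.relpath(path, root), v) for v in found)
    return sorted(hits)

if __name__ == "__main__":  # usage: script.py <extracted-root> <package-name>
    print(nested_lockfile_hits(sys.argv[1], sys.argv[2]))
```

Any path it prints is a lock file that an installed dependency brought along, which is the kind of file the commenter removed.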
Look if you are using ehcache. Upgrading to the newest version fixed all of our issues. ehcache package itself jackson-databind ...