AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관

False positive in ECR container image detected by AWS Inspector v2 related with com.fasterxml.jackson.core:jackson-databind?

2

We started a 15-day trial of new Amazon Inspector and it scanned all our existing repos. Latest version of them showed up with up to 19 critical vulnerabilities.... Looking into more detailed they were all related with com.fasterxml.jackson.core:jackson-databind specifically the version that is said to be detected is 0:2.9.6 We started investigating to fix the issue, but we don't have that version inside the offending .jar (we expanded it to look for it). Instead we found version 2.11.2 which has no vulnerability associated. WE did Found a jackson-core-asl-1.9.1.jar and jackson-mapper-asl-1.9.3.jar we thought might be causing it... Still when scanning the new image now without those *-asl.jar the same vulnerabilities are shown. Is it possible AWS Inspector is detecting this as fault possitive? Is there any more in-depth info on why the images are marked as having it, because we can't understand why is been flagged or how to solve it with the provided info.

Can AWS be reached for specific support on correcting false positives and how?

  • I had an experience with a 'false positive' too. But in the end we appeared to have a yarn.lock file which a developer of a package accidently included in the package. After removing this yarn.lock the vulnerability was no longer reported by Inspector v2. I guess inspector does not work with hashes of file but scans these kind of package references in lock files (there is also package.lock.json). Under the hood AWS is using Snyk (or similar) to detect vulnerabilities.

  • Look if you are using ehcache. Upgrading to the newest version fixed all of ours issues. ehcache package itself jackson-databind ...

질문됨 3년 전464회 조회
1개 답변
0

Simple answer is yes, you can go to Support section in the AWS Console and inquire about anything related to any AWS Services as long as you have the appropriate level of Support. You can find more about what support levels contains here - https://aws.amazon.com/premiumsupport/plans/

For your vulnerability, AWS Inspector uses the file that contains what packages are used to build the container. These files are in each package as well. So it may have picked up the package in another package that you have installed.

That is what we found, when we were getting 'false positives', we found that the package was in another package we installed.

Hope this helps!.

profile picture
답변함 2년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠