FYI I did open a case at AWS support and they were able to repro the issue. It happens that the issue can be seen when you use podman to build images. Such images, once pushed into ECR, will show "UNSUPPORTED_IMAGE" scan status.
They now have fixed that and ECR Enhanced Scanning works properly on both Docker and Podman built images.
I tried to push ubi8/ubi:8.5-200 in my environment.
As a result, a scan was performed, and one vulnerability was detected.
Here is the result of listing the findings with the AWS CLI.
$ aws inspector2 list-findings
{
  "findings": [
    {
      "awsAccountId": "123456789012",
      "description": "A flaw was found in the way Unicode standards are implemented in the context of development environments, which have specialized requirements for rendering text. An attacker could exploit this to deceive a human reviewer by creating a malicious patch containing well placed BiDi characters. The special handling and rendering of those characters can be then used in an attempt to hide unexpected and potentially dangerous behaviour from the reviewer.",
      "findingArn": "arn:aws:inspector2:ap-northeast-1:123456789012:finding/0b9c60a7b1ddba6e914d21aa04cf****",
      "firstObservedAt": "2021-12-23T03:06:02.647000+00:00",
      "inspectorScore": 8.5,
      "inspectorScoreDetails": {
        "adjustedCvss": {
          "adjustments": [],
          "cvssSource": "REDHAT_CVE",
          "score": 8.5,
          "scoreSource": "REDHAT_CVE",
          "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        }
      },
      "lastObservedAt": "2021-12-23T03:06:02.647000+00:00",
      "packageVulnerabilityDetails": {
        "cvss": [
          {
            "baseScore": 8.5,
            "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "source": "REDHAT_CVE",
            "version": "3.1"
          },
          {
            "baseScore": 5.1,
            "scoringVector": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
            "source": "NVD",
            "version": "2.0"
          },
          {
            "baseScore": 8.3,
            "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "source": "NVD",
            "version": "3.1"
          }
        ],
        "referenceUrls": [
          "https://access.redhat.com/errata/RHSA-2021:4037",
          "https://access.redhat.com/errata/RHSA-2021:4730",
          "https://access.redhat.com/errata/RHSA-2021:4598",
          "https://access.redhat.com/errata/RHSA-2021:4036",
          "https://access.redhat.com/errata/RHSA-2021:4596",
          "https://access.redhat.com/errata/RHSA-2021:4035",
          "https://access.redhat.com/errata/RHSA-2021:4034",
          "https://access.redhat.com/errata/RHSA-2021:4694",
          "https://access.redhat.com/errata/RHSA-2021:4595",
          "https://access.redhat.com/errata/RHSA-2021:4039",
          "https://access.redhat.com/errata/RHSA-2021:4038",
          "https://access.redhat.com/errata/RHSA-2021:4599",
          "https://access.redhat.com/errata/RHSA-2021:4590",
          "https://access.redhat.com/errata/RHSA-2021:4033",
          "https://access.redhat.com/errata/RHSA-2021:4594",
          "https://access.redhat.com/errata/RHSA-2021:4593",
          "https://access.redhat.com/errata/RHSA-2021:4592",
          "https://access.redhat.com/errata/RHSA-2021:4591",
          "https://access.redhat.com/errata/RHSA-2021:4649",
          "https://access.redhat.com/errata/RHSA-2021:4669",
          "https://access.redhat.com/errata/RHSA-2021:4724",
          "https://access.redhat.com/errata/RHSA-2021:4729",
          "https://access.redhat.com/errata/RHSA-2021:4587",
          "https://access.redhat.com/errata/RHSA-2021:4586",
          "https://access.redhat.com/errata/RHSA-2021:4585",
          "https://access.redhat.com/errata/RHSA-2021:4723",
          "https://access.redhat.com/errata/RHSA-2021:4602",
          "https://access.redhat.com/errata/RHSA-2021:4601",
          "https://access.redhat.com/errata/RHSA-2021:4600",
          "https://access.redhat.com/errata/RHSA-2021:4743",
          "https://access.redhat.com/errata/RHSA-2021:4589",
          "https://access.redhat.com/errata/RHSA-2021:4588"
        ],
        "relatedVulnerabilities": [],
        "source": "REDHAT_CVE",
        "sourceUrl": "https://access.redhat.com/security/cve/CVE-2021-42574",
        "vendorCreatedAt": "2021-11-01T00:00:00+00:00",
        "vendorSeverity": "Moderate",
        "vulnerabilityId": "CVE-2021-42574",
        "vulnerablePackages": [
          {
            "arch": "X86_64",
            "epoch": 0,
            "name": "libgcc",
            "packageManager": "OS",
            "release": "3.el8",
            "sourceLayerHash": "sha256:ce3c6836540f978b55c511d236429e26b7a45f5a6f1204ab8d4378afaf77332f",
            "version": "8.5.0"
          },
          {
            "arch": "X86_64",
            "epoch": 0,
            "name": "libstdc++",
            "packageManager": "OS",
            "release": "3.el8",
            "sourceLayerHash": "sha256:ce3c6836540f978b55c511d236429e26b7a45f5a6f1204ab8d4378afaf77332f",
            "version": "8.5.0"
          }
        ]
      },
      "remediation": {
        "recommendation": {
          "text": "This issue can be mitigated by ensuring code commits get a proper review. All new commits can also be scanned for the presence of BiDi characters before accepting the commit."
        }
      },
      "resources": [
        {
          "details": {
            "awsEcrContainerImage": {
              "architecture": "amd64",
              "imageHash": "sha256:8ee9d7bbcfc19d383f9044316a5c5fbcbe2df6be3c97f6c7a5422527b29bdede",
              "imageTags": [
                "8.5-200"
              ],
              "platform": "RHEL_8",
              "pushedAt": "2021-12-23T03:05:54+00:00",
              "registry": "123456789012",
              "repositoryName": "test/ubi8/ubi"
            }
          },
          "id": "arn:aws:ecr:ap-northeast-1:123456789012:repository/test/ubi8/ubi/sha256:8ee9d7bbcfc19d383f9044316a5c5fbcbe2df6be3c97f6c7a5422527b29bdede",
          "partition": "N/A",
          "region": "N/A",
          "tags": {},
          "type": "AWS_ECR_CONTAINER_IMAGE"
        }
      ],
      "severity": "HIGH",
      "status": "ACTIVE",
      "title": "CVE-2021-42574 - libgcc, libstdc++",
      "type": "PACKAGE_VULNERABILITY",
      "updatedAt": "2021-12-23T03:06:02.647000+00:00"
    }
  ]
}
Following what you did, I pushed the original ubi8/ubi:8.5-214: in this case ECR scanning works and no findings were reported (no CVE currently).
Then I pushed an image built using the following super simple Dockerfile:
FROM registry.access.redhat.com/ubi8/ubi:8.5-214
CMD ["/bin/bash"]
And then ECR scanning failed with "Scan status: UNSUPPORTED_IMAGE". Note that I use the AWS Console, since using the CLI (aws inspector2 list-findings --filter-criteria '{"ecrImageRepositoryName": [{"comparison": "EQUALS", "value": "<your repo name>"}]}') always reports no findings.