Question: How to report and/or resolve reported vulnerabilities in the Docker images?
I followed the instructions for installing Eramba community edition, using an Intel based Mac running Docker Desktop. I’m just playing around at the moment and so accessing Eramba via 127.0.0.1 / loopback address.
When poking around in Docker Desktop I used Docker Scout to analyse the images for vulnerabilities. I was surprised to see several critical and high vulnerabilities being reported against components of the images. Example screenshot below.
How does Eramba scan the images for vulnerabilities? Also is it possible to resolve the vulnerabilities once launched or will a new image need to be downloaded?
Thanks for reporting. We are only doing a vulnerability scan against the eramba application; you can find those reports in the release notes.
We will try to fix at least critical ones. I believe that we need to resolve them on our side.
I have to agree with Daniel here.
My own company’s security controls for SOC2 and ISO 27001 see us doing daily vulnerability scans, and remediating critical vulnerabilities within a timeframe of days. And our supplier controls strongly frown upon us signing up with a SaaS provider that didn’t do the same.
If our own Eramba installation wasn’t effectively sandboxed in our own datacentre I would probably not be allowed to use you.