Docker Desktop OSX reports critical vulnerabilities in Eramba images

Question: How to report and/or resolve reported vulnerabilities in the Docker images?

I followed the instructions for installing Eramba community edition, using an Intel based Mac running Docker Desktop. I’m just playing around at the moment and so accessing Eramba via 127.0.0.1 / loopback address.

When poking around in Docker Desktop I used Docker Scout to analyse the images for vulnerabilities. I was surprised to see several critical and high vulnerabilities being reported against components of the images. Example screenshot below.

How does Eramba scan the images for vulnerabilities? Also is it possible to resolve the vulnerabilities once launched or will a new image need to be downloaded?

Any thoughts would be appreciated.

Thanks

Hello,

Thanks for reporting. We are only doing a vulnerability scan against the eramba application; you can find those reports in the release notes.
We will try to fix at least critical ones. I believe that we need to resolve them on our side.

Int. ref.: https://github.com/eramba/eramba/issues/4553

Hi,

Just checking if there is any update to this?

Hello,

The issue was not yet taken into release.

Is it possible to get an ETA? Some of these issues were marked critical, and there really should be a process in place for them to be patched ASAP.

I have to agree with Daniel here.
My own company’s security controls for SOC2 and ISO 27001 see us doing daily vulnerability scans, and remediating critical vulnerabilities within a timeframe of days. And our supplier controls strongly frown upon us signing up with a SaaS provider that didn’t do the same.
If our own Eramba installation wasn’t effectively sandboxed in our own datacentre I would probably not be allowed to use you.

1 Like
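The first post asks how image findings get scanned and whether they can be resolved in place, and the last post describes a remediation SLA for criticals. The following is an added example (not eramba's code and not Docker Scout's output format) of how a defender would triage a scanner's per-image CVE list against such an SLA: the report shape, field names, SLA day counts and CVE ids are all constructed placeholders, and the only claim the code relies on is that a container-image finding is closed by rebuilding or pulling an image with the fixed package, not by patching the running container.

```python
"""Triage container-image vulnerability findings against a remediation SLA.

Added example. The report below is a constructed simplification of what an
image scanner emits; its field names are assumptions, not a real schema.
"""
from collections import Counter
from datetime import date, timedelta

# Remediation SLA in days per severity. These thresholds are an assumption
# standing in for a real policy such as the "days" for criticals above.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}

# Constructed sample scan report. CVE ids, package names and the image name
# are placeholders, not real findings in any eramba image.
SAMPLE_REPORT = {
    "image": "example/app:latest",
    "scanned": "2024-05-10",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "severity": "CRITICAL", "package": "libexample",
         "installed": "1.0.0", "fixed": "1.0.1", "first_seen": "2024-04-20"},
        {"id": "CVE-0000-0002", "severity": "HIGH", "package": "libother",
         "installed": "2.3.0", "fixed": "2.3.4", "first_seen": "2024-05-01"},
        {"id": "CVE-0000-0003", "severity": "HIGH", "package": "libnofix",
         "installed": "0.9.0", "fixed": None, "first_seen": "2024-03-15"},
        {"id": "CVE-0000-0004", "severity": "LOW", "package": "libminor",
         "installed": "5.0.0", "fixed": "5.0.2", "first_seen": "2024-05-09"},
    ],
}


def severity_counts(report):
    """Count findings per severity, like the summary a scanner UI shows."""
    return Counter(v["severity"].upper() for v in report["vulnerabilities"])


def triage(report, sla_days=SLA_DAYS, today=None):
    """Split findings into overdue / within SLA / no upstream fix.

    `today` is an ISO date string; it defaults to the report's scan date.
    A finding is closed by rebuilding (or pulling) an image that carries the
    fixed package version. Findings with no fixed version cannot be closed by
    rebuilding yet, so they are tracked separately rather than counted as
    overdue against the image maintainer.
    """
    today = date.fromisoformat(today or report["scanned"])
    buckets = {"overdue": [], "within_sla": [], "no_fix_available": []}
    for v in report["vulnerabilities"]:
        sev = v["severity"].upper()
        due = date.fromisoformat(v["first_seen"]) + timedelta(days=sla_days.get(sev, 365))
        entry = {**v, "due": due.isoformat()}
        if not v.get("fixed"):
            buckets["no_fix_available"].append(entry)
        elif today > due:
            buckets["overdue"].append(entry)
        else:
            buckets["within_sla"].append(entry)
    return buckets


def passes_policy(report, fail_on=("CRITICAL", "HIGH"), today=None):
    """Gate: fail the image if any fixable finding at the listed severities is overdue."""
    result = triage(report, today=today)
    return not any(v["severity"].upper() in fail_on for v in result["overdue"])


if __name__ == "__main__":
    print(dict(severity_counts(SAMPLE_REPORT)))
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(bucket, [(i["id"], i["due"]) for i in items])
    print("policy pass:", passes_policy(SAMPLE_REPORT))
```

The `no_fix_available` bucket is the useful distinction for a thread like this one: a scanner will keep flagging those entries in every rebuild until the upstream package ships a fix, so a remediation SLA only makes sense for findings where a fixed version exists.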