How does vulnerability acknowledgement work? The images have the vulnerable file in the same location in the Docker image, but there are also scenarios in which the Docker image has the vulnerable file in different locations as well. Will this feature still work as intended?
The feature will work whether or not the vulnerabilities are in the same or different locations of the scanned images.
Here are two Dockerfiles I created that place the same Python vulnerability in different file locations on each running container. My Image Assurance policy disallows any image from running as a container if it has any high-severity vulnerabilities. Here are my two Python images:
If the user goes to Compliance -> Vulnerabilities -> Vulnerabilities tab, the same CVE is listed for both images: 'ericgomes/python3:v1' has one vulnerable file, '/usr/local/lib/python3.6/dist-packages/pip/_vendor/requests/sessions.py', and 'ericgomes/python3:v2' has two, '/usr/local/lib/python3.6/dist-packages/pip/_vendor/requests/sessions.py' and '/usr/ericgomes/python3.6/dist-packages/pip/_vendor/requests/sessions.py'.
If the user selects 'All images' for the vulnerability acknowledgement in Aqua, after a rescan of the images, the one vulnerability reference from 'ericgomes/python3:v1' and both vulnerability references from 'ericgomes/python3:v2' are successfully remediated from one acknowledgement (CVE-2018-18074):
The exact same vulnerability will be acknowledged correctly no matter where the vulnerable file is placed in each managed container, even if there are duplicates.
Make sure that you acknowledge all images with that specific CVE vulnerability and not just a single image.
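As an added illustration (not Aqua's code or the article's), this Python model of the acknowledgement rule uses the article's two images and file paths as constructed sample data; the "*" scope marker and the function names are assumptions. It shows why a single-image acknowledgement still leaves the other image blocked by the policy, while an "All images" acknowledgement clears every path-level duplicate.

```python
# Constructed sample findings modelled on the two images in the article:
# the same CVE is reported once in v1 and twice (different paths) in v2.
# Each finding is (image, cve, severity, vulnerable_file_path).
FINDINGS = [
    ("ericgomes/python3:v1", "CVE-2018-18074", "high",
     "/usr/local/lib/python3.6/dist-packages/pip/_vendor/requests/sessions.py"),
    ("ericgomes/python3:v2", "CVE-2018-18074", "high",
     "/usr/local/lib/python3.6/dist-packages/pip/_vendor/requests/sessions.py"),
    ("ericgomes/python3:v2", "CVE-2018-18074", "high",
     "/usr/ericgomes/python3.6/dist-packages/pip/_vendor/requests/sessions.py"),
]

ALL_IMAGES = "*"  # hypothetical marker for the "All images" acknowledgement scope

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def is_acknowledged(finding, acks):
    """An acknowledgement is (cve, scope) where scope is an image name or ALL_IMAGES.
    A finding is covered when a matching CVE ack applies to its image or to all
    images. The file path is deliberately ignored, so duplicates at different
    locations inside one image are all covered by the same acknowledgement."""
    image, cve, _severity, _path = finding
    return any(a_cve == cve and a_scope in (ALL_IMAGES, image)
               for a_cve, a_scope in acks)


def unacknowledged(findings, acks):
    """Findings that still count against the image after acknowledgements."""
    return [f for f in findings if not is_acknowledged(f, acks)]


def blocked_images(findings, acks, min_severity="high"):
    """Images the assurance policy would refuse to run: any image with an
    unacknowledged finding at or above min_severity."""
    threshold = SEVERITY_ORDER[min_severity]
    return sorted({f[0] for f in unacknowledged(findings, acks)
                   if SEVERITY_ORDER[f[2]] >= threshold})


if __name__ == "__main__":
    print("no acks        :", blocked_images(FINDINGS, []))
    print("v1 only acked  :", blocked_images(FINDINGS, [("CVE-2018-18074", "ericgomes/python3:v1")]))
    print("all images ack :", blocked_images(FINDINGS, [("CVE-2018-18074", ALL_IMAGES)]))
```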