Troubleshooting Docker image vulnerabilities


You can use the GetImage API to retrieve additional CVE information for any Docker image uploaded to LUSID. For example, if you are unable to create a job from your Docker image lusid-upsert-transactions-image:latest, you can inspect the CVE information reported for all severity levels and use it to troubleshoot yourself, or alternatively contact support.

```shell
curl -X GET \
  "https://<your-domain>.lusid.com/scheduler2/api/images/<your-image-name>%3A<your-image-tag>" \
  -H "accept: application/json" \
  -H "Authorization: Bearer <your-token>"
```

A response might look like this, with any vulnerabilities listed:

```json
{
  "name": "lusid-upsert-transactions-image",
  "pushTime": "2023-04-19T13:36:34.0000000+00:00",
  "digest": "sha256:5b9810705c893d80f403a0111d932b392b2a53798bd8570d6010c34fb3cf1354",
  "size": 131485064,
  "tags": [
    {
      "name": "latest",
      "pullTime": "0001-01-01T00:00:00.0000000+00:00",
      "pushTime": "0001-01-01T00:00:00.0000000+00:00",
      "signed": false,
      "immutable": false
    }
  ],
  "scanReport": {
    "severity": "High",
    "status": "COMPLETE",
    "endTime": "2023-04-19T13:36:42.0000000+00:00",
    "summary": {
      "total": 51,
      "critical": 0,
      "high": 0,
      "medium": 4,
      "low": 5,
      "negligible": 34,
      "unknown": 8
    },
    "vulnerabilities": [
      {
        "name": "CVE-2022-1304",
        "severity": "Medium",
        "description": "An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.",
        "links": [
          "https://security-tracker.debian.org/tracker/CVE-2022-1304"
        ]
      },
      {
        "name": "CVE-2021-33560",
        "severity": "Medium",
        "description": "Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.",
        "links": [
          "https://security-tracker.debian.org/tracker/CVE-2021-33560"
        ]
      },
      {
        "name": "CVE-2022-29458",
        "severity": "Medium",
        "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.",
        "links": [
          "https://security-tracker.debian.org/tracker/CVE-2022-29458"
        ]
      },
      [...]
    ]
  }
}
```

Note that your image must contain no critical or high vulnerabilities in order to pass AWS gate checks.
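The following script is an added example and is not part of the LUSID documentation or the LUSID SDK. It builds the GetImage request shown in the curl command above (percent-encoding the `:` between image name and tag, as the example URL does), then reads the `scanReport` section of the response and applies the rule stated in the note: any critical or high finding, or a scan that has not reached `COMPLETE`, means the image will not pass the gate. The sample responses embedded below are constructed from the shape of the response on this page; the function and constant names, and the `CVE-0000-0000` identifier used to show a failing case, are placeholders chosen for the example.

```python
"""Added example: pre-flight check of a LUSID scheduler image's scan report.

Assumes (not guaranteed by the page) that the GetImage response keeps the
shape of the sample above: scanReport.status, scanReport.summary and
scanReport.vulnerabilities[*].{name,severity}.
"""
import json
import urllib.parse
import urllib.request

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]
BLOCKING = {"Critical", "High"}  # per the note: no critical or high to pass the gate


def image_url(domain: str, image: str, tag: str) -> str:
    """Build the GetImage URL; safe='' forces ':' to be encoded as %3A."""
    ref = urllib.parse.quote(f"{image}:{tag}", safe="")
    return f"https://{domain}.lusid.com/scheduler2/api/images/{ref}"


def get_image(domain: str, image: str, tag: str, token: str, timeout: int = 30) -> dict:
    """Fetch and parse the GetImage response (network call, not used by the tests)."""
    req = urllib.request.Request(
        image_url(domain, image, tag),
        headers={"accept": "application/json", "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def findings_by_severity(image: dict) -> dict:
    """Group CVE names from scanReport.vulnerabilities by severity, most severe first."""
    grouped = {sev: [] for sev in SEVERITY_ORDER}
    for vuln in image.get("scanReport", {}).get("vulnerabilities", []):
        sev = str(vuln.get("severity", "Unknown")).capitalize()
        grouped.setdefault(sev, []).append(vuln["name"])
    return {sev: names for sev, names in grouped.items() if names}


def gate_check(image: dict) -> tuple:
    """Return (passes, reasons). Fails closed if the scan has not completed.

    The summary counts are authoritative (the vulnerabilities list may be
    paged or elided); the list is used only to name the blocking CVEs.
    """
    report = image.get("scanReport") or {}
    status = report.get("status")
    if status != "COMPLETE":
        return False, [f"scan status is {status!r}, not COMPLETE"]
    summary = report.get("summary", {})
    blocking_count = summary.get("critical", 0) + summary.get("high", 0)
    grouped = findings_by_severity(image)
    blocking = [n for sev in SEVERITY_ORDER if sev in BLOCKING for n in grouped.get(sev, [])]
    if blocking_count or blocking:
        return False, blocking or [f"summary reports {blocking_count} critical/high findings"]
    return True, []


# Constructed sample, modelled on the page's response: medium findings only.
SAMPLE_RESPONSE = {
    "name": "lusid-upsert-transactions-image",
    "scanReport": {
        "status": "COMPLETE",
        "summary": {"total": 51, "critical": 0, "high": 0, "medium": 4, "low": 5},
        "vulnerabilities": [
            {"name": "CVE-2022-1304", "severity": "Medium"},
            {"name": "CVE-2021-33560", "severity": "Medium"},
            {"name": "CVE-2022-29458", "severity": "Medium"},
        ],
    },
}

# Constructed failing case; CVE-0000-0000 is a placeholder, not a real CVE.
SAMPLE_WITH_HIGH = {
    "name": "example-image",
    "scanReport": {
        "status": "COMPLETE",
        "summary": {"total": 1, "critical": 0, "high": 1},
        "vulnerabilities": [{"name": "CVE-0000-0000", "severity": "High"}],
    },
}

if __name__ == "__main__":
    for sample in (SAMPLE_RESPONSE, SAMPLE_WITH_HIGH):
        ok, reasons = gate_check(sample)
        print(sample["name"], "PASS" if ok else "BLOCKED", reasons)
```

To run it against a real image, replace the samples with `get_image("<your-domain>", "<your-image-name>", "<your-image-tag>", "<your-token>")`; the check deliberately refuses an image whose scan is still in progress rather than treating "no findings yet" as a pass.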