Those scans are useful for spotting parts of the Linux image layers that make up a Docker image that are problematic, and likely easy to remedy by refreshing things.

For spotting stuff inside apps, the signal-to-noise ratio seems very low.

On Tuesday, June 21, 2016 at 8:57:41 AM UTC+10, Kohsuke Kawaguchi wrote:

> Thanks. Some of the vulnerabilities don't apply to us (for example the Spring vulnerability that only affects JSP), but I don't suppose these scanners would be able to make such a distinction.
>
> I'll file this as a SECURITY ticket so that the team can discuss any legitimate issues that need fixing, as well as whether anything can be done to avoid scaring users about vulnerabilities that do not apply.
>
> On Wed, Jun 15, 2016 at 1:05 AM Carlos Sanchez <car...@apache.org> wrote:
>
>> Hi,
>>
>> The last Docker image for 1.651.3 is up in the Docker Hub.
>>
>> The official images are now security scanned, and you can see the results at https://hub.docker.com/r/library/jenkins/tags/1.651.3/ (need to be logged in).
>>
>> Some layers come from the parent Debian and Java images, but the last ones are from the Jenkins war, showing several CVEs for Spring (critical), Groovy (critical), httpclient, commons-compress, xstream and jbcrypt.
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
>> To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/caf20fac-70d0-4429-8335-ed3366105982%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/0c653bce-c3be-4177-976b-b60646b38abc%40googlegroups.com.
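One way to do the triage Kohsuke describes (separate base-layer findings that a rebuild fixes from app-layer findings, and suppress only those the team has documented as not applicable), as an added example that is not code from this thread or from the Jenkins project. The scan input uses a constructed, simplified format, not Docker Hub's real report schema; the CVE ids, layer names and triage statuses are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample scan result (invented schema, placeholder CVE ids).
SCAN_JSON = json.dumps({
    "image": "jenkins:1.651.3",
    "findings": [
        {"layer": "debian:jessie", "package": "openssl",          "cve": "CVE-0000-0001", "severity": "high"},
        {"layer": "java:8-jdk",    "package": "openjdk-8",        "cve": "CVE-0000-0002", "severity": "medium"},
        {"layer": "jenkins.war",   "package": "spring-webmvc",    "cve": "CVE-0000-0003", "severity": "critical"},
        {"layer": "jenkins.war",   "package": "groovy",           "cve": "CVE-0000-0004", "severity": "critical"},
        {"layer": "jenkins.war",   "package": "commons-compress", "cve": "CVE-0000-0005", "severity": "medium"},
    ],
})

# Layers inherited from parent images; findings here are fixed by rebuilding on a refreshed parent.
PARENT_LAYERS = {"debian:jessie", "java:8-jdk"}

# Team triage decisions, one per CVE (hypothetical VEX-style statuses). Only
# "not_affected" entries with a written reason suppress a finding.
TRIAGE = {
    "CVE-0000-0003": {"status": "not_affected",
                      "reason": "vulnerable code path is JSP-only; not used by this app"},
}

def triage_scan(scan_json, triage):
    """Return findings grouped as parent-layer, open app-layer, and suppressed,
    plus a count of unsuppressed criticals. Rejects suppressions with no reason."""
    scan = json.loads(scan_json)
    report = {"base_layers": defaultdict(list), "app_open": [], "suppressed": [],
              "summary": {"critical_open": 0}}
    for f in scan["findings"]:
        decision = triage.get(f["cve"])
        if decision and decision.get("status") == "not_affected":
            if not decision.get("reason", "").strip():
                raise ValueError(f"suppression of {f['cve']} has no documented reason")
            report["suppressed"].append({**f, "reason": decision["reason"]})
            continue
        if f["layer"] in PARENT_LAYERS:
            report["base_layers"][f["layer"]].append(f)
        else:
            report["app_open"].append(f)
        if f["severity"] == "critical":
            report["summary"]["critical_open"] += 1
    report["base_layers"] = dict(report["base_layers"])
    return report

if __name__ == "__main__":
    print(json.dumps(triage_scan(SCAN_JSON, TRIAGE), indent=2))
```

The suppressed list keeps the finding together with its reason, so the justification travels with the report rather than disappearing with the finding.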