Hi Dan

We get automatic scans done by GitHub's Dependabot and we periodically run a manual scan using an OWASP tool. It would be nice to see the results of the Sonatype scanner, but these mailing lists don't support images. Can you put them in a pastebin (I don't believe there's any security benefit in avoiding a public upload here) or send them directly to me at this address?

Thanks
James

On 2022/09/28 18:50, Danny Mayer wrote:
Hi Support,

I'm developing a solution using Apache Drill on a MongoDB cluster server, and it works well.

But, when I tried to approve the package at my company, it did not pass IT security scans.

I performed a security scan using Sonatype Nexus IQ scanner, done on a Linux box, on two docker images:

- apache-drill:master

- apache-drill:1.20.2

Both docker images did not pass the security scan.

I've tried to attach both reports, but they exceed the size limit allowed by your email server.

Here are the steps to reproduce the reports:

1. Pull the docker images
# docker pull apache/drill:master
# docker pull apache/drill:1.20.2

2. Save docker images to a local file
# docker save -o apache-drill-master.tar <image-id>
# docker save -o apache-drill-1.20.2.tar <image-id>

3. Install Sonatype Nexus IQ scanner

4. Run Sonatype Nexus IQ scanner

5. Load each docker image file and start the scan
At the end of the scan a report is sent to you by email.

I've attached two screenshots of the first report page of each report.

Can you check these vulnerabilities, especially the high and medium security levels, and write about them?

Regards,

Dan Mayer
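The reproduction steps above, collected into one script so the scan can be rerun against an exact image. This is an added example, not code from the Drill project or from either mail. It assumes docker is installed, that the Nexus IQ CLI jar is at $IQ_CLI_JAR, and that IQ_SERVER, IQ_AUTH (user:password) and IQ_APP_ID point at your IQ server; the CLI flags (-i, -s, -a, -t, -r) are the standard nexus-iq-cli arguments as I know them, so check them against `java -jar "$IQ_CLI_JAR" --help` for your version. Two changes from the mail: images are saved by tag rather than by a copied image ID, and the image ID and repo digest are written next to each tarball so a scan report can be tied to one specific build.

```shell
#!/bin/sh
# Added example: pull, save and scan the two Drill images named in the thread.
# Not part of Apache Drill; assumes docker and the Nexus IQ CLI are installed.
# Invoke as: IQ_CLI_JAR=... IQ_SERVER=... IQ_AUTH=... IQ_APP_ID=... sh scan-drill.sh run
set -eu

# Map an image reference such as apache/drill:1.20.2 to the tarball name
# used in the thread (apache-drill-1.20.2.tar).
tar_name_for() {
    printf '%s.tar\n' "$(printf '%s' "$1" | sed 's#[/:]#-#g')"
}

# Pull the image, record its ID and repo digest, and save it by tag.
# docker save accepts name:tag as well as an image ID, so no ID copying.
pull_and_save() {
    ref="$1"
    out="$(tar_name_for "$ref")"
    docker pull "$ref" >/dev/null
    # The digest file lets a reviewer confirm which build a report describes.
    docker image inspect --format '{{.Id}} {{.RepoDigests}}' "$ref" > "$out.digest"
    docker save -o "$out" "$ref"
    printf '%s\n' "$out"
}

# Submit the tarball to Nexus IQ and keep the JSON result beside it.
# Flags are assumed from the nexus-iq-cli documentation; verify with --help.
scan_with_iq() {
    tarball="$1"
    java -jar "$IQ_CLI_JAR" \
        -i "$IQ_APP_ID" \
        -s "$IQ_SERVER" \
        -a "$IQ_AUTH" \
        -t build \
        -r "${tarball%.tar}-iq-report.json" \
        "$tarball"
}

main() {
    for ref in apache/drill:master apache/drill:1.20.2; do
        tarball="$(pull_and_save "$ref")"
        scan_with_iq "$tarball"
    done
}

# Only touch docker and the IQ server when explicitly asked, so the helper
# functions can be sourced or checked without network access.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it with the single argument `run`; without it the script only defines the functions. The `.digest` files are the part worth attaching to a report: an image tag like `master` moves, so a finding is only reproducible against the recorded digest.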
