LAB8 - Docker Scout usage and CVEs analysis

The source of the analyzed project is here.

Building an image

The image is built and pushed with an SBOM and max-mode provenance attestation attached, which is what Docker Scout reads when it checks the image:

docker buildx build -f Dockerfile_classic -t rreszka/pawcho:lab8 --sbom=true --provenance=mode=max --push .

Checking image for CVEs

Critical severity CVEs

Critical CVEs - screenshot

High severity CVEs

High CVEs - screenshot

The command below lists only the critical and high severity CVEs, and for each one shows the package version in which it has been fixed (if any), so the fixed versions can be used as the new minimums in package.json:

docker scout cves --only-severity critical,high rreszka/pawcho:lab8

Here is an example:

CVEs extended info - screenshot

Patching the project

To fix this project, package.json has to be updated so that each affected package is bumped to a version that is no longer vulnerable.

Here are the differences made to the package.json file.

Unfortunately, the first update of package.json did not cover all vulnerabilities, because some of the vulnerable packages are transitive dependencies that are not listed in package.json at all:

Still some CVEs - screenshot

npm audit shows which direct dependencies pull in the vulnerable packages; those direct dependencies are the ones that have to be bumped in package.json (an npm `overrides` entry is the alternative when no fixed release of the direct dependency exists yet):

NPM audit - screenshot

Here are the further differences made to the package.json file to cover the remaining packages.

After rebuilding and rescanning, all critical and high severity CVEs are gone:

Critical and High severity CVEs are no more - screenshot
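The patching procedure above (read the fixed versions off `docker scout cves`, then use `npm audit` to find which direct dependencies pull in the vulnerable transitive packages) can be turned into a small script. The block below is an added example written for this writeup, not code from the PAwChO repository. It assumes the `npm audit --json` report shape used by npm 7 and later (a `vulnerabilities` map whose entries carry `isDirect`, `via`, `effects` and `fixAvailable`); the package names, advisories and the `scoutFixedVersions` map are constructed sample data, not real packages or CVEs.

```javascript
// Added example (not from the lab repo): given a package.json object, the JSON
// from `npm audit --json` (npm 7+ report shape, as assumed here) and a map of
// "fixed in" versions read off `docker scout cves`, work out which direct
// dependencies must be bumped so that transitive CVEs are covered as well.
// All sample inputs below are constructed; the packages and advisories are not real.

// Extract the numeric minimum of a range such as "^1.2.3" or "~2.0.0" as [1, 2, 3].
function minVersion(range) {
  const m = String(range).match(/(\d+)\.(\d+)\.(\d+)/);
  return m ? m.slice(1, 4).map(Number) : [0, 0, 0];
}

// Compare two [major, minor, patch] triples; positive when a is newer than b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Follow the `via` chain of a vulnerability entry to the advisory objects that
// are the real root causes. Strings in `via` name other vulnerable packages
// (transitive dependencies); objects are the advisories themselves.
function rootCauses(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name);
  const out = [];
  for (const v of vulns[name].via) {
    if (typeof v === "string") out.push(...rootCauses(vulns, v, seen));
    else out.push({ package: v.name, title: v.title, severity: v.severity, range: v.range });
  }
  return out;
}

// Build a fix plan for the direct dependencies named in package.json. Only the
// severities the lab cared about (critical, high) are considered by default.
// The target version comes from npm's fixAvailable object when it needs a
// semver-major bump, otherwise from the Docker Scout "fixed in" map.
function planFixes(pkg, audit, scoutFixedVersions = {}, severities = ["critical", "high"]) {
  const vulns = audit.vulnerabilities || {};
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const plan = [];
  for (const [name, v] of Object.entries(vulns)) {
    if (!v.isDirect || !(name in deps)) continue;
    const causes = rootCauses(vulns, name).filter((c) => severities.includes(c.severity));
    if (causes.length === 0) continue;
    let target = null;
    let major = false;
    if (v.fixAvailable && typeof v.fixAvailable === "object") {
      target = v.fixAvailable.version;
      major = Boolean(v.fixAvailable.isSemVerMajor);
    } else if (scoutFixedVersions[name]) {
      target = scoutFixedVersions[name];
    }
    plan.push({ dependency: name, current: deps[name], target, isSemVerMajor: major, rootCauses: causes });
  }
  return plan;
}

// Return a new package.json object with the planned bumps applied. Dependencies
// without a known fixed version are left untouched and listed in `unresolved`,
// so an incomplete first pass (as happened in the lab) is visible, not silent.
function applyFixes(pkg, plan) {
  const out = JSON.parse(JSON.stringify(pkg));
  const unresolved = [];
  for (const p of plan) {
    const section = out.dependencies && p.dependency in out.dependencies ? "dependencies" : "devDependencies";
    if (!p.target) { unresolved.push(p.dependency); continue; }
    if (compareVersions(minVersion(p.target), minVersion(out[section][p.dependency])) > 0) {
      out[section][p.dependency] = "^" + p.target;
    }
  }
  return { pkg: out, unresolved };
}

// --- constructed sample inputs: hypothetical packages, not real advisories ---
const samplePackageJson = {
  name: "pawcho-lab8-sample",
  dependencies: { "web-framework": "^1.2.0", "util-lib": "^3.0.1", "config-loader": "^2.4.0" },
};

const sampleAudit = { vulnerabilities: {
  // transitive package, pulled in only through config-loader
  "deep-merge": { name: "deep-merge", severity: "critical", isDirect: false,
    via: [{ source: 1001, name: "deep-merge", title: "Prototype pollution (constructed)", severity: "critical", range: "<0.6.0" }],
    effects: ["config-loader"], range: "<0.6.0", nodes: ["node_modules/deep-merge"],
    fixAvailable: { name: "config-loader", version: "3.1.0", isSemVerMajor: true } },
  // direct dependency that is vulnerable only because of deep-merge
  "config-loader": { name: "config-loader", severity: "critical", isDirect: true,
    via: ["deep-merge"], effects: [], range: "<=2.5.1", nodes: ["node_modules/config-loader"],
    fixAvailable: { name: "config-loader", version: "3.1.0", isSemVerMajor: true } },
  // direct dependency with a semver-compatible fix; version taken from Docker Scout
  "util-lib": { name: "util-lib", severity: "high", isDirect: true,
    via: [{ source: 1002, name: "util-lib", title: "ReDoS (constructed)", severity: "high", range: "<3.2.0" }],
    effects: [], range: "<3.2.0", nodes: ["node_modules/util-lib"], fixAvailable: true },
  // direct dependency with no fix available anywhere yet
  "web-framework": { name: "web-framework", severity: "high", isDirect: true,
    via: [{ source: 1003, name: "web-framework", title: "Open redirect (constructed)", severity: "high", range: "<=1.9.0" }],
    effects: [], range: "<=1.9.0", nodes: ["node_modules/web-framework"], fixAvailable: false },
} };

// "Fixed in" versions as read off `docker scout cves` output (constructed).
const scoutFixedVersions = { "util-lib": "3.2.0" };

const samplePlan = planFixes(samplePackageJson, sampleAudit, scoutFixedVersions);
const { pkg: samplePatched, unresolved: sampleUnresolved } = applyFixes(samplePackageJson, samplePlan);
console.log(JSON.stringify({ plan: samplePlan, patched: samplePatched.dependencies, unresolved: sampleUnresolved }, null, 2));
```

The script only computes the new package.json; after writing it out, the image still has to be rebuilt and rescanned with the same `docker scout cves` command, since the lock file and the base image can reintroduce packages the plan never saw.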