ECR Results - Basic vs Enhanced Scanning


The documentation states that the basic ECR image scan finds OS vulnerabilities, while the enhanced ECR scan finds OS + Language Package vulnerabilities. The documentation implies the basic scan (OS only scan) overlaps completely with the enhanced scan (which is OS + Language Package). This is not true in my experience.

If the result of the enhanced scan is the sum total of the OS scan (basic) plus the language package scan, I would expect all the findings of the basic scan to also be present in the enhanced scan. This is not the case. When I scan the same image using a basic scan vs an enhanced scan, the enhanced scan actually contains FEWER findings than the basic scan.

Can someone please help me understand the results of the basic vs enhanced scans so that the differences are accounted for?

1 Answer

As per documentation, basic scanning uses CVEs from the open-source Clair project. Enhanced scanning is an integration with Amazon Inspector. This suggests both options use different databases/scanners.

While the enhanced scan may provide fewer findings, it may be due to the basic scan generating false positives, or the enhanced scan generating false negatives. You may want to examine and validate the findings in more detail.

Mike_L (AWS EXPERT), answered 3 months ago
Reviewed by an AWS EXPERT 3 months ago
  • As the name implies, "Enhanced Scanning" goes deeper into the analysis of issues than "Basic scanning"

  • Thank you for the quick reply. To follow up on basic vs enhanced using different DBs/scanners: I have a concern that the enhanced scan is potentially missing relevant vulnerabilities. This comes from the basic scan reporting critical vulnerabilities where the enhanced scan of the same image doesn't report the same vulnerabilities.

    In my case, two of the critical vulnerabilities that were reported by the basic scan don't apply to our environment. I'm still investigating the third. I was thinking the enhanced scan was somehow aware of the same critical vulnerabilities, but didn't report them because it was able to determine they don't apply. I really need to confirm if this is the case.

    Is enhanced scanning at least as capable as the basic scanning? I was expecting enhanced scanning to be everything from a basic scan + some additional capability around language packages. What Mike_L is saying seems to be different. Enhanced scanning is an entirely different service, using a different DB from the basic scan, and the report could be missing relevant critical vulnerabilities that would be reported in the basic scan.

  • I would also like to get clarification on whether enhanced scanning is guaranteed to catch and report critical vulnerabilities, the same as or similar to what the basic scan does.
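The answer suggests examining and validating the findings in more detail. The following script is an added example (not from this thread, and not AWS's own tooling) that does the first step of that validation mechanically: it takes the basic-scan and enhanced-scan results for the same image, indexes both by CVE id, and reports which findings appear only on one side, singling out the CRITICAL findings the basic scan reports that the enhanced scan does not. It assumes the boto3 response shape of the ECR DescribeImageScanFindings API (basic findings under `imageScanFindings.findings` with the CVE id in `name`, enhanced findings under `imageScanFindings.enhancedFindings` with the id in `packageVulnerabilityDetails.vulnerabilityId`). The two sample responses are constructed for the example and their CVE ids are placeholders, not real advisories; `fetch_scan_findings` is only needed against a live registry.

```python
# Added example: diff the CVE sets from an ECR basic scan and an enhanced
# (Amazon Inspector) scan of the same image so that one-sided findings can be
# triaged by hand. Response field names follow the boto3 DescribeImageScanFindings
# output (assumption); sample data below is constructed, CVE ids are placeholders.


def fetch_scan_findings(repository, tag, region="us-east-1"):
    """Page through DescribeImageScanFindings for one image (needs boto3 + credentials)."""
    import boto3  # imported here so the offline part of the example runs without it
    ecr = boto3.client("ecr", region_name=region)
    merged = {"findings": [], "enhancedFindings": []}
    kwargs = {"repositoryName": repository, "imageId": {"imageTag": tag}}
    while True:
        resp = ecr.describe_image_scan_findings(**kwargs)
        page = resp.get("imageScanFindings", {})
        merged["findings"].extend(page.get("findings", []))
        merged["enhancedFindings"].extend(page.get("enhancedFindings", []))
        token = resp.get("nextToken")
        if not token:
            return {"imageScanFindings": merged}
        kwargs["nextToken"] = token


def basic_index(response):
    """Map CVE id -> (severity, package) from basic-scan (Clair) findings."""
    out = {}
    for f in response["imageScanFindings"].get("findings", []):
        attrs = {a["key"]: a["value"] for a in f.get("attributes", [])}
        pkg = f"{attrs.get('package_name', '?')}@{attrs.get('package_version', '?')}"
        out[f["name"]] = (f.get("severity", "UNDEFINED"), pkg)
    return out


def enhanced_index(response):
    """Map CVE id -> (severity, packages) from enhanced-scan (Inspector) findings."""
    out = {}
    for f in response["imageScanFindings"].get("enhancedFindings", []):
        details = f.get("packageVulnerabilityDetails", {})
        pkgs = details.get("vulnerablePackages", [])
        pkg = ", ".join(f"{p.get('name', '?')}@{p.get('version', '?')}" for p in pkgs) or "?"
        cve = details.get("vulnerabilityId") or f.get("title", "?")
        out[cve] = (f.get("severity", "UNDEFINED"), pkg)
    return out


def diff_scans(basic_response, enhanced_response):
    """Return the one-sided and shared CVE ids, plus CRITICAL ids only the basic scan reports."""
    b, e = basic_index(basic_response), enhanced_index(enhanced_response)
    only_basic = sorted(set(b) - set(e))
    only_enhanced = sorted(set(e) - set(b))
    both = sorted(set(b) & set(e))
    # The set the thread is really about: CRITICAL findings present in the basic
    # scan but absent from the enhanced scan. Each one needs a manual verdict
    # (true gap in the enhanced scan vs. false positive in the basic scan).
    critical_gaps = [c for c in only_basic if b[c][0] == "CRITICAL"]
    return {"only_basic": only_basic, "only_enhanced": only_enhanced, "both": both,
            "critical_gaps": critical_gaps, "basic": b, "enhanced": e}


# Constructed sample responses shaped like the API output (placeholder CVE ids).
BASIC_SAMPLE = {"imageScanFindings": {"findings": [
    {"name": "CVE-2000-0001", "severity": "CRITICAL",
     "attributes": [{"key": "package_name", "value": "libexample"}, {"key": "package_version", "value": "1.0-1"}]},
    {"name": "CVE-2000-0002", "severity": "CRITICAL",
     "attributes": [{"key": "package_name", "value": "libexample"}, {"key": "package_version", "value": "1.0-1"}]},
    {"name": "CVE-2000-0003", "severity": "HIGH",
     "attributes": [{"key": "package_name", "value": "openssl"}, {"key": "package_version", "value": "3.0.0"}]},
]}}

ENHANCED_SAMPLE = {"imageScanFindings": {"enhancedFindings": [
    {"severity": "HIGH", "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-2000-0003",
     "vulnerablePackages": [{"name": "openssl", "version": "3.0.0"}]}},
    # Language-package finding: only the enhanced scan can see these at all.
    {"severity": "MEDIUM", "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-2000-0004",
     "vulnerablePackages": [{"name": "requests", "version": "2.0.0"}]}},
]}}


def report(result):
    """Render the diff as lines suitable for a ticket or a CI log."""
    lines = [f"shared: {len(result['both'])}, basic-only: {len(result['only_basic'])}, "
             f"enhanced-only: {len(result['only_enhanced'])}"]
    for cve in result["only_basic"]:
        sev, pkg = result["basic"][cve]
        lines.append(f"BASIC ONLY    {cve} {sev:8} {pkg}")
    for cve in result["only_enhanced"]:
        sev, pkg = result["enhanced"][cve]
        lines.append(f"ENHANCED ONLY {cve} {sev:8} {pkg}")
    for cve in result["critical_gaps"]:
        lines.append(f"VALIDATE      {cve}: CRITICAL in basic scan, absent from enhanced scan")
    return lines


if __name__ == "__main__":
    # Against a live registry: diff_scans(fetch_scan_findings(repo, tag), fetch_scan_findings(repo, tag))
    # run once under each registry scanning configuration. Here: the constructed samples.
    print("\n".join(report(diff_scans(BASIC_SAMPLE, ENHANCED_SAMPLE))))
```

On a real registry the two responses come from scanning the same image once with basic scanning and once with enhanced scanning enabled, since a registry is in one mode at a time. The `VALIDATE` lines are the items to check against the package versions actually installed in the image before concluding that either scanner is wrong.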
