Amazon Inspector CVE in CVEList.txt not reported in the findings

Question

We have gitlab-ee:16.3.1-ee.0 in our private ECR, which has a few CVEs, including CVE-2023-7028.

The CVE is found in the Amazon Inspector rules list, and in the Inspector Vulnerability database search, but somehow Amazon Inspector does not report that CVE in the Findings. CVE not found

What should we do to make sure Inspector report such CVEs?

The CVE is found in the Amazon Inspector [rules list](https://s3.us-east-1.amazonaws.com/rules-engine.us-east-1/CVEList.txt), and in the [Inspector Vulnerability database search](https://console.aws.amazon.com/inspector/v2/home?#/vulnerability-database-search?vulnerabilityId=CVE-2023-7028), but somehow Amazon Inspector does not report that CVE in the Findings. ![CVE not found](/media/postImages/original/IM3vtY2z_zQXuBE45lOCHb1w)

What should we do to make sure Inspector report such CVEs?

Answer

When was the container in ECR scanned? Was the CV publised after the inial container image was scanned?

Do you have enhanced scanning enabled to continously scan images to pick up any new CVE's??
https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced.html

Amazon Inspector CVE in CVEList.txt not reported in the findings

関連するコンテンツ