It seems, according to the documentation, that the event is sent by Inspector2 and not by ECR with enhanced scanning:
Event for an image scan finding update (enhanced scanning)
When enhanced scanning is turned on for your registry, the following event is sent by Amazon Inspector when the image scan finding is created, updated, or closed. For more information, see Enhanced scanning.
Event pattern:
{
  "source": ["aws.inspector2"],
  "detail-type": ["Inspector2 Finding"]
}
Finding Example:
{
  "version": "0",
  "id": "42dbea55-45ad-b2b4-87a8-afaEXAMPLE",
  "detail-type": "Inspector2 Finding",
  "source": "aws.inspector2",
  "account": "123456789012",
  "time": "2021-12-03T18:02:30Z",
  "region": "us-east-2",
  "resources": [
    "arn:aws:ecr:us-east-2:123456789012:repository/amazon/amazon-ecs-sample/sha256:36c7b282abd0186e01419f2e58743e1bf635808231049bbc9d77eEXAMPLE"
  ],
  "detail": {
    "awsAccountId": "123456789012",
    "description": "In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.",
    "findingArn": "arn:aws:inspector2:us-east-2:123456789012:finding/be674aaddd0f75ac632055EXAMPLE",
    "firstObservedAt": "Dec 3, 2021, 6:02:30 PM",
    "inspectorScore": 6.5,
    "inspectorScoreDetails": {
      "adjustedCvss": {
        "adjustments": [],
        "cvssSource": "REDHAT_CVE",
        "score": 6.5,
        "scoreSource": "REDHAT_CVE",
        "scoringVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
        "version": "3.0"
      }
    },
    "lastObservedAt": "Dec 3, 2021, 6:02:30 PM",
    "packageVulnerabilityDetails": {
      "cvss": [
        {
          "baseScore": 6.5,
          "scoringVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
          "source": "REDHAT_CVE",
          "version": "3.0"
        },
        {
          "baseScore": 5.8,
          "scoringVector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
          "source": "NVD",
          "version": "2.0"
        },
        {
          "baseScore": 8.1,
          "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
          "source": "NVD",
          "version": "3.1"
        }
      ],
      "referenceUrls": [
        "https://access.redhat.com/errata/RHSA-2020:3915"
      ],
      "source": "REDHAT_CVE",
      "sourceUrl": "https://access.redhat.com/security/cve/CVE-2019-17498",
      "vendorCreatedAt": "Oct 16, 2019, 12:00:00 AM",
      "vendorSeverity": "Moderate",
      "vulnerabilityId": "CVE-2019-17498",
      "vulnerablePackages": [
        {
          "arch": "X86_64",
          "epoch": 0,
          "name": "libssh2",
          "packageManager": "OS",
          "release": "12.amzn2.2",
          "sourceLayerHash": "sha256:72d97abdfae3b3c933ff41e39779cc72853d7bd9dc1e4800c5294dEXAMPLE",
          "version": "1.4.3"
        }
      ]
    },
    "remediation": {
      "recommendation": {
        "text": "Update all packages in the vulnerable packages section to their latest versions."
      }
    },
    "resources": [
      {
        "details": {
          "awsEcrContainerImage": {
            "architecture": "amd64",
            "imageHash": "sha256:36c7b282abd0186e01419f2e58743e1bf635808231049bbc9d77e5EXAMPLE",
            "imageTags": [
              "latest"
            ],
            "platform": "AMAZON_LINUX_2",
            "pushedAt": "Dec 3, 2021, 6:02:13 PM",
            "registry": "123456789012",
            "repositoryName": "amazon/amazon-ecs-sample"
          }
        },
        "id": "arn:aws:ecr:us-east-2:123456789012:repository/amazon/amazon-ecs-sample/sha256:36c7b282abd0186e01419f2e58743e1bf635808231049bbc9d77EXAMPLE",
        "partition": "N/A",
        "region": "N/A",
        "type": "AWS_ECR_CONTAINER_IMAGE"
      }
    ],
    "severity": "MEDIUM",
    "status": "ACTIVE",
    "title": "CVE-2019-17498 - libssh2",
    "type": "PACKAGE_VULNERABILITY",
    "updatedAt": "Dec 3, 2021, 6:02:30 PM"
  }
}
https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced.html
Hi,
Did you notice
When enhanced scanning is turned on, Amazon ECR sends an event to EventBridge when
the scan frequency for a repository is changed. Amazon Inspector emits events to EventBridge
when an initial scan is completed and when an image scan finding is created, updated, or closed.
in https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced.html
If you look at this post detailing the EventBridge integration, https://devpress.csdn.net/cloudnative/62f3778f7e66823466186b5b.html, events are raised when a (new) vulnerability is found, not when a scan (with already known vulnerabilities) is done.
I guess that this has to be confirmed by some tests: v1 of image (no vuln -> no event), v2 with vuln -> event, v3 with no vuln -> no event, v4 with vuln -> event.
Best,
Didier
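The two answers above make two points: the finding event comes from `aws.inspector2` with detail-type `Inspector2 Finding` (first answer, quoting the ECR docs), and Inspector emits it when a finding is created, updated or closed rather than on every scan (Didier's answer). The following is an added example, my own code and not from the thread, the ECR docs or AWS. It implements the exact-match subset of EventBridge pattern semantics in a small `matches()` function, checks the quoted pattern against a constructed copy of the finding example, and shows a Lambda-shaped handler behind a narrower rule. The `ECR_HIGH_ACTIVE_PATTERN` filter on `detail.severity`, `detail.status` and `detail.resources.type`, the `with_detail` helper and the trimmed `SAMPLE_EVENT` are my assumptions; `lambda_handler` is just the usual Python Lambda entry-point name.

```python
# Added example (not from the re:Post thread or AWS): EventBridge-style matcher + handler.
import copy
import json

# Event pattern quoted in the thread from the ECR docs: the source of an enhanced-scanning
# finding event is Amazon Inspector (aws.inspector2), not aws.ecr.
INSPECTOR_FINDING_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
}

# Assumption, my own narrower filter (not from the thread): only ECR image findings that
# are HIGH/CRITICAL and still ACTIVE; the CLOSED update for the same CVE is dropped.
ECR_HIGH_ACTIVE_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {
        "severity": ["HIGH", "CRITICAL"],
        "status": ["ACTIVE"],
        "resources": {"type": ["AWS_ECR_CONTAINER_IMAGE"]},
    },
}

def matches(pattern, event):
    """Exact-match subset of EventBridge pattern semantics: every pattern key must exist
    in the event; a leaf list matches when the event value (or any element of an event
    array) equals one of the listed literals; a nested dict recurses, and an array of
    objects in the event (detail.resources here) matches if any element satisfies it."""
    for key, sub in pattern.items():
        if not isinstance(event, dict) or key not in event:
            return False
        value = event[key]
        candidates = value if isinstance(value, list) else [value]
        if isinstance(sub, dict):
            if not any(matches(sub, c) for c in candidates):
                return False
        elif not any(c in sub for c in candidates):
            return False
    return True

def summarize_finding(event):
    """Pull out what an on-call engineer needs from an Inspector2 Finding event."""
    d = event["detail"]
    pv = d.get("packageVulnerabilityDetails", {})
    images = [r["details"]["awsEcrContainerImage"] for r in d.get("resources", [])
              if r.get("type") == "AWS_ECR_CONTAINER_IMAGE"]
    return {
        "vulnerability_id": pv.get("vulnerabilityId"),
        "severity": d["severity"],
        "status": d["status"],
        "inspector_score": d.get("inspectorScore"),
        "packages": [f"{p['name']}-{p['version']}-{p['release']}"
                     for p in pv.get("vulnerablePackages", [])],
        "images": [f"{i['registry']}/{i['repositoryName']}@{i['imageHash']}" for i in images],
        "tags": sorted({t for i in images for t in i.get("imageTags", [])}),
    }

def lambda_handler(event, context=None):
    """Lambda entry point (assumed target of a rule using ECR_HIGH_ACTIVE_PATTERN).
    Returns the summary for matching events and None for everything else."""
    if not matches(ECR_HIGH_ACTIVE_PATTERN, event):
        return None
    summary = summarize_finding(event)
    print(json.dumps(summary))
    return summary

def with_detail(event, **overrides):
    """Copy an event and override fields under 'detail', to simulate the created ->
    updated -> closed lifecycle that Didier's v1..v4 image test would produce."""
    clone = copy.deepcopy(event)
    clone["detail"].update(overrides)
    return clone

# Constructed sample: the finding example quoted in the thread, trimmed to the fields
# used above (hashes keep their EXAMPLE placeholders).
SAMPLE_EVENT = {
    "detail-type": "Inspector2 Finding",
    "source": "aws.inspector2",
    "detail": {
        "inspectorScore": 6.5,
        "packageVulnerabilityDetails": {
            "vulnerabilityId": "CVE-2019-17498",
            "vulnerablePackages": [{"name": "libssh2", "version": "1.4.3",
                                    "release": "12.amzn2.2", "packageManager": "OS"}],
        },
        "resources": [{
            "type": "AWS_ECR_CONTAINER_IMAGE",
            "details": {"awsEcrContainerImage": {
                "imageHash": "sha256:36c7b282EXAMPLE", "imageTags": ["latest"],
                "registry": "123456789012", "repositoryName": "amazon/amazon-ecs-sample"}},
        }],
        "severity": "MEDIUM",
        "status": "ACTIVE",
    },
}

if __name__ == "__main__":
    lambda_handler(with_detail(SAMPLE_EVENT, severity="HIGH"))
```

The sample (MEDIUM) matches the quoted pattern but not the narrower rule; raising it to HIGH produces a summary, and flipping `status` to CLOSED (what the "closed" event in the docs would carry once a later image no longer ships the package) is filtered out again. A basic-scanning event with `source` `aws.ecr` never matches either pattern, which is the point of the first answer.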