By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Amazon Inspector CVE in CVEList.txt not reported in the findings

0

We have gitlab-ee:16.3.1-ee.0 in our private ECR, which has a few CVEs, including CVE-2023-7028.

The CVE is found in the Amazon Inspector rules list, and in the Inspector Vulnerability database search, but somehow Amazon Inspector does not report that CVE in the Findings. CVE not found

What should we do to make sure Inspector report such CVEs?

Topics
ContainersSecurity, Identity, & ComplianceAWS Well-Architected Framework
Tags
Amazon Elastic Container Registry (ECR)Amazon InspectorSecurity
Language
English
Richard Kang
asked 3 months ago232 views
1 Answer
0

When was the container in ECR scanned? Was the CV publised after the inial container image was scanned?

Do you have enhanced scanning enabled to continously scan images to pick up any new CVE's?? https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced.html

profile picture
EXPERT
Gary Mclean
answered 3 months ago
  • Richard Kang
    3 months ago

    I have enhanced scanning configuration, and Lifetime ECR scanning to ensure continue automated re-scans, still the false negative in Inspector

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content