From 1c2a63ec9131f9c91cf8b5938b303e1e3d69aa42 Mon Sep 17 00:00:00 2001
From: James Healy
Date: Thu, 29 Aug 2024 13:50:54 +1000
Subject: [PATCH] Ignore CVE-2024-37371 and CVE-2024-37370 in docker image

These CVEs are in krb5, a library that handles kerbeos authentication. We don't any kerbeos in production, but also the issues are fixed in 1.20.1-2+deb12u2 which is available in the debian repos and the docker build logs show is being installed. This seems to be a false positive by ECR
---
 .buildkite/ecr-scan-results-ignore.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.buildkite/ecr-scan-results-ignore.yml b/.buildkite/ecr-scan-results-ignore.yml
index 4293ef3e1a..c040a9c43d 100644
--- a/.buildkite/ecr-scan-results-ignore.yml
+++ b/.buildkite/ecr-scan-results-ignore.yml
@@ -18,4 +18,6 @@ ignores:
 - id: CVE-2024-0567 # gnutls28 3.7.9-2+deb12u1
 - id: CVE-2023-50387 # systemd 252.17-1~deb12u1
 - id: CVE-2024-0553 # gnutls28 3.7.9-2
- - id: CVE-2024-0567 # gnutls28 3.7.9-2+deb12u1
\ No newline at end of file
+ - id: CVE-2024-0567 # gnutls28 3.7.9-2+deb12u1
+ - id: CVE-2024-37371 # krb5 1.20.1-2+deb12u1
+ - id: CVE-2024-37370 # krb5 1.20.1-2+deb12u1
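Review bot: The two added krb5 entries record `1.20.1-2+deb12u1` in their trailing comment (presumably the version the scanner flagged) while the commit message says the fix is in `1.20.1-2+deb12u2` and that the build log shows that version installed; as written the ignore is a permanent suppression that carries no trace of that reasoning, so it would silently hide a real finding if a later image ended up with the u1 package. Put the justification on the entries so the suppression can be retired, e.g. `- id: CVE-2024-37371 # krb5: flagged at 1.20.1-2+deb12u1, fixed in 1.20.1-2+deb12u2 (installed per build log); drop once ECR stops flagging` and the same for CVE-2024-37370. The hunk also shows `CVE-2024-0567` listed twice (the first context line and the re-added last line); that is valid YAML for a sequence but one of the two entries is redundant and could be dropped. The `ignores` list begins above the hunk, so other duplicates cannot be checked from here.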