This repository has been archived by the owner on Jun 21, 2022. It is now read-only.

Are you considering checking language versions as well? #31

Open
forevermatt opened this issue Sep 4, 2019 · 1 comment

Comments

@forevermatt

I really like how this (especially via Trivy) can be used to check for vulnerabilities about the OS and about installed packages (used by PHP, Node.JS, etc.).

Have you considered having it also check the version of the programming language(s) present?

For example, if the Docker container's PHP version is 7.0.0, that could report the CVE-2019-9020 vulnerability.

@jabielecki
Contributor

"container's PHP version", or more generally "version of the runtime of language X", can be obtained by the same means as any other software. It is not much different from an HTTP server, for example.

  • For example if PHP7 was installed by .deb package, it is covered by this.
  • If it was installed by .rpm package, by some other relevant advisory.
  • If both above are false, but it was inherited from a well-known public docker-image, maybe all vulnerable image checksums can be somehow scraped? (quite interesting exploration here)
  • If it was directly compiled from source to binary, it would require some AI probably.
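The detection routes listed in the comment above, worked into a small script. This is an added example and is not code from the original thread or from the project: it reads constructed sample output of `dpkg-query`, `rpm -q` and `php -v` (not captured from a real image), extracts an upstream PHP version from each, compares it numerically against a hypothetical advisory table, and records how much that comparison can be trusted. The version ranges given for CVE-2019-9020 are an assumption made for the example and must be checked against the published advisory before use; the package names and command formats are assumptions too.

```python
import re
from typing import Dict, List, Optional, Sequence, Tuple

Version = Tuple[int, ...]

# Constructed sample command output (not captured from a real image). Each string
# is what the named command would print inside the container being scanned.
DPKG_OUTPUT = "php7.0-cli\t1:7.0.33-0+deb9u11\n"        # dpkg-query -W -f '${Package}\t${Version}\n' 'php*-cli'
RPM_OUTPUT = "php-cli\t7.2.24\n"                          # rpm -q --qf '%{NAME}\t%{VERSION}\n' php-cli
PHP_V_OUTPUT = ("PHP 7.0.0 (cli) (built: Dec  1 2015 13:18:16) ( NTS )\n"
                "Copyright (c) 1997-2015 The PHP Group\n")  # php -v

# Hypothetical advisory table keyed by upstream PHP version. The ranges for
# CVE-2019-9020 are an assumption made for this example and must be verified
# against the published advisory. Each entry is (first_affected, fixed_in);
# None as first_affected means "every earlier release".
ADVISORIES: List[Dict] = [
    {"cve": "CVE-2019-9020",
     "ranges": [(None, (7, 1, 27)), ((7, 2, 0), (7, 2, 16)), ((7, 3, 0), (7, 3, 3))]},
]


def version_tuple(text: str) -> Version:
    """'7.0.33' -> (7, 0, 33). Tuples compare numerically, so 7.10.0 > 7.9.9;
    comparing the raw strings would get that wrong."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])


def parse_package_line(output: str) -> Optional[Tuple[str, str]]:
    """Parse the first 'name<TAB>version' line from dpkg-query or rpm and return
    (package, upstream_version). Debian versions are [epoch:]upstream[-revision];
    only the upstream part is comparable with PHP's own release numbering."""
    for line in output.splitlines():
        name, _, ver = line.partition("\t")
        if not ver:
            continue
        ver = ver.split(":", 1)[-1]   # drop epoch
        ver = ver.split("-", 1)[0]    # drop distro revision
        return name, ver
    return None


def parse_php_v(output: str) -> Optional[str]:
    """Extract the version from `php -v`, the only route for a source-built binary."""
    m = re.match(r"PHP (\d+\.\d+\.\d+)", output)
    return m.group(1) if m else None


def is_affected(v: Version, ranges: Sequence[Tuple[Optional[Version], Version]]) -> bool:
    return any((lo is None or lo <= v) and v < hi for lo, hi in ranges)


def assess(source: str, version: str) -> Dict:
    """Match an upstream PHP version against the table and say how far to trust it.

    For 'deb' and 'rpm' the distro backports fixes without changing the upstream
    number, so a match is only a hint and the distro advisory is the authority,
    which is what the package-level scan already consults. For a source-built
    'binary' the upstream ranges are the only signal there is."""
    v = version_tuple(version)
    hits = [a["cve"] for a in ADVISORIES if is_affected(v, a["ranges"])]
    return {"source": source, "version": version,
            "upstream_matches": hits, "authoritative": source == "binary"}


def scan_container() -> List[Dict]:
    """Run the three detection routes over the constructed sample output."""
    results = []
    for source, output in (("deb", DPKG_OUTPUT), ("rpm", RPM_OUTPUT)):
        parsed = parse_package_line(output)
        if parsed:
            results.append(assess(source, parsed[1]))
    binary = parse_php_v(PHP_V_OUTPUT)
    if binary:
        results.append(assess("binary", binary))
    return results


if __name__ == "__main__":
    for r in scan_container():
        print(r)
```

The `authoritative` flag is the practical point: a Debian package such as `7.0.33-0+deb9u11` carries security fixes far beyond upstream 7.0.33, so an upstream-range match on a packaged runtime must defer to the distro advisory, while a `php -v` reading from a binary compiled from source has nothing else to fall back on.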

2 participants