#94 git #101
Comments
git is used during the image build time, but it is removed from the runtime image (https://github.com/PharmaLedger-IMI/fgt-workspace/blob/v0.9.7/docker/api/Dockerfile#L33). It has been removed since tag v0.9.6. The v0.9.7 is used for stage 4 testing. @bonfim-sanofi we find no git package in the runtime image. Is the analysis from a version before v0.9.6? (Issue #98 is in a similar situation.)

Considering the issue closed. There is no runtime git package on v0.9.6 and afterwards.

The security scan was performed on commit fdd7c03, which is after tag v0.10.2.

Hi @bonfim-sanofi! The security scan does not specify which Dockerfile was analysed. Unused Dockerfiles were removed on a856314.
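The pattern the thread describes, git present only while building and absent from the runtime image a scanner inspects, as an added illustration that is not the fgt-workspace Dockerfile; the base images, paths and the npm build step are assumptions for the example:

```dockerfile
# Added illustration (not the project's own Dockerfile): a multi-stage build in
# which git exists only in the build stage. Base images, paths and the npm
# steps are assumptions chosen for the example.

# ---- build stage: git is installed here, e.g. for git-hosted npm dependencies
FROM node:16-bullseye-slim AS build
RUN apt-get update \
 && apt-get install -y --no-install-recommends git \
 && rm -rf /var/lib/apt/lists/*
WORKDIR /src
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

# ---- runtime stage: starts from a fresh base image, so nothing installed in
# the build stage (git included) carries over; only built artifacts are copied.
FROM node:16-bullseye-slim
WORKDIR /app
COPY --from=build /src/dist ./dist
COPY --from=build /src/node_modules ./node_modules
USER node
CMD ["node", "dist/server.js"]
```

When reconciling a scanner report with a build like this, inspect the final image rather than an intermediate stage: `docker run --rm <image> sh -c 'dpkg -s git'` should report that the package is not installed.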
From #94
List of Packages with HIGH CVEs
Packages detected
HIGH - HIGH - git
(RECURRENT) GHSA-6vvc-c2m3-cjf3: Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.
... several other (omitted).