daipok

Reputation: 1

Building a Docker image with the docker command and the buildx plugin, but getting CVE error CVE-2024-41110

I am trying to build a docker image that runs my CI/CD pipeline.

The image will contain docker because I need to build images using the pipeline.

I use jfrog docker scan to scan image.

Now, I try to make it simple by just

COPY --from=docker.io/docker:26 /usr/local/bin/docker /usr/local/bin

This won't give me any CVE errors, even though the version is 26.1.4.

However, if I want to include the buildx as well:

COPY --from=docker.io/docker:26 /usr/local/libexec/docker/cli-plugins/docker-buildx /usr/local/libexec/docker/cli-plugins

Then when I scan it with jfrog it gives me CVE-2024-41110. I tried to use the specific tag 27.1.1, which says the issue is resolved, but I still get stuck.

I know CVE-2024-41110 has a mitigation (disabling the authz plugin in /etc/docker/daemon.json), but I need to get a clean pass for the jfrog scan. Not sure what to do. Any hints?

Tried docker:27.1.1 but no use. I found that even if I just had this line: COPY --from=docker.io/docker:26 /usr/local/libexec/docker/cli-plugins/docker-buildx /usr/local/libexec/docker/cli-plugins

I would get the CVE in the jfrog scan. Just having COPY --from=docker.io/docker:26 /usr/local/bin/docker /usr/local/bin alone is actually fine (no CVE in the scan result, and plus, it's 26.1.4 even).
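A check worth running before chasing image tags, added here as an example and not part of the original question: docker-buildx is a statically linked Go binary whose module list (including the github.com/docker/docker module it is built against) is embedded in the executable and readable with `go version -m`, and Go-aware scanners match CVEs against that module version rather than against the tag of the image the file was copied from. So the buildx binary inside docker:27.1.1 can still carry an older moby module and be flagged while /usr/local/bin/docker is not. The script below parses `go version -m` output and reports the embedded moby version; the sample output and the hash are constructed, the path `/usr/local/libexec/docker/cli-plugins/docker-buildx` is the one from the question, and the per-release-line patched floors are an assumption to be verified against the upstream CVE-2024-41110 advisory.

```python
"""Report the github.com/docker/docker (moby) module version embedded in a Go
binary such as the docker-buildx CLI plugin, using `go version -m` output."""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Constructed sample of `go version -m` output for a buildx binary. The hash
# values are placeholders, not real module checksums.
SAMPLE_BUILDINFO = """\
/usr/local/libexec/docker/cli-plugins/docker-buildx: go1.21.11
\tpath\tgithub.com/docker/buildx/cmd/buildx
\tmod\tgithub.com/docker/buildx\t(devel)
\tdep\tgithub.com/docker/cli\tv26.1.4+incompatible\th1:PLACEHOLDER_HASH=
\tdep\tgithub.com/docker/docker\tv26.1.4+incompatible\th1:PLACEHOLDER_HASH=
\tbuild\t-buildmode=exe
"""

MOBY_MODULE = "github.com/docker/docker"

# Lowest patched moby version per release line. ASSUMED from memory of the
# upstream advisory for CVE-2024-41110; verify against the advisory before use.
FIXED_FLOORS: Dict[int, Tuple[int, int, int]] = {
    23: (23, 0, 15),
    26: (26, 1, 5),
    27: (27, 1, 1),
}


def read_buildinfo(binary_path: str) -> str:
    """Run `go version -m` on a binary (needs a Go toolchain on PATH)."""
    return subprocess.run(
        ["go", "version", "-m", binary_path],
        check=True, capture_output=True, text=True,
    ).stdout


def parse_dep_versions(buildinfo: str) -> Dict[str, str]:
    """Map each `dep` module path to its version from `go version -m` output."""
    deps: Dict[str, str] = {}
    for line in buildinfo.splitlines():
        parts = line.strip().split("\t")
        if len(parts) >= 3 and parts[0] == "dep":
            deps[parts[1]] = parts[2]
    return deps


def semver_tuple(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn 'v26.1.4+incompatible' into (26, 1, 4); None if not MAJOR.MINOR.PATCH."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def moby_is_patched(version: str) -> Optional[bool]:
    """True/False against the assumed floors; None when the version or the
    release line is not covered and must be checked manually."""
    v = semver_tuple(version)
    if v is None:
        return None
    floor = FIXED_FLOORS.get(v[0])
    if floor is None:
        return None
    return v >= floor


def report(buildinfo: str) -> str:
    """One-line summary a pipeline step can print or log."""
    version = parse_dep_versions(buildinfo).get(MOBY_MODULE)
    if version is None:
        return f"{MOBY_MODULE} not found in build info"
    status = {True: "patched", False: "VULNERABLE", None: "unknown; check advisory"}
    return f"{MOBY_MODULE} {version}: {status[moby_is_patched(version)]}"


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in read_buildinfo(path)
    # to inspect a real docker-buildx binary.
    print(report(SAMPLE_BUILDINFO))
```

If the reported moby version is below the patched floor for its release line, the scanner finding is about the buildx binary's compiled-in dependency, and only a buildx build that bumped that module (or a scanner policy exception that documents why the client-side binary cannot reach the daemon's authz plugin path) will clear it; changing the docker image tag alone will not.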

Upvotes: 0

Views: 90

Answers (0)
