Not sure I understand the tag policies #4971
Replies: 3 comments
-
What version do you see emitted when you run
-
I'll give it a go - this is from a GitHub Action so I'll add that reporting in.
-
@MichaelSimons - I just tried it locally - and it does indeed pull the version that should have this fixed:
I think I made the assumption that Trivy Container scanning was... scanning the container. I'm going to check this container I just made to see if it still shows that CVE.
-
So - here's my understanding:
If I have a Dockerfile that starts:
FROM mcr.microsoft.com/dotnet/sdk:6.0 as build
Then it will load the latest SDK:6.0 tagged image appropriate for my environment - so it should pick 6.0.24 - because the floating version tag fixes the major and minor - but not the patch level.
I scanned my container that I built - and it contained a vulnerability CVE-2023-35391 - which was fixed in 6.0.21 - which was released in August?
By my reckoning the CVE shouldn't be there?