Hi Jim,
as was already said, the CVE fix already shipped (I guess your mail was
stuck in some moderation queue?) and the image rebuilt to incorporate
the fix.
So just for the record - the grade of the image only gets dropped when
the CVE is actually fixed in the specific RHEL or RHSCL version and will
drop lower the longer it takes to rebuild the image to add the CVE fix
in. If there is a known vulnerability but the fix for it is not yet
shipped, then the images will stay in grade A.
HTH,
Petr
On 2/8/21 10:08 PM, Jim Knochelmann wrote:
Hello,
I am interested in a version bump to image
https://catalog.redhat.com/software/containers/ubi8/nodejs-14/5ed7887dd70cc50e69c2fabb.
There seems to be a discrepancy between the "security" tab, which is
reporting a health index of "A" with no problems, and Red Hat's
security info for nodejs 14 on RHEL 8:
https://access.redhat.com/security/cve/CVE-2020-8277 which shows
that CVE-2020-8277 has not yet been fixed. Is CVE-2020-8277 a
security concern? It is possible that I am just interpreting the
reports incorrectly.
If you are available on IBM Slack, I am up at @JimKnochelmann.
Thank you,
Jim Knochelmann
Software Engineer
IBM Watson - Natural Language Understanding
+1 (720) 515-4454
jim.knochelm...@ibm.com
_______________________________________________
SCLorg mailing list
SCLorg@redhat.com
https://listman.redhat.com/mailman/listinfo/sclorg