Apologies if this is a rookie question, but I keep wondering what the vulnerabilities section on DockerHub is trying to tell me. Take nextcloud images for instance: The most current images seem to list 3 critical and 22 severe vulnerabilities. Does that mean those vulns are part of the image? If so, why would anyone want to run this?

  • drkt · 10 points · 18 hours ago

    Many exploits and vulnerabilities are not relevant within the scope the software is typically deployed, so remain unfixed for a long time, even if they are rated high severity.

    • _Nemo_@lemmy.ml (OP) · 4 points · 17 hours ago

      Thank you! While that does allay most security concerns, it does beg the question how useful such a vulnerability tracker is if it doesn’t actually show any relevant vulnerabilities and you constantly have to second-guess what it says. Warning signs that aren’t actually warnings because it’s “just a false alarm” quickly teach personnel to not take warnings seriously - until, one day, it’s not a false alarm…

      • drkt · 3 points · 16 hours ago

        I don’t know if I agree. I get it, but it’s kind of important that people know that if they do something weird with a piece of software, that it might expose them to remote code execution or root shell exploits. It certainly does make you numb to the word “critical”, but I don’t have a solution to that.
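As an added example (not from this thread, and not Docker Hub's or Nextcloud's own tooling), here is the triage step the two replies above are arguing about, in Python: scanner findings in Trivy's JSON shape are checked against VEX-style "not affected" records that carry a justification and an expiry date, so a finding is silenced only deliberately and resurfaces when the justification lapses. The scan data, vulnerability IDs and triage records are constructed placeholders, not real CVEs.

```python
import json
from datetime import date

# Constructed scanner output in Trivy's JSON shape. IDs are placeholders, not real CVEs.
SCAN_JSON = json.dumps({"Results": [{"Target": "example/app:latest (debian 12)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libfoo", "InstalledVersion": "1.0-1",
     "FixedVersion": "", "Severity": "CRITICAL"},          # no upstream fix yet
    {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libbar", "InstalledVersion": "2.3-1",
     "FixedVersion": "2.3-2", "Severity": "HIGH"},         # fix exists: rebuild the image
    {"VulnerabilityID": "CVE-0000-00003", "PkgName": "libbaz", "InstalledVersion": "0.9-1",
     "FixedVersion": "", "Severity": "CRITICAL"},
]}]})

# Constructed triage records modelled on VEX "not_affected" statements. Every suppression
# carries a justification and an expiry so it is re-examined instead of forgotten.
TRIAGE = {
    "CVE-0000-00001": {"status": "not_affected",
                       "justification": "vulnerable_code_not_in_execute_path",
                       "expires": "2099-01-01"},
    "CVE-0000-00003": {"status": "not_affected",
                       "justification": "component_not_present",
                       "expires": "2000-01-01"},  # already expired: must resurface
}


def triage(scan_json: str, triage_records: dict, today: str) -> dict:
    """Split findings into actionable, suppressed and expired-suppression buckets.

    A finding is only hidden while a triage record exists, has status not_affected
    and has not expired; everything else stays visible so the report keeps meaning.
    """
    today_d = date.fromisoformat(today)
    out = {"actionable": [], "suppressed": [], "expired": []}
    for result in json.loads(scan_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            entry = {"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                     "severity": v["Severity"], "fix_available": bool(v.get("FixedVersion"))}
            rec = triage_records.get(v["VulnerabilityID"])
            if rec is None or rec.get("status") != "not_affected":
                out["actionable"].append(entry)
            elif date.fromisoformat(rec["expires"]) < today_d:
                out["expired"].append({**entry, "justification": rec["justification"]})
            else:
                out["suppressed"].append({**entry, "justification": rec["justification"]})
    # Criticals first within the actionable list, so the short list is what gets read.
    out["actionable"].sort(key=lambda e: e["severity"] != "CRITICAL")
    return out


if __name__ == "__main__":
    print(json.dumps(triage(SCAN_JSON, TRIAGE, "2025-01-01"), indent=2))
```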