Description of problem:
Ran the CVE scan of the OpenSCAP tool on "cloudforms/cfme:latest" and it showed vulnerabilities.

Version-Release number of selected component (if applicable):
Digest: sha256:85635d603cae8e0414765ff858afb6f7c678c715e3c32e0fe9709db281a081b3
Satoe, I would imagine that this is not relevant anymore? Can you please verify?
Checked the image with the reported sha. The first 2 (RHSA-2016:1944-01 and RHSA-2016:1940-01) are not a problem on that image. The image has the RPMs with the CVE fixes already and I'm not sure why those CVEs are reported. The last one, RHSA-2016:1626-00, was indeed a problem. The CFME builds take the latest released RPMs from RHEL 7 repos. Since the CVE fix was released in August and the CFME build was in October, I don't understand why the new RPM wasn't included. The repos have been updated since, and I will not be able to check if there was a problem with the repo at the time. Confirmed the latest image (5.7.0.13) has all reported fixes included.
Verified on CR2 docker image of cloudforms/cfme. All previously found missing CVEs are included now. OpenSCAP report is green.