Minimus publishes security advisories for vulnerabilities affecting Minimus images and their dependencies. The information complements the vulnerability report provided for every image version. Select Advisories from the left menu to visit the list of advisories published for Minimus images (or use the direct link).
Affected images only refer to production images. Developement image variants (for example, an image tagged latest-dev) are excluded by default.Refer to version-specific vulnerability reports for information about vulnerabilities affecting development images. Learn more

Overview

Before you dive into the details, the advisories page top section shows helpful metrics about the advisories published for Minimus images:
  • Total number of new vulnerabilities detected in the past 7 days in Minimus images
  • Total number of vulnerabilities detected over the past year in Minimus images that are currently known as active exploits (i.e. they are on the CISA KEV list)
  • Total number of vulnerabilities detected over the past year in Minimus images that are currently labeled as likely exploits (i.e. they have a high EPSS probability score and are likely targets for exploitation).
  • Total number of critical severity vulnerabilities detected over the past year in Minimus images.

Advisories table

An advisory is published for every affected origin package. Every advisory lists all affected images and their respective fixed version information. Minimus Advisories Page The advisories table shows the following:
  • CVE ID or GitHub security advisory ID
  • Origin package affected by the vulnerability. Note that affected secondary packages are detailed in the vulnerability report for specific image versions.
  • Affected images (Filtered by default by production images. Excludes dev images, for example latest-dev.)
  • Severity as determined by NVD (CVSS score, where the most recent CVSS vector is shown). Learn more
  • Exploitability Learn more
  • Status
  • Date published
  • First detection
  • Last updated

Drill down on a security advisory

Click on an advisory in the table to view its detailed listing. The advisory shows general information about the vulnerability alongside detailed information listing all affected images, by origin package, and the status history. Learn more

Filtering, searching, and sorting advisories

  1. Filtering options To help you identify the relevant information quickly, you can filter the advisories list by affected images, severity, exploitability, and status. The filters are friendly UI elements, and do not require complex syntax.
  2. Search options You can search the advisories by a full or partial vulnerability ID and/or a package and image name. You can of course combine search terms with filtering criteria.
  3. Sorting options You may sort the advisories by their severity and last update.

Advisory status

StatusDescription
Under reviewMinimus is following up on the vulnerability report to confirm the report and determine if the vulnerable code affects the package.
AffectedThe vulnerability was confirmed by the Minimus team to be affecting the package.
UnaffectedThe vulnerability was determined to be a false-positive by Minimus. Reasoning is provided in a note.
Pending upstream fixMinimus is waiting for the source repo to publish a fix for the package. The image will be patched as soon as the fix becomes available.
FixedA patch was applied to remediate the vulnerability.
Fix not plannedUsually a fix is not planned for package versions that have reached their end of life (EOL). Reasoning is provided in a note.