Security Advisories
Keeping up with vulnerability reports for your images
Minimus publishes security advisories for vulnerabilities affecting packages used in Minimus images. These advisories complement the vulnerability report that is provided for every image version: the advisory tracks a vulnerability across packages over time, while the per-version report shows what is present in a specific image build.
Overview
Select Advisories from the left menu to open the advisories list. At the top of the page, before the table itself, you will see summary metrics for the advisories published for Minimus images:
- Total number of vulnerabilities published in the past 7 days
- Total number of vulnerabilities with an active or likely exploit detected over the past year
- Total number of critical severity vulnerabilities detected over the past year
Advisory Table
One advisory is published for each vulnerability and affected package pair, so a single vulnerability that affects several origin packages appears as several rows. The table lists all such advisories.
Information provided in the table:
- CVE ID or GitHub security advisory ID
- Origin package affected by the vulnerability. (The version-specific vulnerability reports list the secondary packages built from it and their affected versions.)
- Severity as determined by NVD (CVSS score). The most recent CVSS vector available is shown.
- Exploitability label, indicating whether an active or likely exploit has been detected for the vulnerability.
- Status
- Date published
- First detection
- Last update
Drill down on a security advisory
Click on an advisory in the table to view its detailed listing. The advisory shows general information about the vulnerability alongside detailed information for all affected packages and the history of each package's status.
Filtering, searching, and sorting advisories
Filtering options - To help you find the relevant advisories quickly, you can filter the list by status, severity, exploitability, date published, last update, and first detection. Filters are selected through the UI and do not require any query syntax.
Search options - You can also search advisories by CVE ID or package name, and combine search terms with filter criteria.
Sorting options - You can sort the advisories by severity or by last update.
Advisory statuses
| Status | Description |
|---|---|
| Under review | Minimus is validating the vulnerability report and determining whether the vulnerable code affects the package. |
| Affected | The Minimus team has confirmed that the vulnerability affects the package. |
| Unaffected | Minimus has determined that the report is a false positive for this package. The reasoning is provided in a note. |
| Pending upstream fix | Minimus is waiting for the upstream project to publish a fix for the package. The image will be patched as soon as the fix becomes available. |
| Fixed | A patch has been applied to remediate the vulnerability. |
| Fix not planned | No fix is planned, usually because the affected package version has reached its end of life (EOL). The reasoning is provided in a note. |