Open
Description
Docker Scout Version: 1.19.0
Dockerfile for image scanned:
```dockerfile
FROM registry.access.redhat.com/ubi8/ubi-minimal:8.8 as runtime
# Install dotnet runtime
RUN microdnf install -y --setopt=tsflags=nodocs "aspnetcore-runtime-8.0"
```
This pulls down the latest dotnet release - https://github.com/dotnet/core/blob/main/release-notes/8.0/README.md
```console
[root@c641bf7f359d /]# dotnet info
The command could not be loaded, possibly because:
  * You intended to execute a .NET application:
      The application 'info' does not exist.
  * You intended to execute a .NET SDK command:
      No .NET SDKs were found.

Download a .NET SDK:
https://aka.ms/dotnet/download

Learn about SDK resolution:
https://aka.ms/dotnet/sdk-not-found
[root@c641bf7f359d /]# dotnet --info
Host:
  Version:      8.0.23
  Architecture: x64
  Commit:       c96cd11cb2
  RID:          rhel.8-x64

.NET SDKs installed:
  No SDKs were found.

.NET runtimes installed:
  Microsoft.AspNetCore.App 8.0.23 [/usr/lib64/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 8.0.23 [/usr/lib64/dotnet/shared/Microsoft.NETCore.App]

Other architectures found:
  None

Environment variables:
  DOTNET_ROOT       [/usr/lib64/dotnet]

global.json file:
  Not found

Learn more:
  https://aka.ms/dotnet/info

Download .NET:
  https://aka.ms/dotnet/download
[root@c641bf7f359d /]# rpm -qa | grep dotnet
dotnet-host-10.0.2-1.el8_10.x86_64
dotnet-hostfxr-8.0-8.0.23-1.el8_10.x86_64
dotnet-runtime-8.0-8.0.23-1.el8_10.x86_64
```
However, Docker Scout flags CVEs going as far back as 2024, linking them to the dotnet rpm package / runtime:
```console
cat test.json | grep CVE-2024-43484
          "id": "CVE-2024-43484",
            "text": "CVE-2024-43484: "
          "helpUri": "https://scout.docker.com/v/CVE-2024-43484?s=redhat&n=dotnet8.0&ns=redhat&t=rpm&osn=redhatlinux&osv=8&vr=%3C8.0.110-1.el8_10",
          "ruleId": "CVE-2024-43484",
            "text": "Vulnerability :CVE-2024-43484 \nSeverity :HIGH \nPackage :pkg:rpm/redhat/dotnet8.0@8.0.23-1.el8_10?os_name=redhatlinux&os_version=8 \nAffected range :<8.0.110-1.el8_10 \nFixed version :8.0.110-1.el8_10 \nCVSS Score :7.5 \nCVSS Vector :CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H \nEPSS Score :0.012100 \nEPSS Percentile :0.785560
```
The above CVE, for example, was fixed in 8.0.1 (dotnet/announcements#328).
Some of the CVEs it seems to be incorrectly flagging:
dotnet/announcements#337
dotnet/announcements#338
dotnet/announcements#348
dotnet/announcements#356
dotnet/announcements#295
dotnet/announcements#291
dotnet/announcements#296
dotnet/announcements#307
dotnet/announcements#315
dotnet/announcements#314
dotnet/announcements#326
dotnet/announcements#327
dotnet/announcements#328
dotnet/announcements#329
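Editor's note with an added example (not Docker Scout's, Red Hat's or the reporter's code). The SARIF text above says Scout compared `dotnet8.0@8.0.23-1.el8_10` against the range `<8.0.110-1.el8_10`, while `rpm -qa` shows the installed binary package is `dotnet-runtime-8.0-8.0.23-1.el8_10`. The script below implements rpm's label comparison (rpmvercmp, without `^` handling) and an epoch:version-release comparison on top of it, then runs the values quoted on this page through it. It also tries a second comparison under an assumption that is mine, not stated on the page: that Red Hat versions the `dotnet8.0` source RPM by SDK version (8.0.1NN) while the `dotnet-runtime-8.0` subpackage carries the runtime version (8.0.NN), so `runtime_to_sdk_band` rebuilds the SDK band before comparing. The constants `SCOUT_PURL`, `AFFECTED_RANGE` and `INSTALLED_RPMS` are copied from the issue text; everything else is illustrative.

```python
"""Reproduce the version comparison behind the Scout finding quoted above.

Added example; not Docker Scout's or Red Hat's code. rpmvercmp below follows
rpm's algorithm (numeric segments beat alpha, longer numbers are larger,
'~' sorts before everything) but omits the '^' rule for brevity.
"""
import re

_TOK = re.compile(r"\d+|[A-Za-z]+|~")  # rpm ignores every other separator


def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version or release labels the way rpm does: -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _TOK.findall(a), _TOK.findall(b)
    i = 0
    while i < len(sa) or i < len(sb):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        # '~' sorts before anything, including the end of the label (1.0~rc1 < 1.0)
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            continue
        if x is None:  # b has more segments left, so b is newer
            return -1
        if y is None:
            return 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alpha segment
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):  # the longer number is larger: 110 > 23
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
        i += 1
    return 0


def split_evr(evr: str):
    """'[epoch:]version-release' -> (epoch, version, release); epoch defaults to 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    for x, y in zip(split_evr(a), split_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def is_affected(installed_evr: str, affected_range: str) -> bool:
    """Evaluate a Scout-style range such as '<8.0.110-1.el8_10' (only '<' appears on this page)."""
    if not affected_range.startswith("<"):
        raise ValueError(f"unsupported range: {affected_range}")
    return evrcmp(installed_evr, affected_range[1:]) < 0


def parse_nevra(nevra: str):
    """'dotnet-runtime-8.0-8.0.23-1.el8_10.x86_64' -> (name, version, release, arch)."""
    rest, arch = nevra.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    return name, version, release, arch


def purl_evr(purl: str) -> str:
    """'pkg:rpm/redhat/dotnet8.0@8.0.23-1.el8_10?os_name=...' -> '8.0.23-1.el8_10'."""
    return purl.split("@", 1)[1].split("?", 1)[0]


def runtime_to_sdk_band(runtime_version: str) -> str:
    """ASSUMPTION (not from the issue): the dotnet8.0 source RPM is versioned by SDK
    (8.0.1NN) and the runtime subpackage by runtime (8.0.NN), so runtime 8.0.23
    belongs to the 8.0.123 SDK band. Rebuild that band to compare like with like."""
    major, minor, patch = runtime_version.split(".")
    return f"{major}.{minor}.{100 + int(patch)}"


# Values copied from the SARIF text and the `rpm -qa` output quoted in the issue.
SCOUT_PURL = "pkg:rpm/redhat/dotnet8.0@8.0.23-1.el8_10?os_name=redhatlinux&os_version=8"
AFFECTED_RANGE = "<8.0.110-1.el8_10"
INSTALLED_RPMS = [
    "dotnet-host-10.0.2-1.el8_10.x86_64",
    "dotnet-hostfxr-8.0-8.0.23-1.el8_10.x86_64",
    "dotnet-runtime-8.0-8.0.23-1.el8_10.x86_64",
]


def analyse() -> dict:
    """Compare the page's values both ways and return the outcome of each comparison."""
    reported = purl_evr(SCOUT_PURL)
    name, version, release, _ = parse_nevra(INSTALLED_RPMS[2])
    sdk_evr = f"{runtime_to_sdk_band(version)}-{release}"
    return {
        "binary_rpm": name,
        "reported_evr": reported,
        "flagged_as_reported": is_affected(reported, AFFECTED_RANGE),
        "sdk_band_evr": sdk_evr,
        "flagged_with_sdk_band": is_affected(sdk_evr, AFFECTED_RANGE),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

Run as-is it shows that, under rpm ordering, `8.0.23-1.el8_10` is indeed older than `8.0.110-1.el8_10` (23 has fewer digits than 110), so a scanner that pairs the source package name `dotnet8.0` with the runtime subpackage's version will always report these CVEs as unfixed; with the assumed SDK-band mapping the same host compares as `8.0.123-1.el8_10` and is not flagged. Whether that mapping is what Scout should be doing is for the maintainers to confirm.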