Skip to main content

Addressing Container CVEs

Our container image repositories include a GitHub Actions workflow that scans for Common Vulnerabilities and Exposures (CVEs). This workflow runs when a pull request is created, and also on a schedule. It only identifies CVEs classified as HIGH or CRITICAL for which a fix is available.

The two options for addressing an identified vulnerability are to fix it or skip it. The decision depends on the origin of the CVE, which could be the operating system, a system package, a library or a third party binary.

Our priority should be to fix it, and we should only skip it when we cannot fix it.

An example of something we could skip is when using the latest available binary from a third party. At the time of writing this documentation, the latest version of Cloud Platform’s CLI (1.40.1) which we bundle in Analytical Platform Cloud Development Environment Base has the following CVEs.

usr/local/bin/cloud-platform (gobinary)
=======================================
Total: 2 (HIGH: 1, CRITICAL: 1)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2024-45337 │ CRITICAL │ fixed  │ v0.19.0           │ 0.31.0        │ golang.org/x/crypto/ssh: Misuse of                     │
│                     │                │          │        │                   │               │ ServerConfig.PublicKeyCallback may cause authorization │
│                     │                │          │        │                   │               │ bypass in golang.org/x/crypto                          │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45337             │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ golang.org/x/net    │ CVE-2024-45338 │ HIGH     │        │ v0.21.0           │ 0.33.0        │ golang.org/x/net/html: Non-linear parsing of           │
│                     │                │          │        │                   │               │ case-insensitive content in golang.org/x/net/html      │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338             │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘
This page was last reviewed on 10 March 2025. It needs to be reviewed again on 10 June 2025 by the page owner #analytical-platform-notifications .