
missing CVE data

Open mcandre opened this issue 3 months ago • 2 comments

Docker Scout treats images vulnerable to CVE-2025-11579 as having a clean bill of health with no CVEs.

Whereas Snyk Container identifies this, and other CVEs in the Snyk Vulnerability Database.

https://www.cve.org/CVERecord?id=CVE-2025-11579

https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMNWAPLESRARDECODEV2-13537508

Can we please sync more data between the Docker Scout and Snyk databases? As a developer, it's confusing to see mutually exclusive security reports. Very, very, very often, Docker Scout and Snyk report completely different sets of CVEs.

mcandre avatar Oct 29 '25 20:10 mcandre

@mcandre, thanks for raising this. Scout has the same CVE as Snyk at https://scout.docker.com/vulnerabilities/id/CVE-2025-11579. Could you point me at an image where Scout is not reporting this CVE but Snyk is? Thanks.

cdupuis avatar Oct 29 '25 20:10 cdupuis

Interesting.

I saw the gap appear in several different places:

  • go.mod
  • go.sum
  • vendor from go mod vendor
  • Go executables built with rardecode dependencies
  • fs://. with the above, such as a git repository clone

Docker Scout has ample SBOM files on both images and hosts to trigger a finding, but it never does.

The image and host directory tree involved are enterprise projects.

mcandre avatar Oct 29 '25 20:10 mcandre
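An added example, not code from this issue, from Docker Scout or from Snyk: a small Go program that pulls the version of the module in question out of each artifact the comment above lists (go.mod, go.sum, vendor/modules.txt, and a built executable via the build info the Go linker embeds), so the version a project actually ships can be checked by hand against the affected range in the CVE record linked above, independently of what either scanner reports. The module path github.com/nwaples/rardecode/v2 is inferred from the Snyk advisory ID; the sample go.mod, go.sum and modules.txt contents, and the v2.0.0 version in them, are constructed for the demo and say nothing about which versions are affected.

```go
package main

import (
	"bufio"
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

const (
	// Module path inferred from the Snyk advisory ID in the issue (an assumption).
	TargetModule = "github.com/nwaples/rardecode/v2"
	// Constructed sample inputs, not taken from the issue, so the program runs offline.
	SampleGoMod      = "module example.com/app\ngo 1.22\nrequire (\n\tgithub.com/nwaples/rardecode/v2 v2.0.0 // indirect\n\tgolang.org/x/text v0.14.0\n)\n"
	SampleGoSum      = "github.com/nwaples/rardecode/v2 v2.0.0 h1:constructed=\ngithub.com/nwaples/rardecode/v2 v2.0.0/go.mod h1:constructed=\n"
	SampleModulesTxt = "# github.com/nwaples/rardecode/v2 v2.0.0\n## explicit; go 1.22\ngithub.com/nwaples/rardecode/v2\n"
)

// fields splits text into non-empty lines of tokens, dropping "// ..." comments
// (go.mod marks transitive dependencies with "// indirect").
func fields(text string) [][]string {
	var out [][]string
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		l, _, _ := strings.Cut(sc.Text(), "//")
		if f := strings.Fields(l); len(f) > 0 {
			out = append(out, f)
		}
	}
	return out
}

// VersionsInGoMod returns the versions go.mod requires for module, in single-line
// and block form. A replace directive or minimal version selection can override
// these, so the executable's embedded build info is the authoritative source.
func VersionsInGoMod(text, module string) []string {
	var out []string
	inBlock := false
	for _, f := range fields(text) {
		switch {
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == ")":
			inBlock = false
		case f[0] == "require" && len(f) >= 3 && f[1] == module:
			out = append(out, f[2])
		case inBlock && len(f) >= 2 && f[0] == module:
			out = append(out, f[1])
		}
	}
	return out
}

// VersionsInListing handles go.sum ("path version[/go.mod] hash") and
// vendor/modules.txt ("# path version ..."), returning the distinct versions seen.
// go.sum may keep versions that are no longer built, so treat its hits as leads.
func VersionsInListing(text, module string) []string {
	seen := map[string]bool{}
	var out []string
	for _, f := range fields(text) {
		if f[0] == "#" { // modules.txt prefixes each module line with "# "
			f = f[1:]
		}
		if len(f) < 2 || f[0] != module {
			continue
		}
		if v := strings.TrimSuffix(f[1], "/go.mod"); !seen[v] {
			seen[v] = true
			out = append(out, v)
		}
	}
	return out
}

// VersionsInBinary reads the build info the Go linker embeds in module-built
// executables (what `go version -m` prints), honouring replace directives.
func VersionsInBinary(path, module string) ([]string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, d := range bi.Deps {
		if d.Path == module && d.Replace != nil {
			out = append(out, "replaced:"+d.Replace.Path+"@"+d.Replace.Version)
		} else if d.Path == module {
			out = append(out, d.Version)
		}
	}
	return out, nil
}

func main() {
	fmt.Println("go.mod:", VersionsInGoMod(SampleGoMod, TargetModule))
	fmt.Println("go.sum:", VersionsInListing(SampleGoSum, TargetModule))
	fmt.Println("vendor/modules.txt:", VersionsInListing(SampleModulesTxt, TargetModule))
	for _, p := range os.Args[1:] { // each argument is a Go executable to inspect
		vs, err := VersionsInBinary(p, TargetModule)
		fmt.Println(p+":", vs, err)
	}
}
```

Saved as, say, modver.go (a hypothetical file name), `go run modver.go ./some-binary` prints the versions found in the constructed samples and then the version compiled into the given executable. The executable's build info is the only one of the four sources that reflects replace directives and the version minimal version selection actually picked; go.sum in particular can list versions that are no longer built, so a hit there is a reason to look at the binary, not proof on its own.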