Hi Tomas,
Remediation of CVEs is part of an ongoing effort in DV 1.7.x (CP4D 4.0.x). The same is not available for DV 1.5, which you have asked about, nor are updates for DV 1.5 being provided. All customers still using DV versions prior to DV 1.7.x/CP4D 4.0.x are urged to upgrade to DV on CP4D 4.0.x to benefit from the remediation effort and fixes.
With regard to your question of whether they are legitimate or false positives, there is a significant change between DV 1.5 and 1.7 that makes comparison of any list of CVEs difficult. So it is hard to say, unless referring to a specific CVE, whether it was analyzed as legitimate or false positive, or if there is a fix already delivered in DV 1.7.x.
Hope this answers your question.
------------------------------
Shantanu Mundkur
------------------------------
Original Message:
Sent: Fri December 03, 2021 05:50 PM
From: Tomas Carlos Otaño
Subject: Repository: cloudpak4data/dv-engine |Findings in Security Vulnerability Scans
We have installed Defender Agent and deployed Prisma Cloud in a couple of clusters with CP4data and there are a lot of records that suggest there might be vulnerabilities in several packages. Is anyone aware of this or has anyone walked through this concern? Is there any chance of probing which are legitimate or false positives? Thanks!
Detail:
Registry: image-registry.openshift-image-registry.svc:5000
Repository: cloudpak4data/dv-engine
Tag: v1.5.0.0-234
------------------------------
Tomas Carlos Otaño
------------------------------
#CloudPakforDataGroup