EJBCA community container: Trivy reports High CVEs

[WilliamM7]

Hi all,

we’re evaluating the EJBCA community container and Trivy reports persistent Critical/High vulnerabilities. Since we don’t build this image ourselves, we’re trying to understand whether these are false positives due to backports or if a new image is planned.

Questions:

1. Are these true positives, or are the listed packages backported/fixed in the base OS (version unchanged)?
2. Is there a patched tag/digest you recommend, or a release plan to address these CVEs?
3. For vulnerability status, should we primarily rely on your advisories/distro trackers, or is NVD sufficient for EJBCA images?
4. Do you publish an SBOM or image signatures/attestations we can verify?

Image: keyfactor/ejbca-ce:9.1.1

[primetomas]

• We supply container SBOMs here.
• You can find the EJBCA SBOM here.
• EJBCA publishes CVEs.

CVE scans always comes with work for the person who scans, while the base image is updated for each feature release, you need to do some work, such as checking that you don't use any freeips based services on the EJBCA container (it doesn't in any way), kerberos is not configured or used, or that EJBCA is java based and openssl is not used. There are other factors when you read the details of CVEs most of the time making them not relevant. So yes unfortunately scans will (almost) always give false positives and it is some work to look at them and mark as not affected. We put them out when we can and need to, but there are constantly new ones which are almost always not affecting.

(CVE assessment does come as a kind of service with Enterprise SLA).