Security Advisories
Keeping up with vulnerability reports for your images
Minimus publishes security advisories for vulnerabilities affecting packages used in Minimus images. The information complements the vulnerability report provided for every image version.
Select Advisories from the left menu to visit the list of advisories published for Minimus images (or use the direct link).
Overview
Before you dive into the details, the top of the advisories page shows helpful metrics about the advisories published for Minimus images:
- Total number of vulnerabilities published in the past 7 days
- Total number of vulnerabilities published in the past year that are currently labeled as active exploits (meaning they are on the CISA KEV list)
- Total number of vulnerabilities published in the past year that are currently labeled as likely to be exploited (meaning they have a high EPSS probability score)
- Total number of critical severity vulnerabilities published over the past year
Advisories Table
A CVE advisory is published for every affected origin package. The advisories table shows the following information:
- CVE ID or GitHub security advisory ID
- Origin package affected by the vulnerability. (Note that the vulnerability report for a specific image version details the secondary packages.)
- Severity as determined by NVD (CVSS score, where the most recent CVSS vector is shown). Learn more
- Exploitability label. Learn more
- Status
- Date published
- First detection
- Last updated
Drill down on a security advisory
Click on an advisory in the table to view its detailed listing. The advisory shows general information about the vulnerability alongside detailed information for all affected packages and their status history. Learn more
Filtering, searching, and sorting advisories
Filtering options - To help you identify the relevant information quickly, you can filter the advisories list by status, severity, exploitability, date published, last update, and first detection. The filters are friendly UI elements, and do not require complex syntax.
Search options - You can also search advisories by a CVE ID or package name, and combine your search terms with filtering criteria.
Sorting options - You may sort the advisories by their severity and last update.
Advisory statuses
| Status | Description |
|---|---|
| Under review | Minimus is following up on the vulnerability report to confirm the report and determine if the vulnerable code affects the package. |
| Affected | The vulnerability was confirmed by the Minimus team to be affecting the package. |
| Unaffected | The vulnerability was determined to be a false-positive by Minimus. Reasoning is provided in a note. |
| Pending upstream fix | Minimus is waiting for the source repo to publish a fix for the package. The image will be patched as soon as the fix becomes available. |
| Fixed | A patch was applied to remediate the vulnerability. |
| Fix not planned | Usually a fix is not planned for package versions that have reached their end of life (EOL). Reasoning is provided in a note. |