
Trivy scan on this project image is showing critical vulnerabilities #242

Open
austinsonger opened this issue Jul 27, 2021 Discussed in #240 · 4 comments
Labels
external Has external dependencies

Comments

@austinsonger
Contributor

austinsonger commented Jul 27, 2021

Discussed in #240

Originally posted by MarcosSarzi-Neo July 26, 2021
I am executing some tests using this image from Docker and I am getting some critical vulnerabilities from it. Where should I ask for help?

localhost:gvm (alpine 3.14.0)
agent_1  | =============================
agent_1  | Total: 0 (HIGH: 0, CRITICAL: 0)
agent_1  | 
agent_1  | 
agent_1  | usr/share/texmf-dist/scripts/latex2nemeth/latex2nemeth-v1.0.2.jar (jar)
agent_1  | =======================================================================
agent_1  | Total: 2 (HIGH: 1, CRITICAL: 1)
agent_1  | 
agent_1  | +-----------------------------------------+------------------+----------+-------------------+---------------+
agent_1  | |                 LIBRARY                 | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
agent_1  | +-----------------------------------------+------------------+----------+-------------------+---------------+
agent_1  | | org.apache.commons:commons-collections4 | CVE-2015-7501    | CRITICAL |               4.0 |           4.1 |
agent_1  | +                                         +------------------+----------+                   +               +
agent_1  | |                                         | CVE-2015-6420    | HIGH     |                   |               |
agent_1  | +-----------------------------------------+------------------+----------+-------------------+---------------+
agent_1  | 
agent_1  | usr/share/texmf-dist/scripts/texplate/texplate.jar (jar)
agent_1  | ========================================================
agent_1  | Total: 1 (HIGH: 1, CRITICAL: 0)
agent_1  | 
agent_1  | +------------------------------------------+------------------+----------+-------------------+---------------+
agent_1  | |                 LIBRARY                  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
agent_1  | +------------------------------------------+------------------+----------+-------------------+---------------+
agent_1  | | org.apache.velocity:velocity-engine-core | CVE-2020-13936   | HIGH     |               2.2 |           2.3 |
agent_1  | +------------------------------------------+------------------+----------+-------------------+---------------+
@MarcosSarzi-Neo

Mine is showing the same.

@Dexus
Contributor

Dexus commented Jul 27, 2021

Mine is showing the same.

This was your report in the discussion. ;)

The package and the author details are at https://git.alpinelinux.org/aports/tree/community/texmf-dist/APKBUILD.

You can open an Issue at https://gitlab.alpinelinux.org/alpine/aports/-/issues

I'm currently not on the correct system to do it, so if one of you has time to do it, feel free.

@Dexus
Contributor

Dexus commented Jul 27, 2021

I opened the issue: https://gitlab.alpinelinux.org/alpine/aports/-/issues/12874

@Dexus Dexus added the external Has external dependencies label Jul 27, 2021
@Dexus
Contributor

Dexus commented Jul 27, 2021

texplate will be released in the next few days to cpan.org, so we need to wait for the other distros to use the new version.
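The triage this thread ends up with (the HIGH/CRITICAL findings live under Alpine's texmf-dist package, so they are reported upstream rather than fixed in this repository) as an added Python example; this is not code from the issue or the project. The Trivy JSON is constructed from the three findings quoted above, and the external path prefix and the CI gate policy are assumptions.

```python
import json
from collections import Counter

# Constructed Trivy JSON report (Trivy's "Results" layout) reproducing the
# three findings quoted in the issue; not real scanner output.
REPORT_JSON = """{
  "Results": [
    {"Target": "localhost:gvm (alpine 3.14.0)", "Type": "alpine", "Vulnerabilities": []},
    {"Target": "usr/share/texmf-dist/scripts/latex2nemeth/latex2nemeth-v1.0.2.jar", "Type": "jar",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-2015-7501", "PkgName": "org.apache.commons:commons-collections4",
        "InstalledVersion": "4.0", "FixedVersion": "4.1", "Severity": "CRITICAL"},
       {"VulnerabilityID": "CVE-2015-6420", "PkgName": "org.apache.commons:commons-collections4",
        "InstalledVersion": "4.0", "FixedVersion": "4.1", "Severity": "HIGH"}]},
    {"Target": "usr/share/texmf-dist/scripts/texplate/texplate.jar", "Type": "jar",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-2020-13936", "PkgName": "org.apache.velocity:velocity-engine-core",
        "InstalledVersion": "2.2", "FixedVersion": "2.3", "Severity": "HIGH"}]}
  ]
}"""

# Assumed: paths owned by a distro package the image merely installs (here
# Alpine's texmf-dist); findings there are tracked upstream, not in this repo.
EXTERNAL_PREFIXES = ("usr/share/texmf-dist/",)

def triage(report_json, external_prefixes=EXTERNAL_PREFIXES, gate_on=("CRITICAL", "HIGH")):
    """Split gate-level findings into 'external' (under a known distro-package
    path) and 'project' (everything else). Returns (per_target_counts, external, project)."""
    report = json.loads(report_json)
    per_target, external, project = {}, [], []
    for result in report.get("Results", []):
        target = result["Target"]
        vulns = result.get("Vulnerabilities") or []  # key is absent when a target is clean
        per_target[target] = Counter(v["Severity"] for v in vulns)
        for v in vulns:
            if v["Severity"] not in gate_on:
                continue
            row = (target, v["PkgName"], v["VulnerabilityID"], v["Severity"], v.get("FixedVersion", ""))
            (external if target.startswith(external_prefixes) else project).append(row)
    return per_target, external, project

def ci_should_fail(report_json):
    """Assumed gate policy: fail only on HIGH/CRITICAL findings the project itself can fix."""
    _, _, project = triage(report_json)
    return bool(project)

if __name__ == "__main__":
    counts, ext, _ = triage(REPORT_JSON)
    print(counts, ext, "fail build:", ci_should_fail(REPORT_JSON))
```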
