The Difference

Last week I posted that we have a vulnerability search engine superior to the competition. Those who already know DocExploit products did not doubt it, but someone who works on a competitor's product wrote to me and said that if that is the case, we should show the results.

No sooner said than done. Below is a CVE statistic for the following Docker image:

Date: 06/11/23
Image: docker pull redhat/ubi9:9.2
Hash: 20CEF057605E396D5EBEA057DCF2BD7702CB3AD13682E7B8E801ED18227CB779

Distro info:

BUG_REPORT_URL=https://bugzilla.redhat.com/
REDHAT_BUGZILLA_PRODUCT_VERSION=9.2
PRETTY_NAME=Red Hat Enterprise Linux 9.2 (Plow)
LOGO=fedora-logo-icon
REDHAT_BUGZILLA_PRODUCT=Red Hat Enterprise Linux 9
CPE_NAME=cpe:/o:redhat:enterprise_linux:9::baseos
NAME=Red Hat Enterprise Linux
VERSION_ID=9.2
HOME_URL=https://www.redhat.com/
PLATFORM_ID=platform:el9
ID_LIKE=fedora
REDHAT_SUPPORT_PRODUCT_VERSION=9.2
VERSION=9.2 (Plow)
ID=rhel
ANSI_COLOR=0;31
REDHAT_SUPPORT_PRODUCT=Red Hat Enterprise Linux
DOCUMENTATION_URL=https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9

Engines compared: Grype (0.72), Google Artifact Analysis (6/11/2023), Docker Scout (v1.0.9) and Snyk (v1.1238.0)

(Note: the numbering 1 to 4 does not correspond to the order in which the products are named.)

It should be noted that one package skews the data somewhat: vim-minimal 8.2.2637 already has 158 CVEs associated with it, and every engine locates it. If we look at this package within the analysis, it looks like this:

All this without counting a set of executables for which we would have to add 8 medium, 17 high and 11 critical vulnerabilities that the other engines also fail to discover, which would further increase our differential with respect to the competition.
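As an added illustration of the comparison described above (not code from the post or from DocExploit, and not reproducing its numbers), the script below does two things a practitioner would want when checking such a claim: it parses the image's /etc/os-release data (the values quoted in the post) to extract the distro identity a scanner matches advisories against, and it tallies findings per engine and per severity, with and without a package that dominates the totals, listing which CVEs every engine agrees on and which only one engine reports. The engine names, the findings and the CVE identifiers are constructed placeholders, not real results; the "(unpackaged)" marker is an assumption standing in for binaries that belong to no installed RPM, the category the post says adds further findings.

```python
"""Offline comparison of vulnerability findings from several scanners.

Added example; findings and CVE ids below are constructed placeholders.
"""
from collections import Counter

SEVERITIES = ("Low", "Medium", "High", "Critical")
UNPACKAGED = "(unpackaged)"   # assumption: binary not owned by any installed RPM

# /etc/os-release values as quoted in the post (quoting style as in the file).
OS_RELEASE = """
NAME="Red Hat Enterprise Linux"
VERSION="9.2 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.2 (Plow)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.2
"""


def parse_os_release(text):
    """Return os-release KEY=VALUE pairs as a dict with shell quoting removed."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        info[key.strip()] = value.strip().strip('"').strip("'")
    return info


def feed_identity(info):
    """The (distro id, version, CPE) triple a scanner keys its advisory feed on."""
    return info["ID"], info["VERSION_ID"], info.get("CPE_NAME", "")


# Constructed sample: engine -> list of (cve_id, package, severity).
FINDINGS = {
    "engine1": [
        ("CVE-0000-0001", "vim-minimal", "High"),
        ("CVE-0000-0002", "vim-minimal", "Medium"),
        ("CVE-0000-0003", "openssl-libs", "Critical"),
        ("CVE-0000-0004", UNPACKAGED, "Critical"),
        ("CVE-0000-0005", UNPACKAGED, "High"),
    ],
    "engine2": [
        ("CVE-0000-0001", "vim-minimal", "High"),
        ("CVE-0000-0002", "vim-minimal", "Medium"),
        ("CVE-0000-0003", "openssl-libs", "Critical"),
    ],
    "engine3": [
        ("CVE-0000-0001", "vim-minimal", "High"),
        ("CVE-0000-0002", "vim-minimal", "Medium"),
        ("CVE-0000-0006", "curl", "Low"),
    ],
}


def severity_counts(findings, exclude_packages=()):
    """Count findings per severity, optionally leaving out skewing packages."""
    counts = Counter(sev for _, pkg, sev in findings if pkg not in exclude_packages)
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def cve_ids(findings):
    return {cve for cve, _, _ in findings}


def found_by_all(findings_by_engine):
    """CVEs every engine reports (the uncontroversial baseline)."""
    sets = [cve_ids(f) for f in findings_by_engine.values()]
    return set.intersection(*sets) if sets else set()


def unique_to(engine, findings_by_engine):
    """CVEs only this engine reports: the differential the post talks about."""
    others = set().union(
        *(cve_ids(f) for name, f in findings_by_engine.items() if name != engine))
    return cve_ids(findings_by_engine[engine]) - others


def unpackaged_counts(findings):
    """Severity tally restricted to binaries that belong to no package."""
    return severity_counts([f for f in findings if f[1] == UNPACKAGED])


if __name__ == "__main__":
    print("feed identity:", feed_identity(parse_os_release(OS_RELEASE)))
    print("found by all:", sorted(found_by_all(FINDINGS)))
    for name, findings in FINDINGS.items():
        print(name, severity_counts(findings),
              "without vim-minimal:", severity_counts(findings, ("vim-minimal",)),
              "unique:", sorted(unique_to(name, FINDINGS)))
```

The per-engine "unique" set is what needs manual review in a real comparison: a CVE only one engine reports is either a genuine gap in the others or a false positive, and the post's later promised false-positive statistics are what would settle which.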

For everyone who has not yet tried the tool, I invite you to take the test: everyone is surprised, not only by the level of accuracy but by how fast we are able to scan an image.

Another day I will give you the statistics on false positives generated by the tools; today I just wanted to show you what worries me most: vulnerabilities that other engines are unable to locate and that can be used to attack our environment.

More articles by Jose Maria Pulgar (PMP - ITIL - AGIL - CISA - CCSK)
