The default Xray scan of this package should reveal over 500 CVEs, as this package has many dependencies with known vulnerabilities. Xray is able to detect these, and we will focus on two CVEs from the original blog: CVE-2013-7285 (Applicable) and CVE-2022-21724 (Not applicable).
The "Advanced Scan" option should be available if JAS is installed and running correctly. You need to initiate an Advanced Scan after reviewing the original Xray results.
You can use the filter item to locate each CVE and review its details. In particular, note the "Impact Paths" chart, which shows where Xray found the vulnerability within the image layers:
CVE-2013-7285
The blog goes into more detail about why exactly this CVE is applicable, and it should appear with these menu items after Xray and JAS have completed their scans.
CVE-2022-21724
As described in the blog, the Postgres issue that Xray initially detected in the JDBC driver doesn't apply to the image because the vulnerable function isn't ever called.
There should be similar findings for the rest of the ~500 security vulnerabilities; more than half of the "Critical" CVEs shouldn't apply.