
Question regarding a vulnerability (CVE-2023-45288), vuln scans & results publishing #3137

Open
juanibuqt opened this issue Apr 25, 2024 · 1 comment

Comments

@juanibuqt

Hello team,

I am writing to you because of the following:

Reviewing past vulnerabilities found in Kaniko, I encountered the Platform One log for hardened containers, and there is a Kaniko repo there as well:

Overview - Iron Bank

Iron Bank Containers / Opensource / Kaniko / Kaniko - GitLab

Iron Bank Containers / dccscr - GitLab

Now, checking their pipeline (they use some tools, like anchore-scan, openscap-compliance and twistlock-scan; https://repo1.dso.mil/dsop/opensource/kaniko/kaniko/-/pipelines/3142932), I noticed that in their last scan a vulnerability was found:

twistlock-scan (#33588235) - Jobs - Iron Bank Containers / Opensource / Kaniko / Kaniko - GitLab (CVE-2023-45288 - Moderate)

I understand that the scanned version in this repo is kaniko:v1.22.0, which is the latest released version (Release v1.22.0, 2024-03-26, GoogleContainerTools/kaniko).

Questions:

  1. Are you already aware of this vulnerability?
  2. Is it possible to check the results of your vulnerability scans, which are done every night with anchore-grype? This could be a good complement (I noticed that the results are shown in a txt file, but I couldn't find the results in this repository).

Thank you!

@juanibuqt
Author

Hi, any update about this? Ty!
