Merge pull request #17207 from ChrisChinchilla/chrisward/scout-combine

Move Scout package ecosystem section
Chris Chinchilla 2023-05-09 11:24:23 +02:00 committed by GitHub
commit 730d8cbccc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 19 additions and 18 deletions


@ -19,21 +19,6 @@ exposures (CVEs) for the image in the **Tags** section. The **Tags** tab shows a
The **Images** section of Docker Desktop shows an overview of CVEs for an image and the details view shows all vulnerabilities.
Advanced image analysis supports the following package ecosystems:
- .NET
- GitHub packages
- Go
- Java
- JavaScript
- PHP
- Python
- RPM
- Ruby
- `alpm` (Arch Linux)
- `apk` (Alpine Linux)
- `deb` (Debian Linux and derivatives)
## Activate Advanced image analysis
Advanced image analysis is an early access feature and activated on a
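Review bot: the ecosystem list (`- .NET` through `` - `deb` (Debian Linux and derivatives) ``) is removed from this page without leaving any pointer to where it now lives, so a reader of the Advanced image analysis page loses the supported-ecosystem information entirely. Suggest replacing the removed block with a one-line cross-reference to the new section in the Advisory Database document, e.g. `For the package ecosystems Docker Scout can analyze, see [Advisory Database sources and matching service](./advisory-db-sources.md).` (link target is a guess; use the real file name).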


@ -1,6 +1,6 @@
---
description: More details on the Docker Scout Advisory Database and CVE-to-package matching service.
keywords: scanning, vulnerabilities, Hub, supply chain, security
keywords: scanning, analysis, vulnerabilities, Hub, supply chain, security
title: Advisory Database sources and matching service
---
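Review bot: the `keywords` line keeps `scanning` while adding `analysis`, even though the body text in this same commit renames "scanning" to "analyzing". If the old term is kept on purpose so existing searches still land here, that is fine; otherwise drop it for consistency with the rename.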
@ -61,7 +61,7 @@ images that Docker Scout can then match to CVEs. Find more details on how this
works in the [Advanced image analysis
document](http://./advanced-image-analysis.md).
Docker Scout is ideal for scanning images in Docker Desktop and Docker Hub, but
Docker Scout is ideal for analyzing images in Docker Desktop and Docker Hub, but
the flexibility of the approach also means it can integrate with other image
sources, for example, [JFrog
Artifactory](https://docs.docker.com/scout/artifactory/).
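Review bot: the unchanged context line `document](http://./advanced-image-analysis.md).` shows a relative path prefixed with `http://`, which would not resolve if that is really what the source file contains rather than a rendering artifact; confirm the file reads `(./advanced-image-analysis.md)` or `(advanced-image-analysis.md)`. Related style point: this link is relative while the Artifactory link on the next lines is an absolute `https://docs.docker.com/scout/artifactory/` URL; the page should use one convention for in-site links.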
@ -73,7 +73,6 @@ Many other tools use fuzzy [Common Product Enumeration
wild cards to known vulnerabilities with the versions of software packages they affect.
This can return a lot of false positives which you need to triage.
The typical structure of a CPE match looks like this:
```
@ -103,3 +102,20 @@ system versions to make more precise matches.
In summary, Docker Scouts technique improves matching accuracy and reduces the
number of results that turn out to be false-positives.
## Package ecosystems supported by the Docker Scout Advisory Database
By sourcing vulnerability data from the providers above, Docker Scout is able to support analyzing the following package ecosystems:
- .NET
- GitHub packages
- Go
- Java
- JavaScript
- PHP
- Python
- RPM
- Ruby
- `alpm` (Arch Linux)
- `apk` (Alpine Linux)
- `deb` (Debian Linux and derivatives)
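Review bot: `- GitHub packages` names a registry, not a package ecosystem like the other entries (`.NET`, `Go`, `Java`, `RPM`, `apk`, ...), so it is unclear whether this means packages hosted on GitHub Packages or vulnerability data sourced from GitHub; clarify the entry or move it to the list of data providers this section refers to with "the providers above". Also, the unchanged context line `In summary, Docker Scouts technique improves matching accuracy` is missing an apostrophe (`Docker Scout's technique`); since this hunk already touches the surrounding lines, fixing it here would be cheap.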