Conversation

@adrobuta
Contributor

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages are release-note ready, emphasizing what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___)
  • Includes product update to be announced in the next stable release notes

What does this PR do?

Updates snyk-docker-plugin to v8.15.1 to fix false positive vulnerabilities reported for RHEL 10 container images.

Problem

Users scanning RHEL 10 images receive false positive vulnerability reports where the installed package version already contains the fix. Example:

✗ High severity vulnerability found in pam-libs
  Description: Directory Traversal
  Introduced through: pam-libs@1.6.1-8.el10
  Fixed in: 0:1.6.1-8.el10

The installed version (1.6.1-8.el10) and the fixed version (0:1.6.1-8.el10) are semantically identical—the 0: prefix is just the default epoch.

Root Cause

For RHEL 10, the vulnerability matching logic uses the source package information from the upstream PURL qualifier. The plugin was constructing this qualifier with only the version number (e.g., pam@1.6.1), omitting the release component (-8.el10). This caused version comparisons to fail because 1.6.1 is evaluated as older than 1.6.1-8.el10.

Solution

The snyk-docker-plugin v8.15.1 fix includes the full version with release component in the upstream qualifier (e.g., pam@1.6.1-8.el10), enabling accurate version matching.

Where should the reviewer start?

package.json — single dependency version update

How should this be manually tested?

# Build the CLI with the updated dependency
npm install && npm run build

# Scan a RHEL 10 image
./bin/snyk container test registry.access.redhat.com/ubi10/ubi-micro:latest

# Expected: No false positives where "Fixed in" matches installed version
# Before: 4 issues (including pam-libs, glibc false positives)
# After:  1 issue (only coreutils-single - confirmed by Red Hat)

What's the product update that needs to be communicated to CLI users?

Container Scanning: Fixed false positive vulnerabilities for Red Hat Enterprise Linux 10 images where packages were incorrectly reported as vulnerable despite already being patched.

Risk Assessment

Low

  • Dependency version bump only
  • Reduces false positives without impacting true positive detection
  • Covered by existing tests in snyk-docker-plugin

Any background context you want to provide?

What are the relevant tickets?
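
The version comparison described under Root Cause and Solution, as an added illustration that is not code from snyk-docker-plugin or the Snyk CLI: a simplified RPM epoch:version-release comparison (rpm's `~` and `^` separators are not handled) showing that `1.6.1-8.el10` and `0:1.6.1-8.el10` compare equal once the default epoch is applied, while the truncated `1.6.1` qualifier compares older than the fixed version and so yields the false positive. The `isPatched` matcher is a hypothetical helper, not the plugin's matching logic.

```javascript
// Added example, not snyk-docker-plugin code: simplified RPM EVR comparison
// (rpm's "~" and "^" separators are not handled).
// Split "epoch:version-release". A missing epoch defaults to 0, so
// "1.6.1-8.el10" equals "0:1.6.1-8.el10"; a missing release (the truncated
// "pam@1.6.1" qualifier) becomes "".
function parseEvr(evr) {
  let epoch = 0, rest = evr;
  const colon = rest.indexOf(":");
  if (colon !== -1) {
    epoch = parseInt(rest.slice(0, colon), 10);
    rest = rest.slice(colon + 1);
  }
  const dash = rest.indexOf("-");
  return {
    epoch,
    version: dash === -1 ? rest : rest.slice(0, dash),
    release: dash === -1 ? "" : rest.slice(dash + 1),
  };
}
// rpmvercmp-style: alternating numeric/alphabetic segments; numeric beats
// alphabetic; when shared segments tie, more segments means newer, so an
// empty string sorts older than any non-empty one.
function rpmvercmp(a, b) {
  const segs = (s) => s.match(/\d+|[A-Za-z]+/g) || [];
  const sa = segs(a), sb = segs(b);
  for (let i = 0; i < Math.min(sa.length, sb.length); i++) {
    const x = sa[i], y = sb[i];
    const xNum = /^\d/.test(x), yNum = /^\d/.test(y);
    if (xNum !== yNum) return xNum ? 1 : -1;
    if (xNum) {
      const d = BigInt(x) - BigInt(y);
      if (d !== 0n) return d > 0n ? 1 : -1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return Math.sign(sa.length - sb.length);
}
// Epoch first, then version, then release.
function compareEvr(a, b) {
  const pa = parseEvr(a), pb = parseEvr(b);
  if (pa.epoch !== pb.epoch) return pa.epoch < pb.epoch ? -1 : 1;
  return rpmvercmp(pa.version, pb.version) || rpmvercmp(pa.release, pb.release);
}
// Hypothetical matcher: a finding is a false positive when the installed EVR
// is at or beyond the "Fixed in" EVR.
function isPatched(installed, fixedIn) {
  return compareEvr(installed, fixedIn) >= 0;
}
```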


@adrobuta adrobuta requested review from a team as code owners December 24, 2025 16:15
Resolves false positive vulnerabilities for RHEL 10 container images
where the installed package version matches the fixed version
(e.g., pam-libs@1.6.1-8.el10 reported vulnerable, fixed in 0:1.6.1-8.el10).
@adrobuta adrobuta force-pushed the fix/container-rpm-purl branch from 881bd73 to 317c518 December 24, 2025 16:19