8th chunk of `_vendor/github.com/docker/scout-cli/docs/scout_cves.md`
   https://scout.docker.com/v/CVE-2023-52425
   Affected range  : >=2.5.0-1
   Fixed version   : not fixed
   EPSS Score      : 0.000510
   EPSS Percentile : 0.173680
```

- `EPSS Score` is a floating point number between 0 and 1 representing the probability of exploitation in the wild in the next 30 days (following score publication).
- `EPSS Percentile` is the percentile rank of the current score: the proportion of all scored vulnerabilities that have the same or a lower EPSS score.

You can use the `--epss-score` and `--epss-percentile` flags to filter the output
of `docker scout cves` based on these scores. For example,
to only show vulnerabilities with an EPSS score higher than 0.5:

```console
$ docker scout cves --epss --epss-score 0.5 nginx
 ✓ SBOM of image already cached, 232 packages indexed
 ✓ EPSS scores for 2024-03-01 already cached
 ✗ Detected 1 vulnerable package with 1 vulnerability

...

 ✗ LOW CVE-2023-44487
   https://scout.docker.com/v/CVE-2023-44487
   Affected range  : >=1.22.1-9
   Fixed version   : not fixed
   EPSS Score      : 0.705850
   EPSS Percentile : 0.979410
```

EPSS scores are updated on a daily basis.
By default, the latest available score is displayed.
You can use the `--epss-date` flag to manually specify a date
in the format `yyyy-mm-dd` for fetching EPSS scores.

```console
$ docker scout cves --epss --epss-date 2024-01-02 nginx
```
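The following is an added example, not code from the Docker Scout docs or the scout-cli project. It parses the text report that `docker scout cves --epss` prints (the sample report below is constructed to match the format shown above, with one placeholder CVE id), applies the same score and percentile thresholds client-side, and splits the hits into "a fixed version exists, upgrade" versus "no fix yet, needs a compensating control". The strict "higher than" comparison, the `triage` helper and the `SAMPLE_REPORT` text are assumptions of this example, not documented scout-cli behaviour; in a pipeline you would feed the real command's output into `parse_report` instead.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `docker scout cves --epss` text output, modelled on the
# report format in the docs. CVE-0000-00000 is a placeholder id, not a real CVE.
SAMPLE_REPORT = """\
 ✓ SBOM of image already cached, 232 packages indexed
 ✓ EPSS scores for 2024-03-01 already cached
 ✗ Detected 2 vulnerable packages with 3 vulnerabilities

 ✗ LOW CVE-2023-44487
   https://scout.docker.com/v/CVE-2023-44487
   Affected range  : >=1.22.1-9
   Fixed version   : not fixed
   EPSS Score      : 0.705850
   EPSS Percentile : 0.979410

 ✗ MEDIUM CVE-2023-52425
   https://scout.docker.com/v/CVE-2023-52425
   Affected range  : >=2.5.0-1
   Fixed version   : not fixed
   EPSS Score      : 0.000510
   EPSS Percentile : 0.173680

 ✗ HIGH CVE-0000-00000
   https://scout.docker.com/v/CVE-0000-00000
   Affected range  : <1.0.0-r2
   Fixed version   : 1.0.0-r2
   EPSS Score      : 0.120000
   EPSS Percentile : 0.950000
"""

# A finding starts with "✗ <SEVERITY> <CVE id>"; the "Detected N vulnerable
# packages" summary line also starts with ✗ but does not match this shape.
HEADER_RE = re.compile(r"^\s*✗\s+(?P<severity>[A-Z]+)\s+(?P<cve>CVE-\S+)\s*$")
# Indented "Key : value" lines that follow a finding header.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.+?)\s*$")


@dataclass
class Finding:
    cve: str
    severity: str
    affected_range: str = ""
    fixed_version: str = ""
    epss_score: Optional[float] = None       # None when EPSS was not reported
    epss_percentile: Optional[float] = None


def parse_report(text: str) -> List[Finding]:
    """Turn the text report into Finding records, one per CVE block."""
    findings: List[Finding] = []
    current: Optional[Finding] = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = Finding(cve=header["cve"], severity=header["severity"])
            findings.append(current)
            continue
        if current is None:
            continue  # preamble lines before the first finding
        field = FIELD_RE.match(line)
        if not field:
            continue
        key, value = field["key"].lower(), field["value"]
        if key == "affected range":
            current.affected_range = value
        elif key == "fixed version":
            current.fixed_version = value
        elif key == "epss score":
            current.epss_score = float(value)
        elif key == "epss percentile":
            current.epss_percentile = float(value)
        # the URL line parses as key "https" and is ignored on purpose
    return findings


def filter_findings(findings: List[Finding], min_score: Optional[float] = None,
                    min_percentile: Optional[float] = None) -> List[Finding]:
    """Client-side equivalent of --epss-score / --epss-percentile (assumed strict
    'higher than'); findings without an EPSS value never pass a threshold."""
    kept = []
    for f in findings:
        if min_score is not None and (f.epss_score is None or f.epss_score <= min_score):
            continue
        if min_percentile is not None and (
                f.epss_percentile is None or f.epss_percentile <= min_percentile):
            continue
        kept.append(f)
    return kept


def triage(findings: List[Finding], min_score: float) -> Dict[str, List[str]]:
    """Order the high-EPSS findings by score and split them by whether a fixed
    version exists: 'upgrade' can be closed by patching, 'mitigate' cannot yet."""
    hot = sorted(filter_findings(findings, min_score=min_score),
                 key=lambda f: f.epss_score or 0.0, reverse=True)
    return {
        "upgrade": [f.cve for f in hot if f.fixed_version != "not fixed"],
        "mitigate": [f.cve for f in hot if f.fixed_version == "not fixed"],
    }


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(triage(report, min_score=0.1))
```

The split matters because a high EPSS score on a package with `Fixed version : not fixed` cannot be closed by an image rebuild; those entries are the ones that need a compensating control (or a vendor ticket) rather than a patch, so it is useful for a CI gate to report them separately instead of failing the build on both groups alike.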

### List vulnerabilities from an SPDX file

The following example shows how to generate a list of vulnerabilities from an SPDX file using `syft`.

```console
$ syft -o spdx-json alpine:3.16.1 | docker scout cves sbom://
 ✔ Pulled image
 ✔ Loaded image                                                                                                                              alpine:3.16.1
 ✔ Parsed image                                                                    sha256:3d81c46cd8756ddb6db9ec36fa06a6fb71c287fb265232ba516739dc67a5f07d
 ✔ Cataloged contents                                                                     274a317d88b54f9e67799244a1250cad3fe7080f45249fa9167d1f871218d35f
   ├── ✔ Packages                        [14 packages]
   ├── ✔ File digests                    [75 files]
   ├── ✔ File metadata                   [75 locations]
   └── ✔ Executables                     [16 executables]
    ✗ Detected 2 vulnerable packages with a total of 11 vulnerabilities


## Overview

                    │        Analyzed SBOM
────────────────────┼──────────────────────────────
  Target            │ <stdin>
    digest          │  274a317d88b5
    platform        │ linux/arm64
    vulnerabilities │    1C     2H     8M     0L
    packages        │ 15


## Packages and Vulnerabilities

   1C     0H     0M     0L  zlib 1.2.12-r1
pkg:apk/alpine/zlib@1.2.12-r1?arch=aarch64&distro=alpine-3.16.1

    ✗ CRITICAL CVE-2022-37434
      https://scout.docker.com/v/CVE-2022-37434
      Affected range : <1.2.12-r2
      Fixed version  : 1.2.12-r2

    ...

11 vulnerabilities found in 2 packages
  CRITICAL  1
  HIGH      2
  MEDIUM    8
  LOW       0
```
