Detected some vulnerabilities on the securecompliance/gvm docker image

I am using the Docker image https://hub.docker.com/r/securecompliance/gvm and trivy to scan it

I am getting those vulnerabilities:

agent_1 | localhost:gvm (alpine 3.14.0)
agent_1 | =============================
agent_1 | Total: 0 (HIGH: 0, CRITICAL: 0)
agent_1 |
agent_1 |
agent_1 | usr/share/texmf-dist/scripts/latex2nemeth/latex2nemeth-v1.0.2.jar (jar)
agent_1 | =======================================================================
agent_1 | Total: 2 (HIGH: 1, CRITICAL: 1)
agent_1 |
agent_1 | +-----------------------------------------+------------------+----------+-------------------+---------------+
agent_1 | | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
agent_1 | +-----------------------------------------+------------------+----------+-------------------+---------------+
agent_1 | | org.apache.commons:commons-collections4 | CVE-2015-7501 | CRITICAL | 4.0 | 4.1 |
agent_1 | + +------------------+----------+ + +
agent_1 | | | CVE-2015-6420 | HIGH | | |
agent_1 | +-----------------------------------------+------------------+----------+-------------------+---------------+
agent_1 |
agent_1 | usr/share/texmf-dist/scripts/texplate/texplate.jar (jar)
agent_1 | ========================================================
agent_1 | Total: 1 (HIGH: 1, CRITICAL: 0)
agent_1 |
agent_1 | +------------------------------------------+------------------+----------+-------------------+---------------+
agent_1 | | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
agent_1 | +------------------------------------------+------------------+----------+-------------------+---------------+
agent_1 | | org.apache.velocity:velocity-engine-core | CVE-2020-13936 | HIGH | 2.2 | 2.3 |
agent_1 | +------------------------------------------+------------------+----------+-------------------+---------------+

Is that the right place to talk about that?

As those are packages provided in the base image and not by GVM, the right place should be:
