Team
What happened?
The current latest octopusdeploy/tentacle:9.1.3772 Docker image bundles NuGet packages with known CVEs inside the Tentacle binary (/opt/octopus/tentacle/Tentacle.deps.json). These are compile-time dependencies that consumers of the image cannot patch via OS-level updates, apt-get upgrade, or any other post-build remediation.
Azure Defender for Cloud flags these vulnerabilities during container registry scanning. Some date back to 2017.
Expected: Container images published to Docker Hub should not contain NuGet packages with known, fixable CVEs.
Reproduction
- Pull octopusdeploy/tentacle:9.1.3772
- Inspect /opt/octopus/tentacle/Tentacle.deps.json for the package versions listed above
- Cross-reference with NVD entries linked in the table
Alternatively, push the image to any container registry with vulnerability scanning enabled (Azure Defender, Trivy, Snyk, etc.) and observe the findings.
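A small inventory script that performs the "inspect the deps.json" step offline, as an added example (not Octopus code): it lists every NuGet package recorded in a .NET .deps.json and flags those still below a fixed version. The embedded deps.json content, the package ids and the MIN_FIXED table are constructed for illustration; the real file is pulled from the image and the real fixed versions come from the scanner findings.

```python
import json

# Constructed sample in the .deps.json layout (not the real Tentacle file; the
# "targets" section is omitted since only "libraries" is parsed). A real copy can be
# taken from the image with `docker create --name t octopusdeploy/tentacle:9.1.3772`
# followed by `docker cp t:/opt/octopus/tentacle/Tentacle.deps.json .`
SAMPLE_DEPS_JSON = json.dumps({
    "runtimeTarget": {"name": ".NETCoreApp,Version=v8.0"},
    "libraries": {
        "Tentacle/9.1.3772": {"type": "project", "serviceable": False},
        "Example.Serializer/1.2.0": {"type": "package", "serviceable": True},
        "Example.Http/3.0.1": {"type": "package", "serviceable": True},
    },
})

# Constructed: lowest version without the finding, keyed by lower-cased package id
# (NuGet ids are case-insensitive). Real values come from the scanner report / NVD.
MIN_FIXED = {"example.serializer": "1.4.0", "example.http": "3.0.0"}


def parse_version(v):
    """NuGet versions are SemVer-like: compare the numeric core; a prerelease sorts lower."""
    core, _, pre = v.partition("-")
    return tuple(int(x) for x in core.split(".")), 0 if pre else 1


def list_packages(deps_json_text):
    """Map package id -> version for every 'package' library; the app's own 'project' entry is skipped."""
    out = {}
    for key, meta in json.loads(deps_json_text)["libraries"].items():
        if meta.get("type") == "package":
            name, _, version = key.rpartition("/")
            out[name] = version
    return out


def find_outdated(packages, min_fixed):
    """Return {id: (bundled, fixed)} for packages still below their fixed version."""
    found = {}
    for name, version in packages.items():
        fixed = min_fixed.get(name.lower())
        if fixed and parse_version(version) < parse_version(fixed):
            found[name] = (version, fixed)
    return found


if __name__ == "__main__":
    for name, (have, need) in find_outdated(list_packages(SAMPLE_DEPS_JSON), MIN_FIXED).items():
        print(f"{name} {have} is below fixed version {need}")
```

Because the packages are compiled into the binary, this inventory is the only thing a consumer can act on: it tells you which findings to track until a rebuilt image ships.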
Error and Stacktrace
N/A — these are dependency-level CVEs, not runtime errors.
More Information
Updating the affected NuGet package references in the Tentacle project to their fixed versions and publishing an updated container image would resolve these findings.
Workaround
No workaround available. The vulnerable packages are embedded in the application binary and cannot be patched externally. The only option for consumers is to suppress/accept these findings in their vulnerability scanner until an updated image is published.