So I'm tinkering with IBM Container Registry (ICR) at present, and am testing the Vulnerability Advisor (VA) feature, by building/tagging/pushing a basic Nginx image.
Having configured my Nginx server for HTTPS (HTTP over TLS) - or so I thought - I was baffled that VA kept throwing up configuration errors:
Configuration Issues Found

| Configuration Issue ID | Policy Status | Security Practice | How to Resolve |
| --- | --- | --- | --- |
| application_configuration:nginx.ssl_certificate_key | Active | Specifies the private key file for server cert. | ssl_certificate_key is not present in |
| application_configuration:nginx.ssl_ciphers | Active | Specifies ciphers used in TLS. | ssl_ciphers is not present in /etc/nginx/sites-enabled/default. Defaults may not |
| application_configuration:nginx.server_tokens | Active | Enables or disables emitting nginx version in error messages and in the Server response header field. | server_tokens is present but value is off. nginx will sends its version in HTTP responses which can be used by attackers for version-specific attacks against this nginx server. |
| application_configuration:nginx.ssl_protocols | Active | Enables the specified protocols. | ssl_protocols is not present in |
| application_configuration:nginx.ssl_certificate | Active | Specifies a file with the certificate in the PEM format for the given virtual server. | ssl_certificate is not present in /etc/nginx/nginx.conf or |
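
A local pre-push check for the same five directives, as an added example: it is not part of the original post and is not Vulnerability Advisor's own logic, only a presence check across the two files the report names. The sample configs, `example.test`, the certificate paths and the cipher list are constructed placeholders, and the parser assumes one directive per line.

```python
import re

# Directives named in the Vulnerability Advisor report above.
REQUIRED = ("ssl_certificate", "ssl_certificate_key", "ssl_protocols", "ssl_ciphers")

def parse_directives(conf_text):
    """Map directive name -> list of values. Assumes one directive per line."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^([a-z_]+)\s+(.+?);$", line)  # e.g. "server_tokens off;"
        if m:
            found.setdefault(m.group(1), []).append(m.group(2).strip())
    return found

def check(configs):
    """configs: {path: text}. Returns a list of findings (empty means clean)."""
    merged = {}
    for text in configs.values():
        for name, values in parse_directives(text).items():
            merged.setdefault(name, []).extend(values)
    issues = [f"{d} is not present" for d in REQUIRED if d not in merged]
    tokens = merged.get("server_tokens")
    if tokens is None:
        issues.append("server_tokens is not present (nginx default is on)")
    elif any(v != "off" for v in tokens):
        issues.append("server_tokens is not off")
    return issues

# Constructed sample: TLS listener requested, but no certificate or TLS policy.
SITE_WEAK = """server {
    listen 443 ssl;
    server_name example.test;
}
"""
# Constructed sample with the five directives set; paths and ciphers are placeholders.
SITE_FIXED = """server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    server_tokens       off;
}
"""
NGINX_CONF = "http {\n    include /etc/nginx/sites-enabled/*;\n}\n"

def scan(site_text):
    return check({"/etc/nginx/nginx.conf": NGINX_CONF,
                  "/etc/nginx/sites-enabled/default": site_text})
```

Calling `scan(SITE_WEAK)` lists all five directives as findings, while `scan(SITE_FIXED)` returns an empty list.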