Azure / aad-pod-identity

[DEPRECATED] Assign Azure Active Directory Identities to Kubernetes applications.
https://azure.github.io/aad-pod-identity
MIT License

Multiple CVEs found when scanning NMI container. #1177

Closed ietashish closed 2 years ago

ietashish commented 2 years ago

Describe the bug Running a container scan on the NMI container (mcr.microsoft.com/oss/azure/aad-pod-identity/nmi:v1.8.4) reveals several vulnerabilities that have not been fixed. This is problematic since we deploy AAD identity pods on an Azure GovCloud cluster which needs to be compliant with FedRAMP regulations that ask us to explain every unremediated vulnerability.

Can you comment on whether any of these vulnerabilities are getting fixed in upcoming releases, or explain why they have not been fixed yet?

Steps To Reproduce Run any container scanning tool (like Docker Snyk, Aqua Trivy, JFrog Xray) on mcr.microsoft.com/oss/azure/aad-pod-identity/nmi:v1.8.4. We ran a JFrog Xray scan and found the following CVEs:


Expected behavior Container should not have any vulnerabilities.

AAD Pod Identity version v1.8.4

Kubernetes version NA

Additional context None

aramase commented 2 years ago

@ietashish We run image vulnerability scans as part of our CI and this is used as a release gate. A lot of the CVEs you mentioned do not have a fix yet, so there is no action item on our side for now.

➜ trivy --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL mcr.microsoft.com/oss/azure/aad-pod-identity/nmi:v1.8.4
2021-10-08T16:17:43.066Z    INFO    Need to update DB
2021-10-08T16:17:43.067Z    INFO    Downloading DB...
24.22 MiB / 24.22 MiB [-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 16.89 MiB p/s 2s
2021-10-08T16:17:47.531Z    INFO    Detected OS: debian
2021-10-08T16:17:47.531Z    INFO    Detecting Debian vulnerabilities...
2021-10-08T16:17:47.538Z    INFO    Number of language-specific files: 1
2021-10-08T16:17:47.538Z    INFO    Detecting gobinary vulnerabilities...

mcr.microsoft.com/oss/azure/aad-pod-identity/nmi:v1.8.4 (debian 10.10)
======================================================================
Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)

bin/nmi (gobinary)
==================
Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Example CI run: https://dev.azure.com/AzureContainerUpstream/AAD%20Pod%20Identity/_build/results?buildId=28736&view=logs&j=7e664a44-1d98-5348-601c-dff379a14ab5&t=df0bac15-41b8-536a-5d4e-7c9def102aed
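The two scans in this thread disagree because Xray lists every CVE present while the CI gate runs trivy with --ignore-unfixed and a MEDIUM+ threshold. The following Python is an added illustration (not code from this repository or from either commenter) that applies that same gate policy to a Trivy JSON report and separates findings that block a release from ones that cannot be patched yet and therefore need a written justification, which is what a FedRAMP assessor asks for. Field names follow Trivy's JSON report format; the sample report, its CVE IDs and its fix status are constructed.

```python
import json

# Severities that fail the gate, mirroring --severity MEDIUM,HIGH,CRITICAL
GATE_SEVERITIES = {"MEDIUM", "HIGH", "CRITICAL"}

# Constructed sample in the shape of Trivy's JSON report (field names follow
# Trivy's schema; the CVE IDs and fix status below are placeholders, not a
# real scan of the NMI image).
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "example.invalid/nmi:v1.8.4 (debian 10.10)",
        "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libc6",
             "InstalledVersion": "2.28-10", "FixedVersion": "", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libpcre3",
             "InstalledVersion": "2:8.39-12", "FixedVersion": "", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libfoo",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libsepol1",
             "InstalledVersion": "2.8-1", "FixedVersion": "", "Severity": "LOW"},
        ],
    }]
})


def gate_findings(report_json, ignore_unfixed=True, severities=GATE_SEVERITIES):
    """Return (blocking, deferred) lists of (cve, pkg, installed, fixed).
    blocking: fixable findings at or above the threshold, which fail the gate.
    deferred: findings --ignore-unfixed drops because no fixed package exists;
    they still need a documented justification even though nothing can be
    patched yet."""
    blocking, deferred = [], []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v["Severity"] not in severities:
                continue  # below the gate's severity threshold
            fixed = v.get("FixedVersion") or None
            entry = (v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"], fixed)
            (deferred if ignore_unfixed and fixed is None else blocking).append(entry)
    return blocking, deferred


def gate_passes(report_json):
    """True when no fixable finding at or above the threshold remains."""
    return not gate_findings(report_json)[0]


if __name__ == "__main__":
    blocking, deferred = gate_findings(SAMPLE_REPORT)
    print("gate", "FAILED" if blocking else "passed")
    for cve, pkg, inst, fixed in blocking:
        print(f"  FIX NOW  {cve} {pkg} {inst} -> {fixed}")
    for cve, pkg, inst, _ in deferred:
        print(f"  DEFERRED {cve} {pkg} {inst} (no fix available, justify)")
```

Running the same report with ignore_unfixed=False reproduces the Xray-style view where every MEDIUM+ CVE counts, which is why the two tools reach different conclusions about the same image.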

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 14 days with no activity. Please comment or this will be closed in 7 days.

github-actions[bot] commented 2 years ago

This issue was closed because it has been stalled for 21 days with no activity. Feel free to re-open if you are experiencing the issue again.