Closed nilekhc closed 3 months ago
```
➜ trivy image --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL linuxgeneva-microsoft.azurecr.io/amacoreagentaot:1.3.52
2024-06-25T15:58:22.559-0700 INFO Vulnerability scanning is enabled
2024-06-25T15:58:22.560-0700 INFO Secret scanning is enabled
2024-06-25T15:58:22.560-0700 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T15:58:22.560-0700 INFO Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T15:58:32.414-0700 INFO Detected OS: ubuntu
2024-06-25T15:58:32.414-0700 INFO Detecting Ubuntu vulnerabilities...
2024-06-25T15:58:32.418-0700 INFO Number of language-specific files: 3
2024-06-25T15:58:32.418-0700 INFO Detecting nuget vulnerabilities...
2024-06-25T15:58:32.420-0700 INFO Detecting dotnet-core vulnerabilities...

linuxgeneva-microsoft.azurecr.io/amacoreagentaot:1.3.52 (ubuntu 20.04)

Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)

AMACA/AMACoreAgent.deps.json (dotnet-core)

Total: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)
```

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| Azure.Identity | CVE-2024-35255 | MEDIUM | fixed | 1.11.1 | 1.11.4 | Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability (https://avd.aquasec.com/nvd/cve-2024-35255) |
| Microsoft.Identity.Client | CVE-2024-35255 | MEDIUM | fixed | 4.60.3 | 4.60.4, 4.61.3 | Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability (https://avd.aquasec.com/nvd/cve-2024-35255) |

```
➜ trivy image --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL linuxgeneva-microsoft.azurecr.io/distroless/genevafluentd_td-agent:mariner_20240524.1
2024-06-25T15:58:39.439-0700 INFO Vulnerability scanning is enabled
2024-06-25T15:58:39.439-0700 INFO Secret scanning is enabled
2024-06-25T15:58:39.439-0700 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T15:58:39.439-0700 INFO Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T15:58:47.579-0700 INFO Java DB Repository: ghcr.io/aquasecurity/trivy-java-db:1
2024-06-25T15:58:47.579-0700 INFO Downloading the Java DB...
621.15 MiB / 621.15 MiB [----------------------------------------] 100.00% 36.32 MiB p/s 17s
2024-06-25T15:59:05.550-0700 INFO The Java DB is cached for 3 days. If you want to update the database more frequently, the '--reset' flag clears the DB cache.
2024-06-25T15:59:05.598-0700 INFO Detected OS: cbl-mariner
2024-06-25T15:59:05.598-0700 INFO Detecting CBL-Mariner vulnerabilities...
2024-06-25T15:59:05.599-0700 INFO Number of language-specific files: 1
2024-06-25T15:59:05.599-0700 INFO Detecting gemspec vulnerabilities...

linuxgeneva-microsoft.azurecr.io/distroless/genevafluentd_td-agent:mariner_20240524.1 (cbl-mariner 2.0.20240425)

Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)

2024-06-25T15:59:05.605-0700 INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Ruby (gemspec)

Total: 8 (MEDIUM: 5, HIGH: 3, CRITICAL: 0)
```

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| bundler (bundler-2.1.4.gemspec) | CVE-2020-36327 | HIGH | fixed | 2.1.4 | = 2.2.10, >= 2.2.18 | rubygem-bundler: Dependencies of gems with explicit source may be installed from a... (https://avd.aquasec.com/nvd/cve-2020-36327) |
| bundler (bundler-2.1.4.gemspec) | CVE-2021-43809 | MEDIUM | fixed | 2.1.4 | >= 2.2.33 | rubygem-bundler: unexpected code execution in Gemfiles (https://avd.aquasec.com/nvd/cve-2021-43809) |
| cgi (cgi-0.1.0.1.gemspec) | CVE-2021-33621 | HIGH | fixed | 0.1.0.1 | ~> 0.1.0.2, ~> 0.2.2, >= 0.3.5 | ruby/cgi-gem: HTTP response splitting in CGI (https://avd.aquasec.com/nvd/cve-2021-33621) |
| protocol-http1 (protocol-http1-0.14.6.gemspec) | CVE-2023-38697 | MEDIUM | fixed | 0.14.6 | >= 0.15.1 | protocol-http1: rubygem Strict validation of content length and chunk length (https://avd.aquasec.com/nvd/cve-2023-38697) |
| rdoc (rdoc-6.2.1.1.gemspec) | CVE-2024-27281 | MEDIUM | fixed | 6.2.1.1 | ~> 6.3.4, >= 6.3.4.1, ~> 6.4.1, >= 6.4.1.1, >= 6.5.1.1 | ruby: RCE vulnerability with .rdoc_options in RDoc (https://avd.aquasec.com/nvd/cve-2024-27281) |
| rexml (rexml-3.2.3.1.gemspec) | CVE-2024-35176 | MEDIUM | fixed | 3.2.3.1 | >= 3.2.7 | REXML: DoS parsing an XML with many `<`s in an attribute value... (https://avd.aquasec.com/nvd/cve-2024-35176) |
| uri (uri-0.10.0.gemspec) | CVE-2023-28755 | HIGH | fixed | 0.10.0 | ~> 0.10.0.1, ~> 0.10.2, ~> 0.11.1, >= 0.12.1 | ruby: ReDoS vulnerability in URI (https://avd.aquasec.com/nvd/cve-2023-28755) |
| uri (uri-0.10.0.gemspec) | CVE-2023-36617 | MEDIUM | fixed | 0.10.0 | ~> 0.10.0.3, ~> 0.10.3, ~> 0.11.2, >= 0.12.2 | rubygem-uri: ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755 (https://avd.aquasec.com/nvd/cve-2023-36617) |
linuxgeneva-microsoft.azurecr.io/amacoreagentaot:1.3.52 and linuxgeneva-microsoft.azurecr.io/distroless/genevafluentd_td-agent:mariner_20240524.1 have CVEs. Are there newer versions available for these?
Unfortunately these are the latest.