alexdmoss / distroless-python

Creates a distroless container image with up-to-date python installed, for use in kubernetes
Apache License 2.0

trivy vulnerability for all the python images #5

Closed amohit1315 closed 5 months ago

amohit1315 commented 5 months ago

Hi,

I am seeing a trivy vulnerability related to libc6.

trivy --version

Version: 0.48.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-06-20 06:11:28.606838332 +0000 UTC
  NextUpdate: 2024-06-20 12:11:28.606838072 +0000 UTC
  DownloadedAt: 2024-06-20 06:17:04.507362563 +0000 UTC

trivy results:

trivy image -s=HIGH,CRITICAL al3xos/python-distroless:3.10-debian11
2024-06-20T11:49:25.492+0530    INFO    Vulnerability scanning is enabled
2024-06-20T11:49:25.492+0530    INFO    Secret scanning is enabled
2024-06-20T11:49:25.492+0530    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-20T11:49:25.492+0530    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-06-20T11:49:27.584+0530    INFO    Detected OS: debian
2024-06-20T11:49:27.584+0530    INFO    Detecting Debian vulnerabilities...
2024-06-20T11:49:27.587+0530    INFO    Number of language-specific files: 1
2024-06-20T11:49:27.587+0530    INFO    Detecting python-pkg vulnerabilities...

al3xos/python-distroless:3.10-debian11 (debian 11.8)

Total: 2 (HIGH: 2, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────┬────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version   │                         Title                          │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────┼────────────────────────────────────────────────────────┤
│ libc6   │ CVE-2024-2961  │ HIGH     │ fixed  │ 2.31-13+deb11u7   │ 2.31-13+deb11u9  │ glibc: Out of bounds write in iconv may lead to remote │
│         │                │          │        │                   │                  │ code...                                                │
│         │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2024-2961              │
│         ├────────────────┤          │        │                   ├──────────────────┼────────────────────────────────────────────────────────┤
│         │ CVE-2024-33599 │          │        │                   │ 2.31-13+deb11u10 │ glibc: stack-based buffer overflow in netgroup cache   │
│         │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2024-33599             │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────┴────────────────────────────────────────────────────────┘

1) Will this be fixed anytime soon? 2) Do we have a workaround for updating libc6 in the image using a multi-stage Docker build? I tried:

# builder stage: the base image was not shown in the report; debian:11 is assumed here
FROM debian:11 AS builder
RUN wget http://deb.debian.org/debian/pool/main/g/glibc/libc6_2.31-13+deb11u10_amd64.deb \
    && dpkg -i libc6_2.31-13+deb11u10_amd64.deb \
    && apt-get update

FROM al3xos/python-distroless:3.10-debian11

# Copy the necessary libraries from the build stage
COPY --from=builder /lib/x86_64-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/libc.so.6
COPY --from=builder /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2

This still gives me the same trivy result.

alexdmoss commented 5 months ago

Thanks for the report - looks like it's been patched in the upstream base image.

I've rebuilt and it looks to have dealt with the HIGHs being flagged. Shout if you're still seeing issues.

amohit1315 commented 5 months ago

Hey @alexdmoss, I did a docker pull on al3xos/python-distroless:3.10-debian11. After that I ran trivy on this, but it still shows the same vulnerability:

amohit@bng-hb-dev-25:~$ trivy image -s=HIGH,CRITICAL al3xos/python-distroless:3.10-debian11
2024-06-21T00:35:05.262+0530    INFO    Vulnerability scanning is enabled
2024-06-21T00:35:05.262+0530    INFO    Secret scanning is enabled
2024-06-21T00:35:05.262+0530    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-21T00:35:05.262+0530    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-06-21T00:35:05.267+0530    INFO    Detected OS: debian
2024-06-21T00:35:05.267+0530    INFO    Detecting Debian vulnerabilities...
2024-06-21T00:35:05.271+0530    INFO    Number of language-specific files: 1
2024-06-21T00:35:05.271+0530    INFO    Detecting python-pkg vulnerabilities...

al3xos/python-distroless:3.10-debian11 (debian 11.8)

Total: 2 (HIGH: 2, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────┬────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version   │                         Title                          │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────┼────────────────────────────────────────────────────────┤
│ libc6   │ CVE-2024-2961  │ HIGH     │ fixed  │ 2.31-13+deb11u7   │ 2.31-13+deb11u9  │ glibc: Out of bounds write in iconv may lead to remote │
│         │                │          │        │                   │                  │ code...                                                │
│         │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2024-2961              │
│         ├────────────────┤          │        │                   ├──────────────────┼────────────────────────────────────────────────────────┤
│         │ CVE-2024-33599 │          │        │                   │ 2.31-13+deb11u10 │ glibc: stack-based buffer overflow in netgroup cache   │
│         │                │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2024-33599             │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────┴────────────────────────────────────────────────────────┘

amohit1315 commented 5 months ago

Can you confirm I can get the latest image for python:3.10 without vulnerabilities from al3xos/python-distroless:3.10-debian11? Also, I tried the debug container for this, but I was not able to log into the Docker image using bash. Ideally the debug containers have bash to exec into, right?

alexdmoss commented 5 months ago

Ah, it's because you're using the Python 3.10 image, which isn't being built by the pipeline any more. Can you upgrade to 3.11 or 3.12?

Those tags are still maintained, and based on debian12.

Re. the debug container - it has busybox in it, so a standard sh shell rather than bash.

amohit1315 commented 5 months ago

Sure, thanks Alex. I can see 0 vulnerabilities for 3.11.