anchore / anchore-engine

A service that analyzes docker images and scans for vulnerabilities
Apache License 2.0

Vuln reported on the patched/fixed older versions #1360

Open verma-preet opened 2 years ago

verma-preet commented 2 years ago

Is this a BUG REPORT or a FEATURE REQUEST? BUG REPORT

Version of Anchore Engine and Anchore CLI if applicable: Anchore engine version: v0.10.0

What happened: We scanned a docker image using the Anchore APIs and it reported the CVE-2020-25637 vulnerability in three libvirt packages. The JSON snippet from the results is:

    "vulnerabilities": [
        {
            "feed": "vulnerabilities",
            "feed_group": "alpine:3.15",
            "fix": "6.8.0-r0",
            "nvd_data": [
                {
                    "cvss_v2": {
                        "base_score": 7.2,
                        "exploitability_score": 3.9,
                        "impact_score": 10.0
                    },
                    "cvss_v3": {
                        "base_score": 6.7,
                        "exploitability_score": 0.8,
                        "impact_score": 5.9
                    },
                    "id": "CVE-2020-25637"
                }
            ],
            "package": "libvirt-client-6.6.0-r4",
            "package_cpe": "None",
            "package_cpe23": "None",
            "package_name": "libvirt-client",
            "package_path": "pkgdb",
            "package_type": "APKG",
            "package_version": "6.6.0-r4",
            "severity": "Medium",
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25637",
            "vendor_data": [],
            "vuln": "CVE-2020-25637"
        },
        {
            "feed": "vulnerabilities",
            "feed_group": "alpine:3.15",
            "fix": "6.8.0-r0",
            "nvd_data": [
                {
                    "cvss_v2": {
                        "base_score": 7.2,
                        "exploitability_score": 3.9,
                        "impact_score": 10.0
                    },
                    "cvss_v3": {
                        "base_score": 6.7,
                        "exploitability_score": 0.8,
                        "impact_score": 5.9
                    },
                    "id": "CVE-2020-25637"
                }
            ],
            "package": "libvirt-6.6.0-r4",
            "package_cpe": "None",
            "package_cpe23": "None",
            "package_name": "libvirt",
            "package_path": "pkgdb",
            "package_type": "APKG",
            "package_version": "6.6.0-r4",
            "severity": "Medium",
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25637",
            "vendor_data": [],
            "vuln": "CVE-2020-25637"
        },
        {
            "feed": "vulnerabilities",
            "feed_group": "alpine:3.15",
            "fix": "6.8.0-r0",
            "nvd_data": [
                {
                    "cvss_v2": {
                        "base_score": 7.2,
                        "exploitability_score": 3.9,
                        "impact_score": 10.0
                    },
                    "cvss_v3": {
                        "base_score": 6.7,
                        "exploitability_score": 0.8,
                        "impact_score": 5.9
                    },
                    "id": "CVE-2020-25637"
                }
            ],
            "package": "libvirt-libs-6.6.0-r4",
            "package_cpe": "None",
            "package_cpe23": "None",
            "package_name": "libvirt-libs",
            "package_path": "pkgdb",
            "package_type": "APKG",
            "package_version": "6.6.0-r4",
            "severity": "Medium",
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25637",
            "vendor_data": [],
            "vuln": "CVE-2020-25637"
        },
.....

More evidence on the libvirt versions inside our image:

$ docker run -it --rm --entrypoint bash stunnel-sidecar:0a0d82ec9f135fd38056dadbaddef1afee41dc34-amd64
bash-5.1$ apk -v info | grep libvirt
libvirt-libs-6.6.0-r4
libvirt-6.6.0-r4
libvirt-client-6.6.0-r4
bash-5.1$ 

What did you expect to happen:

According to Alpine (see https://security.alpinelinux.org/vuln/CVE-2020-25637), version 6.6.0-r4 was patched, so Anchore should not report a vulnerability, but it does. Anchore needs to recognize that upgrading to a later version with the fix is not the only solution when the fix has also been backported to older versions.
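As an added triage example (not anchore-engine's own code), this is the cross-check the report asks for: each Anchore finding is compared against the `secfixes` entry in Alpine's secdb for the package's origin, so a CVE whose fix was backported to the installed version is classified as fixed rather than open. The findings, the secdb excerpt, the subpackage-to-origin mapping and the simplified apk version ordering are all constructed assumptions here.

```python
# Constructed findings shaped like the Anchore output in the issue (only the
# fields the check needs). The 6.5.0-r0 row is invented to show the "open" case.
ANCHORE_FINDINGS = [
    {"package_name": "libvirt-client", "package_version": "6.6.0-r4",
     "fix": "6.8.0-r0", "vuln": "CVE-2020-25637"},
    {"package_name": "libvirt", "package_version": "6.6.0-r4",
     "fix": "6.8.0-r0", "vuln": "CVE-2020-25637"},
    {"package_name": "libvirt", "package_version": "6.5.0-r0",
     "fix": "6.8.0-r0", "vuln": "CVE-2020-25637"},
]

# Constructed excerpt in the shape of Alpine's secdb (secdb.alpinelinux.org):
# secfixes maps "version that fixed it" -> CVE list; the key "0" marks CVEs that
# never affected the package. CVE-0000-00000 is a placeholder id, not a real one.
ALPINE_SECDB = {"packages": [{"pkg": {"name": "libvirt", "secfixes": {
    "6.6.0-r4": ["CVE-2020-25637"], "0": ["CVE-0000-00000"]}}}]}

# Assumption: secfixes are recorded on the origin package, so subpackages
# (libvirt-client, libvirt-libs) are mapped back to it before the lookup.
ORIGIN = {"libvirt-client": "libvirt", "libvirt-libs": "libvirt"}


def parse_apk_version(version):
    """Simplified apk version key: '6.6.0-r4' -> ((6, 6, 0), 4).
    Assumption: apk suffixes such as _rc/_p are not handled; none occur here."""
    base, _, release = version.partition("-r")
    return tuple(int(x) for x in base.split(".")), int(release or 0)


def secfixes_for(secdb, name):
    for entry in secdb["packages"]:
        if entry["pkg"]["name"] == name:
            return entry["pkg"]["secfixes"]
    return {}


def triage(finding, secdb=ALPINE_SECDB, origin=ORIGIN):
    """'fixed' if Alpine fixed the CVE at or below the installed version,
    'not-affected' if it is listed under "0", otherwise 'open'."""
    name = origin.get(finding["package_name"], finding["package_name"])
    installed = parse_apk_version(finding["package_version"])
    for fixed_in, cves in secfixes_for(secdb, name).items():
        if finding["vuln"] not in cves:
            continue
        if fixed_in == "0":
            return "not-affected"
        if parse_apk_version(fixed_in) <= installed:
            return "fixed"
    return "open"


def triage_all(findings, secdb=ALPINE_SECDB, origin=ORIGIN):
    return [(f["package_name"], f["vuln"], triage(f, secdb, origin)) for f in findings]
```

Run against the constructed findings, both 6.6.0-r4 rows come back `fixed` and the 6.5.0-r0 row stays `open`, which is the distinction the engine's `fix: 6.8.0-r0` field alone cannot make.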

cjyar commented 2 years ago

I think this is the same as anchore/grype#601.