anchore / anchore-engine

A service that analyzes docker images and scans for vulnerabilities
Apache License 2.0

Detection of Java Dummy Package #157

Open wurstbrot opened 5 years ago

wurstbrot commented 5 years ago

Feature Request. The Java support in packages in OS is not very good. Therefore, I would like to add java or nginx by myself. I would like to continue using the vuln. scan and I created a dummy package with openjdk name and version and nothing else. I expect to find CVE-2019-2422 but do not get it. Docker image: quay.io/wurstbrot/ubuntu-cve-dummy-test:test4 What can I do to make it detected?

Dockerfile:

FROM ubuntu:18.10 

COPY test.deb /tmp/test.deb
RUN dpkg -i /tmp/test.deb

DPKG:

root@8c85618a64d3:/# dpkg -l | grep jdk   
ii  openjdk-11-jdk          11.0.1+1-1ubuntu0.18.10.4 all          <short description; defaults to some wise words>

openjdk-11-jdk to create the package via equivs-build:

Standards-Version: 3.9.2

Package: openjdk-11-jdk
Version: 11.0.1+1-1ubuntu0.18.10.4
Description: <short description; defaults to some wise words>
 long description and info
 .
 second paragraph

zhill commented 5 years ago

Hi @wurstbrot, thanks for the writeup. In this case I think the issue is a mismatch between your metadata and the vulnerability record from ubuntu.

The ubuntu cve record shows it is for the openjdk-lts package, not openjdk-11. Per the API in Anchore to get CVE data it knows about (I removed non-ubuntu 18.* records for clarity):

curl -u admin:foobar "http://localhost:8228/v1/query/vulnerabilities?id=CVE-2019-2422"
{
  "page": "1",
  "returned_count": 10,
  "total_count": 10,
  "vulnerabilities": [
  ... 
    {
      "affected_packages": [
        {
          "name": "openjdk-8",
          "type": "dpkg",
          "version": "8u191-b12-2ubuntu0.18.04.1"
        },
        {
          "name": "openjdk-lts",
          "type": "dpkg",
          "version": "*"
        }
      ],
      "id": "CVE-2019-2422",
      "link": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2422",
      "namespace": "ubuntu:18.04",
      "severity": "Low"
    },
    {
      "affected_packages": [
        {
          "name": "openjdk-8",
          "type": "dpkg",
          "version": "8u191-b12-2ubuntu0.18.10.1"
        },
        {
          "name": "openjdk-lts",
          "type": "dpkg",
          "version": "11.0.1+13-3ubuntu3.18.10.1"
        }
      ],
      "id": "CVE-2019-2422",
      "link": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2422",
      "namespace": "ubuntu:18.10",
      "severity": "Low"
    },
  ...
  ]
}

For entries in the dpkg db, Anchore uses the distro CVE data rather than the NVD data, which doesn't take patches or other distro-specific changes into account. So based on this data, your package isn't vulnerable, but it should be detected as vulnerable if you change the metadata to have a package name of openjdk-lts instead of openjdk-11-jdk.

Does that make sense, or am I missing something in the question/issue?
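
The name-and-version matching described above, as an added example that is not anchore-engine's own code: a dpkg-style version comparator plus a matcher run over the dpkg -l row and the ubuntu:18.10 affected_packages entries quoted in this thread. It assumes that the feed's affected_packages "version" is the fix version and that "*" means no fixed version exists.

```python
import re
from itertools import zip_longest

# Constructed sample: the dpkg -l row and the ubuntu:18.10 affected_packages quoted
# in the thread, copied into literals so this runs offline.
DPKG_L = "ii  openjdk-11-jdk  11.0.1+1-1ubuntu0.18.10.4 all  <short description; defaults to some wise words>\n"
VULNS = [{"id": "CVE-2019-2422", "namespace": "ubuntu:18.10", "affected_packages": [
    {"name": "openjdk-8", "type": "dpkg", "version": "8u191-b12-2ubuntu0.18.10.1"},
    {"name": "openjdk-lts", "type": "dpkg", "version": "11.0.1+13-3ubuntu3.18.10.1"}]}]

def _order(c):
    # dpkg's ranking: '~' before everything, end of string and digits 0, letters, then punctuation.
    return -1 if c == "~" else 0 if not c or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare an upstream or revision string as alternating non-digit / digit runs.
    pa, pb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(pa, pb, fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def dpkg_compare(v1, v2):
    """Order two Debian versions like `dpkg --compare-versions`: <0, 0 or >0."""
    def parse(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = parse(v1), parse(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def parse_dpkg_l(text):
    """Extract (name, version) from the installed ('ii') rows of `dpkg -l` output."""
    return [(m[1], m[2]) for m in re.finditer(r"^ii\s+(\S+)\s+(\S+)", text, re.M)]

def match_vulns(installed, vulns, namespace):
    """(cve, name, installed, fixed) for name matches below the feed's fix version ('*' = no fix)."""
    return [(rec["id"], name, ver, pkg["version"])
            for rec in vulns if rec["namespace"] == namespace
            for pkg in rec["affected_packages"]
            for name, ver in installed
            if name == pkg["name"] and (pkg["version"] == "*" or dpkg_compare(ver, pkg["version"]) < 0)]

# The thread's two cases: the package as built (no hit, the name differs) and renamed to openjdk-lts.
AS_BUILT = match_vulns(parse_dpkg_l(DPKG_L), VULNS, "ubuntu:18.10")
RENAMED = match_vulns([("openjdk-lts", v) for _, v in parse_dpkg_l(DPKG_L)], VULNS, "ubuntu:18.10")
```

AS_BUILT is empty because openjdk-11-jdk never matches a feed entry by name; RENAMED carries one CVE-2019-2422 hit because 11.0.1+1 sorts below the fix version 11.0.1+13.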

wurstbrot commented 5 years ago

It makes sense why I could not find something, thank you. It does not make sense for the purpose of installing self-created packages, where I still would like to get informed about vulnerabilities. In case I install a package which doesn't exist in Ubuntu, I won't get any info.

zhill commented 4 years ago

The enhancement requested is, as I understand it, to detect packages that are not in the distro's package repo and match those for vulnerabilities against the NVD or other non-distro-specific data source.

This will require:

  1. Identify if a distro-type package (rpm, deb, apk) is one provided by the distro.
  2. If not, then do the vuln match against NVD instead of the distro source, since the distro will have no CVEs for it and thus a lack of vuln match doesn't imply a lack of vuln.