anchore / anchore-engine

A service that analyzes docker images and scans for vulnerabilities
Apache License 2.0

Confusion of versions: OS package vs. gem #244

Open LoicGombeaud opened 4 years ago

LoicGombeaud commented 4 years ago

Is this a request for help?: No


Is this a BUG REPORT or a FEATURE REQUEST? (choose one): BUG REPORT

Version of Anchore Engine and Anchore CLI if applicable: anchore-cli, version 0.4.1. I don't have access to the Anchore Engine container unfortunately.

What happened: On a custom image based on ubuntu, I installed the OS package git version 2.22.0, and the Ruby gem ruby-git, version 1.5.0. This Ruby gem uses the installed git binary, but doesn't include one or install one: https://github.com/ruby-git/ruby-git. Its declared name in the gemspec file is git, hence the confusion according to @nurmi.

When I analyzed the image, Anchore failed the check, due to CVEs related to older versions of the OS package git, as though I had installed an older version of the package.

What did you expect to happen: I expected the check to pass, since the installed git package is the latest version.

Any relevant log output from /var/log/anchore: I don't have access to the logs, but here's the output from anchore-cli evaluate check <my_image> --detail:

vulnerabilities        package            HIGH Vulnerability found in non-os package type (gem) - /var/lib/gems/2.5.0/specifications/git-1.5.0.gemspec (CVE-2010-2542 - https://nvd.nist.gov/vuln/detail/CVE-2010-2542)                stop                                 
vulnerabilities        package            HIGH Vulnerability found in non-os package type (gem) - /var/lib/gems/2.5.0/specifications/git-1.5.0.gemspec (CVE-2008-5517 - https://nvd.nist.gov/vuln/detail/CVE-2008-5517)                stop                                 
vulnerabilities        package            HIGH Vulnerability found in non-os package type (gem) - /var/lib/gems/2.5.0/specifications/git-1.5.0.gemspec (CVE-2008-5516 - https://nvd.nist.gov/vuln/detail/CVE-2008-5516)                stop                                 
vulnerabilities        package            HIGH Vulnerability found in non-os package type (gem) - /var/lib/gems/2.5.0/specifications/git-1.5.0.gemspec (CVE-2018-19486 - https://nvd.nist.gov/vuln/detail/CVE-2018-19486)              stop

What docker images are you using: A custom one based on ubuntu.

How to reproduce the issue: Run a check on an image based on this Dockerfile:

FROM ubuntu:latest
# Install the OS package "git" plus ruby; -y is required so the non-interactive
# build does not stall at apt's confirmation prompt
RUN apt-get update && \
    apt-get install -y \
      git \
      ruby \
    && \
    rm -rf /var/lib/apt/lists/*

# Install the Ruby gem whose gemspec name is also "git" (ruby-git)
RUN gem install git

Anything else we need to know:

zhill commented 4 years ago

Thanks for the detailed report. This is an issue we're looking into, but currently it is caused by the lack of classification information in the NVD data to disambiguate packages from different package managers but with the same name. In these cases the package managers create implicit namespaces that are often not reflected in NVD's CPE data.

The current best solution is to whitelist those specific findings in your policy bundle: https://docs.anchore.com/current/docs/engine/general/concepts/policy/whitelists/
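To make the namespace problem described in the comment above concrete, here is an added illustration (not Anchore's matching code): a CPE 2.3 parser and two matchers run over a constructed inventory mirroring the report (OS git 2.22.0, gem git 1.5.0). Name-plus-version matching flags the gem against the git-scm CPE exactly as in the report; requiring the CPE's `target_sw` field to name the package's ecosystem separates the two namespaces. The advisory CPEs, fix versions and the `EXAMPLE-GEM-ADVISORY` id are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Package:
    name: str
    version: str
    pkg_type: str  # "dpkg" for the OS package, "gem" for the Ruby gem

@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    cpe: str       # CPE 2.3 formatted string as published with the advisory
    fixed_in: str  # first non-vulnerable version (constructed for this example)

def vtuple(v):
    return tuple(int(x) for x in v.split("."))

def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its named components."""
    keys = ["part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other"]
    fields = cpe.split(":")
    assert fields[:2] == ["cpe", "2.3"] and len(fields) == 13
    return dict(zip(keys, fields[2:]))

# Assumed mapping from package type to the target_sw value that names its ecosystem.
ECOSYSTEM_TARGET_SW = {"gem": "ruby", "npm": "node.js", "python": "python"}

def naive_match(pkg, vuln):
    """Product name and version only: this is how the report's false positive arises."""
    c = parse_cpe23(vuln.cpe)
    return c["product"] == pkg.name and vtuple(pkg.version) < vtuple(vuln.fixed_in)

def namespaced_match(pkg, vuln):
    """Additionally require target_sw to name the package's ecosystem
    (or be unspecified, '*', for OS packages)."""
    if not naive_match(pkg, vuln):
        return False
    want = ECOSYSTEM_TARGET_SW.get(pkg.pkg_type, "*")
    return parse_cpe23(vuln.cpe)["target_sw"] == want

def findings(packages, vulns, matcher):
    return {(p.pkg_type, p.name, v.vuln_id)
            for p in packages for v in vulns if matcher(p, v)}

# Constructed inventory from the report: OS git 2.22.0 and the ruby-git gem 1.5.0.
IMAGE = [Package("git", "2.22.0", "dpkg"), Package("git", "1.5.0", "gem")]
# Constructed advisories: the CVE id is from the report, CPE and fix version are made up.
FEED = [
    Vuln("CVE-2018-19486", "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "2.19.2"),
    Vuln("EXAMPLE-GEM-ADVISORY", "cpe:2.3:a:example:git:*:*:*:*:*:ruby:*:*", "1.6.0"),
]
```

`findings(IMAGE, FEED, naive_match)` reports the gem against CVE-2018-19486, while `findings(IMAGE, FEED, namespaced_match)` keeps only the gem-specific advisory; the OS package at 2.22.0 is not flagged by either.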