anchore / anchore-engine

A service that analyzes docker images and scans for vulnerabilities
Apache License 2.0

Capture and use Implementation-Title and/or Specification-Title in MANIFEST.MF for java detectors #574

Open zhill opened 4 years ago

zhill commented 4 years ago

If present, the analyzer should be able to use the Implementation-Title and/or Specification-Title from MANIFEST.MF in the java analyzer.

Specifically, if Implementation-Title and Implementation-Version are set those should have higher priority than Specification-Title and Specification-Version if both are present.

Can review other fields as appropriate. Should add clear tests that clearly demonstrate the prioritization and behavior.
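The prioritization described above, as an added example rather than code from anchore-engine: a small MANIFEST.MF main-section parser (handling the JAR-spec continuation lines that split long values) plus a selector that prefers Implementation-Title/Version over Specification-Title/Version and otherwise falls back to a hypothetical name-version split of the filename. The manifest text is constructed for the example.

```python
import re

# Constructed sample manifest (not from any real artifact). The folded
# Implementation-Version shows the JAR-spec continuation rule: a line that
# starts with a single space extends the previous header's value.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Specification-Title: Example Spec\r\n"
    "Specification-Version: 5.2\r\n"
    "Implementation-Title: example-lib\r\n"
    "Implementation-Version: 5.2.2.RELE\r\n"
    " ASE\r\n"
    "Created-By: 1.8.0 (Vendor)\r\n"
)

def parse_manifest(text):
    """Parse the main MANIFEST.MF section; stop at the first blank line
    (per-entry sections carry no identity) and skip malformed lines."""
    headers, last_key = {}, None
    for raw in text.splitlines():
        if raw == "":
            break
        if raw.startswith(" ") and last_key is not None:
            headers[last_key] += raw[1:]  # continuation of previous value
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        last_key = key.strip()
        headers[last_key] = value.strip()
    return headers

def _usable(value):
    """Missing, blank and literal N/A values count as absent."""
    return bool(value) and value.strip() not in ("", "N/A")

def identify_jar(headers, filename):
    """Return (name, version, source). Implementation-* wins when both
    Title and Version are set, then Specification-*, then a hypothetical
    name-version split of the filename (e.g. spring-core-5.2.2.RELEASE.jar)."""
    for prefix in ("Implementation", "Specification"):
        name = headers.get(prefix + "-Title")
        version = headers.get(prefix + "-Version")
        if _usable(name) and _usable(version):
            return name, version, prefix.lower()
    m = re.match(r"^(.+?)-(\d[\w.\-]*?)(?:\.jar)?$", filename)
    if m:
        return m.group(1), m.group(2), "filename"
    return None, None, "unknown"
```

The returned `source` field makes the chosen precedence visible in tests, which is what a matcher needs in order to explain why a JAR did or did not get a version and therefore a CVE match.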

jeugene commented 4 years ago

Issue Severity: High

Anchore CLI content scan results do not have Specification-Version and Implementation-Version for the majority of JARs

Anchore CVE scan does not report the JARs below (example case). The DB has CVE info.

  1. cxf-rt-transports-http-2.7.18.jar -> CVE-2019-17573
  2. plexus-utils-1.0.4 -> CVE-2017-1000487
  3. spring-core-5.2.2.RELEASE.jar -> CVE-2016-1000027
  4. spring-security-core-5.2.1.RELEASE -> CVE-2020-5408
  5. spring-security-crypto-5.2.1.RELEASE ->
  6. hibernate-validator-5.0.2.Final.jar -> CVE-2014-3558
  7. hibernate-validator : 6.0.18.Final -> CVE-2020-10693

zhill commented 4 years ago

Issue Severity: High

Anchore CLI content scan results do not have Specification-Version and Implementation-Version for the majority of JARs

  • Command -> anchore-cli image content $imageId java
  • Total jars: 358
  • Specification-Version N/A or Blank value count: 309
  • Implementation-Version N/A or Blank count: 309
  • The test result shows 309/358 JARs have NO version and are hence excluded from CVE reports?

Anchore CVE scan does not report the JARs below (example case). The DB has CVE info.

  1. cxf-rt-transports-http-2.7.18.jar -> CVE-2019-17573
  2. plexus-utils-1.0.4 -> CVE-2017-1000487
  3. spring-core-5.2.2.RELEASE.jar -> CVE-2016-1000027
  4. spring-security-core-5.2.1.RELEASE -> CVE-2020-5408
  5. spring-security-crypto-5.2.1.RELEASE ->
  6. hibernate-validator-5.0.2.Final.jar -> CVE-2014-3558
  7. hibernate-validator : 6.0.18.Final -> CVE-2020-10693

Thanks @jeugene do you have an image we can produce those results from, or is that a private image you're referencing?