anchore / anchore-engine

A service that analyzes docker images and scans for vulnerabilities
Apache License 2.0

multiple FPs for the npm analyzer / vuln feed #606

Open StefanCenusa opened 4 years ago

StefanCenusa commented 4 years ago

Is this a request for help?: Yes

Is this a BUG REPORT or a FEATURE REQUEST? (choose one): BUG REPORT

Version of Anchore Engine and Anchore CLI if applicable:

anchore-cli --version
anchore-cli, version 0.8.0

What happened: I've been scanning images with anchore-engine for a while and I've noticed some false positives for the npm packages.

What did you expect to happen: Non-npm related CVEs to be ignored for npm packages.

How to reproduce the issue: I've built 2 images specially to reproduce this issue: https://hub.docker.com/repository/docker/stefancenusa/normal-pancake

The base tag is only a republish of node:12.18.3-slim. The 1.0.1 tag starts from the base tag and adds a few npm packages I've noticed trigger FPs.

Here's how anchore-engine analyses them (I've filtered only for >= Medium):

This is the base: legit npm packages and vulnerabilities.

anchore-cli image vuln docker.io/stefancenusa/normal-pancake:base all

Vulnerability ID        Package                                 Severity          Fix         CVE Refs                Vulnerability URL                                                   Type        Feed Group        Package Path
CVE-2020-8116           dot-prop-4.2.0                          High              None        CVE-2020-8116           https://nvd.nist.gov/vuln/detail/CVE-2020-8116                      npm         nvdv2:cves        /usr/local/lib/node_modules/npm/node_modules/dot-prop/package.json
CVE-2020-7608           yargs-parser-9.0.2                      Medium            None        CVE-2020-7608           https://nvd.nist.gov/vuln/detail/CVE-2020-7608                      npm         nvdv2:cves        /usr/local/lib/node_modules/npm/node_modules/yargs-parser/package.json

Now, the 1.0.1 image, after I've installed only a few npm modules:

anchore-cli image vuln docker.io/stefancenusa/normal-pancake:1.0.1 all
Vulnerability ID        Package                                 Severity          Fix         CVE Refs                Vulnerability URL                                                   Type        Feed Group        Package Path
CVE-2018-11218          redis-3.0.2                             Critical          None        CVE-2018-11218          https://nvd.nist.gov/vuln/detail/CVE-2018-11218                     npm         nvdv2:cves        /app/node_modules/redis/package.json
CVE-2018-11219          redis-3.0.2                             Critical          None        CVE-2018-11219          https://nvd.nist.gov/vuln/detail/CVE-2018-11219                     npm         nvdv2:cves        /app/node_modules/redis/package.json
CVE-2015-8080           redis-3.0.2                             High              None        CVE-2015-8080           https://nvd.nist.gov/vuln/detail/CVE-2015-8080                      npm         nvdv2:cves        /app/node_modules/redis/package.json
CVE-2016-10517          redis-3.0.2                             High              None        CVE-2016-10517          https://nvd.nist.gov/vuln/detail/CVE-2016-10517                     npm         nvdv2:cves        /app/node_modules/redis/package.json
CVE-2017-18589          cookie-0.4.0                            High              None        CVE-2017-18589          https://nvd.nist.gov/vuln/detail/CVE-2017-18589                     npm         nvdv2:cves        /app/node_modules/cookie/package.json
CVE-2018-12326          redis-3.0.2                             High              None        CVE-2018-12326          https://nvd.nist.gov/vuln/detail/CVE-2018-12326                     npm         nvdv2:cves        /app/node_modules/redis/package.json
CVE-2018-12453          redis-3.0.2                             High              None        CVE-2018-12453          https://nvd.nist.gov/vuln/detail/CVE-2018-12453                     npm         nvdv2:cves        /app/node_modules/redis/package.json
CVE-2019-10192          redis-3.0.2                             High              None        CVE-2019-10192          https://nvd.nist.gov/vuln/detail/CVE-2019-10192                     npm         nvdv2:cves        /app/node_modules/redis/package.json
CVE-2019-10193          redis-3.0.2                             High              None        CVE-2019-10193          https://nvd.nist.gov/vuln/detail/CVE-2019-10193                     npm         nvdv2:cves        /app/node_modules/redis/package.json
CVE-2019-2386           mongodb-3.6.1                           High              None        CVE-2019-2386           https://nvd.nist.gov/vuln/detail/CVE-2019-2386                      npm         nvdv2:cves        /app/node_modules/mongodb/package.json
CVE-2019-2390           mongodb-3.6.1                           High              None        CVE-2019-2390           https://nvd.nist.gov/vuln/detail/CVE-2019-2390                      npm         nvdv2:cves        /app/node_modules/mongodb/package.json
CVE-2020-14147          redis-3.0.2                             High              None        CVE-2020-14147          https://nvd.nist.gov/vuln/detail/CVE-2020-14147                     npm         nvdv2:cves        /app/node_modules/redis/package.json
CVE-2020-8116           dot-prop-4.2.0                          High              None        CVE-2020-8116           https://nvd.nist.gov/vuln/detail/CVE-2020-8116                      npm         nvdv2:cves        /usr/local/lib/node_modules/npm/node_modules/dot-prop/package.json
CVE-2013-7458           redis-3.0.2                             Low               None        CVE-2013-7458           https://nvd.nist.gov/vuln/detail/CVE-2013-7458                      npm         nvdv2:cves        /app/node_modules/redis/package.json
CVE-2019-2389           mongodb-3.6.1                           Medium            None        CVE-2019-2389           https://nvd.nist.gov/vuln/detail/CVE-2019-2389                      npm         nvdv2:cves        /app/node_modules/mongodb/package.json
CVE-2020-7608           yargs-parser-9.0.2                      Medium            None        CVE-2020-7608           https://nvd.nist.gov/vuln/detail/CVE-2020-7608                      npm         nvdv2:cves        /usr/local/lib/node_modules/npm/node_modules/yargs-parser/package.json
CVE-2020-7921           mongodb-3.6.1                           Medium            None        CVE-2020-7921           https://nvd.nist.gov/vuln/detail/CVE-2020-7921                      npm         nvdv2:cves        /app/node_modules/mongodb/package.json

Here, there are multiple FPs:

Is there a way to limit these FPs? Is this a vulnerability feed issue, or is anchore-engine not properly matching the vulnerability type with the content it scanned?

Anything else we need to know:

anchore-cli system feeds list

Feed                   Group                  LastSync                          RecordCount
github                 github:composer        2020-09-03T05:28:28.370489        124
github                 github:gem             2020-09-03T05:28:26.139169        363
github                 github:java            2020-09-03T05:27:58.638594        519
github                 github:npm             2020-09-03T05:27:59.893892        1091
github                 github:nuget           2020-09-03T05:28:27.350026        53
github                 github:python          2020-09-03T05:28:24.970441        297
nvdv2                  nvdv2:cves             2020-09-03T05:27:56.617175        149112
vulnerabilities        alpine:3.10            2020-09-03T05:27:43.461532        2023
vulnerabilities        alpine:3.11            2020-09-03T05:27:52.172196        2188
vulnerabilities        alpine:3.12            2020-09-03T09:20:29.365895        2370
vulnerabilities        alpine:3.2             2020-09-03T05:27:42.360492        303
vulnerabilities        alpine:3.3             2020-09-03T09:19:46.443507        470
vulnerabilities        alpine:3.4             2020-09-03T05:27:39.887990        681
vulnerabilities        alpine:3.5             2020-09-03T05:27:54.713983        901
vulnerabilities        alpine:3.6             2020-09-03T05:27:47.350858        1076
vulnerabilities        alpine:3.7             2020-09-03T05:27:48.612006        1407
vulnerabilities        alpine:3.8             2020-09-03T05:27:46.279100        1623
vulnerabilities        alpine:3.9             2020-09-03T05:27:49.675145        1834
vulnerabilities        amzn:2                 2020-09-03T05:27:51.041601        421
vulnerabilities        centos:5               2020-09-03T09:19:44.262564        1347
vulnerabilities        centos:6               2020-09-03T09:20:52.312976        1424
vulnerabilities        centos:7               2020-09-03T09:47:14.684779        1097
vulnerabilities        centos:8               2020-09-03T09:47:40.428459        328
vulnerabilities        debian:10              2020-09-03T05:27:38.246791        23424
vulnerabilities        debian:11              2020-09-03T09:21:12.267968        20607
vulnerabilities        debian:7               2020-09-03T05:27:53.471083        20455
vulnerabilities        debian:8               2020-09-03T09:19:50.674480        24058
vulnerabilities        debian:9               2020-09-03T09:47:45.710479        23466
vulnerabilities        debian:unstable        2020-09-03T09:47:22.696962        24944
vulnerabilities        ol:5                   2020-09-03T09:48:29.602708        1249
vulnerabilities        ol:6                   2020-09-03T09:47:57.026232        1560
vulnerabilities        ol:7                   2020-09-03T05:27:14.601319        1250
vulnerabilities        ol:8                   2020-09-03T05:27:17.705268        277
vulnerabilities        rhel:5                 2020-09-03T05:27:35.494667        7378
vulnerabilities        rhel:6                 2020-09-03T09:20:39.889377        7032
vulnerabilities        rhel:7                 2020-09-03T09:24:01.776346        6397
vulnerabilities        rhel:8                 2020-09-03T05:27:30.036228        2024
vulnerabilities        ubuntu:12.04           2020-09-03T09:21:02.039455        14962
vulnerabilities        ubuntu:12.10           2020-09-03T09:19:57.428199        5652
vulnerabilities        ubuntu:13.04           2020-09-03T05:27:19.024773        4127
vulnerabilities        ubuntu:14.04           2020-09-03T05:27:16.071430        22602
vulnerabilities        ubuntu:14.10           2020-09-03T09:47:33.906484        4456
vulnerabilities        ubuntu:15.04           2020-09-03T09:47:28.784122        5944
vulnerabilities        ubuntu:15.10           2020-09-03T05:27:36.943115        6513
vulnerabilities        ubuntu:16.04           2020-09-03T05:27:34.176312        19714
vulnerabilities        ubuntu:16.10           2020-09-03T09:21:21.834102        8647
vulnerabilities        ubuntu:17.04           2020-09-03T09:20:04.949449        9157
vulnerabilities        ubuntu:17.10           2020-09-03T09:20:13.033683        7943
vulnerabilities        ubuntu:18.04           2020-09-03T09:24:23.434592        13973
vulnerabilities        ubuntu:18.10           2020-09-03T09:48:18.375990        8398
vulnerabilities        ubuntu:19.04           2020-09-03T05:27:41.179583        8667
vulnerabilities        ubuntu:19.10           2020-09-03T05:27:45.026383        8424
vulnerabilities        ubuntu:20.04           2020-09-03T09:21:30.053401        7805
zhill commented 4 years ago

@StefanCenusa thanks for reporting this. We're looking into how we can better match the ecosystem (often not specified in the NVD data directly) so that we can handle name-conflicts across ecosystems better. You're seeing this in the redis and mongodb matches where the package name for both the client and server is basically the same. We should have some improvements arriving in the next feature release (0.9.0) that will consider more of the metadata about the package to help reduce these false positives.

StefanCenusa commented 4 years ago

@zhill On the same note, I've just found another interesting FP

CVE-2014-5002           lynx-0.2.0                              High              None        CVE-2014-5002           https://nvd.nist.gov/vuln/detail/CVE-2014-5002                      npm         nvdv2:cves        /service/node_modules/lynx/package.json

This npm package matches an NVD entry for cpe:2.3:a:lynx_project:lynx:*:*:*:*:*:ruby:*:*

Will this type of issue be fixed in 0.9.0?
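
The lynx match quoted above is a case where the NVD record does name its ecosystem (the CPE 2.3 `target_sw` field is `ruby`) and a name-only matcher ignores it. As an added example, not code from anchore-engine or grype, here is a minimal ecosystem-aware matcher in Python: it parses CPE 2.3 formatted strings, accepts a match only when `target_sw` agrees with the package's ecosystem, rejects it when `target_sw` names a different ecosystem, and flags for manual review the wildcard case that the redis/mongodb server collisions fall into. The lynx CPE is the one quoted in this issue; every other CPE string, the vulnerability IDs attached to them, and the package list are constructed sample data, not real NVD content.

```python
"""Ecosystem-aware CPE matching for language packages (added example).

Demonstrates why a name-only match between an npm package and an NVD CPE
yields the false positives in this issue, and how the CPE 2.3 `target_sw`
field can reject some of them. Not anchore-engine or grype code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# CPE 2.3 formatted string: 13 colon-separated components. Literal colons
# inside a component are escaped as "\:", so we split on unescaped colons only.
CPE_FIELDS = ("cpe", "cpe_version", "part", "vendor", "product", "version",
              "update", "edition", "language", "sw_edition", "target_sw",
              "target_hw", "other")
_UNESCAPED_COLON = re.compile(r"(?<!\\):")

# target_sw values that plausibly describe a package from each ecosystem.
# "*" (ANY) and "-" (NA) carry no ecosystem information and are handled apart.
ECOSYSTEM_TARGET_SW = {
    "npm": {"node.js", "nodejs", "npm"},
    "gem": {"ruby", "rubygems"},
    "python": {"python"},
    "cargo": {"rust"},
}


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    ecosystem: str  # "npm", "gem", "python", "cargo"


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str
    cpe: str


def parse_cpe23(cpe: str) -> Dict[str, str]:
    """Split a CPE 2.3 formatted string into its named components."""
    parts = _UNESCAPED_COLON.split(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, parts))


def name_only_match(pkg: Package, rec: VulnRecord) -> bool:
    """The naive rule: same product name, nothing else. Produces the FPs."""
    return parse_cpe23(rec.cpe)["product"] == pkg.name.lower()


def ecosystem_match(pkg: Package, rec: VulnRecord) -> str:
    """Return 'match', 'reject' or 'review' for one package/CPE pair.

    Version ranges are deliberately not checked: in NVD they live in the
    configuration node (versionStartIncluding etc.), not in the CPE string.
    """
    c = parse_cpe23(rec.cpe)
    if c["part"] != "a" or c["product"] != pkg.name.lower():
        return "reject"
    target_sw = c["target_sw"].lower()
    if target_sw in ECOSYSTEM_TARGET_SW.get(pkg.ecosystem, set()):
        return "match"          # NVD names our ecosystem explicitly
    if target_sw in ("*", "-"):
        # NVD gave no ecosystem. Name collisions with server software
        # (redis, mongodb) land here; the CPE alone cannot settle them.
        return "review"
    return "reject"             # NVD names a different ecosystem (e.g. ruby)


def triage(packages: List[Package],
           records: List[VulnRecord]) -> List[Tuple[str, str, str]]:
    """For every name-only hit, report what the ecosystem-aware rule says."""
    return [(pkg.name, rec.vuln_id, ecosystem_match(pkg, rec))
            for pkg in packages for rec in records
            if name_only_match(pkg, rec)]


# The lynx CPE is quoted in this issue; the rest are constructed samples.
LYNX_CPE = "cpe:2.3:a:lynx_project:lynx:*:*:*:*:*:ruby:*:*"
SAMPLE_RECORDS = [
    VulnRecord("CVE-2014-5002", LYNX_CPE),
    VulnRecord("CONSTRUCTED-REDIS-SERVER", "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*"),
    VulnRecord("CONSTRUCTED-MONGODB-SERVER", "cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*"),
    VulnRecord("CONSTRUCTED-DOT-PROP", "cpe:2.3:a:dot-prop_project:dot-prop:*:*:*:*:*:node.js:*:*"),
]
SAMPLE_PACKAGES = [  # constructed npm SBOM slice mirroring the issue's images
    Package("lynx", "0.2.0", "npm"),
    Package("redis", "3.0.2", "npm"),
    Package("mongodb", "3.6.1", "npm"),
    Package("dot-prop", "4.2.0", "npm"),
]

if __name__ == "__main__":
    for name, vuln_id, decision in triage(SAMPLE_PACKAGES, SAMPLE_RECORDS):
        print(f"{name:10} {vuln_id:28} {decision}")
```

The `review` bucket is the honest outcome for CPEs whose `target_sw` is `*`: nothing in the CPE string itself says whether it describes the server or a client library, so those hits need extra signals (vendor/product metadata, or corroboration from an ecosystem-specific feed such as github:npm) rather than a blanket drop, which is exactly the risk of a global whitelist.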

StefanCenusa commented 4 years ago

@zhill any updates on this issue?

From the example above, even though the NVD specifies the right package type, it seems that anchore fails and matches it with an NPM package.

Although whitelisting vulnerabilities is an option, it requires extra work for each image in order to be compliant with some security standards. Is there an ETA for 0.9.0?

Thank you!

StefanCenusa commented 3 years ago

I've just tested the same scenario on anchore-engine 0.9.0. Here are the results:

Base image with default npm vulns:

anchore-cli image vuln docker.io/stefancenusa/normal-pancake:base all

Vulnerability ID           Package                                 Severity          Fix           CVE Refs                Vulnerability URL                                                   Type        Feed Group        Package Path
CVE-2020-7754              npm-user-validate-1.0.0                 High              None          CVE-2020-7754           https://nvd.nist.gov/vuln/detail/CVE-2020-7754                      npm         nvdv2:cves        /usr/local/lib/node_modules/npm/node_modules/npm-user-validate/package.json
CVE-2020-7774              y18n-3.2.1                              High              None          CVE-2020-7774           https://nvd.nist.gov/vuln/detail/CVE-2020-7774                      npm         nvdv2:cves        /usr/local/lib/node_modules/npm/node_modules/yargs/node_modules/y18n/package.json
CVE-2020-7774              y18n-4.0.0                              High              None          CVE-2020-7774           https://nvd.nist.gov/vuln/detail/CVE-2020-7774                      npm         nvdv2:cves        /usr/local/lib/node_modules/npm/node_modules/y18n/package.json
GHSA-ff7x-qrg7-qggm        dot-prop-4.2.0                          High              4.2.1         CVE-2020-8116           https://github.com/advisories/GHSA-ff7x-qrg7-qggm                   npm         github:npm        /usr/local/lib/node_modules/npm/node_modules/dot-prop/package.json

Now the 1.0.1 version, with some npm packages installed:

anchore-cli image vuln docker.io/stefancenusa/normal-pancake:1.0.1 all

Vulnerability ID           Package                                 Severity          Fix           CVE Refs                Vulnerability URL                                                   Type        Feed Group        Package Path
CVE-2018-11218             redis-3.0.2                             Critical          None          CVE-2018-11218          https://nvd.nist.gov/vuln/detail/CVE-2018-11218                     npm         nvdv2:cves        /app/node_modules/redis/package.json
CVE-2018-11219             redis-3.0.2                             Critical          None          CVE-2018-11219          https://nvd.nist.gov/vuln/detail/CVE-2018-11219                     npm         nvdv2:cves        /app/node_modules/redis/package.json
CVE-2015-8080              redis-3.0.2                             High              None          CVE-2015-8080           https://nvd.nist.gov/vuln/detail/CVE-2015-8080                      npm         nvdv2:cves        /app/node_modules/redis/package.json
CVE-2016-10517             redis-3.0.2                             High              None          CVE-2016-10517          https://nvd.nist.gov/vuln/detail/CVE-2016-10517                     npm         nvdv2:cves        /app/node_modules/redis/package.json
CVE-2017-18589             cookie-0.4.0                            High              None          CVE-2017-18589          https://nvd.nist.gov/vuln/detail/CVE-2017-18589                     npm         nvdv2:cves        /app/node_modules/cookie/package.json
CVE-2018-12326             redis-3.0.2                             High              None          CVE-2018-12326          https://nvd.nist.gov/vuln/detail/CVE-2018-12326                     npm         nvdv2:cves        /app/node_modules/redis/package.json
CVE-2018-12453             redis-3.0.2                             High              None          CVE-2018-12453          https://nvd.nist.gov/vuln/detail/CVE-2018-12453                     npm         nvdv2:cves        /app/node_modules/redis/package.json
CVE-2019-10192             redis-3.0.2                             High              None          CVE-2019-10192          https://nvd.nist.gov/vuln/detail/CVE-2019-10192                     npm         nvdv2:cves        /app/node_modules/redis/package.json
CVE-2019-10193             redis-3.0.2                             High              None          CVE-2019-10193          https://nvd.nist.gov/vuln/detail/CVE-2019-10193                     npm         nvdv2:cves        /app/node_modules/redis/package.json
CVE-2019-20925             mongodb-3.6.1                           High              None          CVE-2019-20925          https://nvd.nist.gov/vuln/detail/CVE-2019-20925                     npm         nvdv2:cves        /app/node_modules/mongodb/package.json
CVE-2019-2386              mongodb-3.6.1                           High              None          CVE-2019-2386           https://nvd.nist.gov/vuln/detail/CVE-2019-2386                      npm         nvdv2:cves        /app/node_modules/mongodb/package.json
CVE-2019-2390              mongodb-3.6.1                           High              None          CVE-2019-2390           https://nvd.nist.gov/vuln/detail/CVE-2019-2390                      npm         nvdv2:cves        /app/node_modules/mongodb/package.json
CVE-2020-14147             redis-3.0.2                             High              None          CVE-2020-14147          https://nvd.nist.gov/vuln/detail/CVE-2020-14147                     npm         nvdv2:cves        /app/node_modules/redis/package.json
CVE-2020-7754              npm-user-validate-1.0.0                 High              None          CVE-2020-7754           https://nvd.nist.gov/vuln/detail/CVE-2020-7754                      npm         nvdv2:cves        /usr/local/lib/node_modules/npm/node_modules/npm-user-validate/package.json
CVE-2020-7774              y18n-3.2.1                              High              None          CVE-2020-7774           https://nvd.nist.gov/vuln/detail/CVE-2020-7774                      npm         nvdv2:cves        /usr/local/lib/node_modules/npm/node_modules/yargs/node_modules/y18n/package.json
CVE-2020-7774              y18n-4.0.0                              High              None          CVE-2020-7774           https://nvd.nist.gov/vuln/detail/CVE-2020-7774                      npm         nvdv2:cves        /usr/local/lib/node_modules/npm/node_modules/y18n/package.json
GHSA-ff7x-qrg7-qggm        dot-prop-4.2.0                          High              4.2.1         CVE-2020-8116           https://github.com/advisories/GHSA-ff7x-qrg7-qggm                   npm         github:npm        /usr/local/lib/node_modules/npm/node_modules/dot-prop/package.json

As you can notice, the issue still persists: the same FPs are detected by anchore-engine 0.9.0.

Here, there are multiple FPs:

  • The mongodb and redis vulnerabilities are actually for the servers (see CVEs description), not the npm packages - which are clients for those two databases.
  • The cookie CVE is actually for a Rust crate, not an npm package - https://nvd.nist.gov/vuln/detail/CVE-2017-18589

Here's the feed list status:

anchore-cli system feeds list
Feed                   Group                  LastSync                    RecordCount
github                 github:composer        2021-01-18T14:38:03Z        161
github                 github:gem             2021-01-18T14:38:05Z        375
github                 github:java            2021-01-18T14:38:01Z        546
github                 github:npm             2021-01-18T14:38:02Z        1634
github                 github:nuget           2021-01-18T14:38:06Z        62
github                 github:python          2021-01-18T14:37:59Z        366
nvdv2                  nvdv2:cves             2021-01-18T14:37:56Z        156356
vulnerabilities        alpine:3.10            2021-01-18T14:37:43Z        2113
vulnerabilities        alpine:3.11            2021-01-18T14:37:38Z        2309
vulnerabilities        alpine:3.12            2021-01-18T14:37:27Z        2603
vulnerabilities        alpine:3.2             2021-01-18T14:37:29Z        305
vulnerabilities        alpine:3.3             2021-01-18T14:37:46Z        470
vulnerabilities        alpine:3.4             2021-01-18T14:37:39Z        682
vulnerabilities        alpine:3.5             2021-01-18T14:37:47Z        902
vulnerabilities        alpine:3.6             2021-01-18T14:36:53Z        1077
vulnerabilities        alpine:3.7             2021-01-18T14:37:01Z        1412
vulnerabilities        alpine:3.8             2021-01-18T14:37:48Z        1625
vulnerabilities        alpine:3.9             2021-01-18T14:37:31Z        1902
vulnerabilities        amzn:2                 2021-01-18T14:37:13Z        522
vulnerabilities        centos:5               2021-01-18T14:37:51Z        1347
vulnerabilities        centos:6               2021-01-18T14:37:19Z        1443
vulnerabilities        centos:7               2021-01-18T14:36:59Z        1208
vulnerabilities        centos:8               2021-01-18T14:37:24Z        457
vulnerabilities        debian:10              2021-01-18T14:37:36Z        24224
vulnerabilities        debian:11              2021-01-18T14:37:41Z        21545
vulnerabilities        debian:7               2021-01-18T14:37:21Z        20455
vulnerabilities        debian:8               2021-01-18T14:37:14Z        24058
vulnerabilities        debian:9               2021-01-18T14:37:22Z        24211
vulnerabilities        debian:unstable        2021-01-18T14:36:50Z        26015
vulnerabilities        ol:5                   2021-01-18T14:37:02Z        1255
vulnerabilities        ol:6                   2021-01-18T14:37:33Z        1613
vulnerabilities        ol:7                   2021-01-18T14:36:56Z        1431
vulnerabilities        ol:8                   2021-01-18T14:37:35Z        397
vulnerabilities        rhel:5                 2021-01-18T14:37:50Z        7385
vulnerabilities        rhel:6                 2021-01-18T14:36:47Z        7242
vulnerabilities        rhel:7                 2021-01-18T14:37:26Z        6655
vulnerabilities        rhel:8                 2021-01-18T14:36:58Z        2439
vulnerabilities        ubuntu:12.04           2021-01-18T14:37:40Z        14962
vulnerabilities        ubuntu:12.10           2021-01-18T14:37:16Z        5652
vulnerabilities        ubuntu:13.04           2021-01-18T14:37:17Z        4127
vulnerabilities        ubuntu:14.04           2021-01-18T14:37:05Z        23790
vulnerabilities        ubuntu:14.10           2021-01-18T14:36:49Z        4456
vulnerabilities        ubuntu:15.04           2021-01-18T14:37:04Z        5995
vulnerabilities        ubuntu:15.10           2021-01-18T14:36:55Z        6513
vulnerabilities        ubuntu:16.04           2021-01-18T14:37:11Z        20908
vulnerabilities        ubuntu:16.10           2021-01-18T14:37:32Z        8647
vulnerabilities        ubuntu:17.04           2021-01-18T14:37:09Z        9157
vulnerabilities        ubuntu:17.10           2021-01-18T14:36:52Z        7943
vulnerabilities        ubuntu:18.04           2021-01-18T14:37:53Z        15170
vulnerabilities        ubuntu:18.10           2021-01-18T14:37:54Z        8399
vulnerabilities        ubuntu:19.04           2021-01-18T14:37:06Z        8668
vulnerabilities        ubuntu:19.10           2021-01-18T14:37:44Z        8429
vulnerabilities        ubuntu:20.04           2021-01-18T14:37:08Z        9020

Is there something I'm doing wrong such that I don't see any improvements?

Thank you!

StefanCenusa commented 3 years ago

I've tried it out with grype too, freshly installed.

Base image:

grype docker.io/stefancenusa/normal-pancake:base

 ✔ Vulnerability DB     [no update available]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged image      [515 packages]
 ✔ Scanned image        [168 vulnerabilities]

NAME               INSTALLED              FIXED-IN  VULNERABILITY        SEVERITY   
dot-prop           4.2.0                  4.2.1     GHSA-ff7x-qrg7-qggm  High        
dot-prop           4.2.0                            CVE-2020-8116        High        
editor             1.0.0                            CVE-2015-0903        High           
ini                1.3.5                            CVE-2020-7788        High          
libblkid1          2.29.2-1+deb9u1                  CVE-2016-2779        High        
libbz2-1.0         1.0.6-8.1                        CVE-2019-12900       High         
libc-bin           2.24-11+deb9u4                   CVE-2018-6485        High        
libc-bin           2.24-11+deb9u4                   CVE-2018-6551        High            
libc-bin           2.24-11+deb9u4                   CVE-2018-1000001     High        
libc-bin           2.24-11+deb9u4                   CVE-2019-9169        High           
libc-bin           2.24-11+deb9u4                   CVE-2019-25013       High        
libc6              2.24-11+deb9u4                   CVE-2018-6485        High        
libc6              2.24-11+deb9u4                   CVE-2018-6551        High           
libc6              2.24-11+deb9u4                   CVE-2018-1000001     High        
libc6              2.24-11+deb9u4                   CVE-2019-9169        High         
libc6              2.24-11+deb9u4                   CVE-2019-25013       High         
libfdisk1          2.29.2-1+deb9u1                  CVE-2016-2779        High         
libmount1          2.29.2-1+deb9u1                  CVE-2016-2779        High        
libsmartcols1      2.29.2-1+deb9u1                  CVE-2016-2779        High        
libuuid1           2.29.2-1+deb9u1                  CVE-2016-2779        High        
login              1:4.4-4.1                        CVE-2017-12424       High          
mount              2.29.2-1+deb9u1                  CVE-2016-2779        High         
multiarch-support  2.24-11+deb9u4                   CVE-2018-6485        High        
multiarch-support  2.24-11+deb9u4                   CVE-2018-6551        High          
multiarch-support  2.24-11+deb9u4                   CVE-2018-1000001     High        
multiarch-support  2.24-11+deb9u4                   CVE-2019-9169        High        
multiarch-support  2.24-11+deb9u4                   CVE-2019-25013       High                
npm-user-validate  1.0.0                            CVE-2020-7754        High        
passwd             1:4.4-4.1                        CVE-2017-12424       High         
rc                 1.2.8                            CVE-2014-1936        High        
tar                4.4.13                           CVE-2007-4476        High        
util-linux         2.29.2-1+deb9u1                  CVE-2016-2779        High        
y18n               3.2.1                            CVE-2020-7774        High        
y18n               4.0.0                            CVE-2020-7774        High            

Now the 1.0.1 version, with some npm packages installed:

grype docker.io/stefancenusa/normal-pancake:1.0.1

 ✔ Vulnerability DB     [no update available]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged image      [543 packages]
 ✔ Scanned image        [197 vulnerabilities]

NAME               INSTALLED              FIXED-IN  VULNERABILITY        SEVERITY   
app                1.0.0                            CVE-2018-13661       High         
bson                                                CVE-2015-4411        High        
bson               1.1.5                            CVE-2015-4411        High        
cookie             0.4.0                            CVE-2017-18589       High        
dot-prop           4.2.0                  4.2.1     GHSA-ff7x-qrg7-qggm  High        
dot-prop           4.2.0                            CVE-2020-8116        High        
editor             1.0.0                            CVE-2015-0903        High            
ini                1.3.5                            CVE-2020-7788        High          
libblkid1          2.29.2-1+deb9u1                  CVE-2016-2779        High        
libbz2-1.0         1.0.6-8.1                        CVE-2019-12900       High         
libc-bin           2.24-11+deb9u4                   CVE-2018-6485        High        
libc-bin           2.24-11+deb9u4                   CVE-2018-6551        High              
libc-bin           2.24-11+deb9u4                   CVE-2018-1000001     High        
libc-bin           2.24-11+deb9u4                   CVE-2019-9169        High         
libc-bin           2.24-11+deb9u4                   CVE-2019-25013       High            
libc6              2.24-11+deb9u4                   CVE-2018-6485        High        
libc6              2.24-11+deb9u4                   CVE-2018-6551        High              
libc6              2.24-11+deb9u4                   CVE-2018-1000001     High        
libc6              2.24-11+deb9u4                   CVE-2019-9169        High         
libc6              2.24-11+deb9u4                   CVE-2019-25013       High             
libfdisk1          2.29.2-1+deb9u1                  CVE-2016-2779        High          
libmount1          2.29.2-1+deb9u1                  CVE-2016-2779        High        
libsmartcols1      2.29.2-1+deb9u1                  CVE-2016-2779        High        
libuuid1           2.29.2-1+deb9u1                  CVE-2016-2779        High         
login              1:4.4-4.1                        CVE-2017-12424       High          
mongodb            3.6.1                            CVE-2017-18381       Critical    
mongodb            3.6.1                            CVE-2017-2665        High           
mongodb            3.6.1                            CVE-2019-2390        High        
mongodb            3.6.1                            CVE-2019-2386        High          
mongodb            3.6.1                            CVE-2019-20925       High        
mount              2.29.2-1+deb9u1                  CVE-2016-2779        High          
multiarch-support  2.24-11+deb9u4                   CVE-2018-6485        High        
multiarch-support  2.24-11+deb9u4                   CVE-2018-6551        High             
multiarch-support  2.24-11+deb9u4                   CVE-2018-1000001     High        
multiarch-support  2.24-11+deb9u4                   CVE-2019-9169        High           
multiarch-support  2.24-11+deb9u4                   CVE-2019-25013       High                
npm-user-validate  1.0.0                            CVE-2020-7754        High        
passwd             1:4.4-4.1                        CVE-2017-12424       High        
rc                 1.2.8                            CVE-2014-1936        High        
redis              3.0.2                            CVE-2018-11219       Critical    
redis              3.0.2                            CVE-2018-12326       High        
redis              3.0.2                            CVE-2018-12453       High         
redis              3.0.2                            CVE-2015-8080        High        
redis              3.0.2                            CVE-2016-10517       High        
redis              3.0.2                            CVE-2019-10192       High        
redis              3.0.2                            CVE-2019-10193       High        
redis              3.0.2                            CVE-2018-11218       Critical    
redis              3.0.2                            CVE-2020-14147       High        
tar                4.4.13                           CVE-2007-4476        High        
util-linux         2.29.2-1+deb9u1                  CVE-2016-2779        High        
y18n               4.0.0                            CVE-2020-7774        High        
y18n               3.2.1                            CVE-2020-7774        High        

Unfortunately, multiple major FPs are still present.

zhill commented 3 years ago

Thanks @StefanCenusa, we're looking at these in 2 categories: incorrect ecosystem (e.g. redis server vs redis clients for python, ruby, etc.) and some duplicate entries in the SBoM due to distros re-packaging application packages (e.g. python stuff) in a way that our detectors see 2 packages when it should really only be one package with a version update indicating backports were made by the distro vendor instead of upstream. Most of that work will be happening in the Grype project, which we'll be integrating into Engine in the next feature release, so keep an eye there (also makes it easier to test :) ). Thanks for the data points and good detail here, we know these can be hard to deal with so we're working on improvements.

StefanCenusa commented 3 years ago

Got it, thanks for the explanation! Unfortunately, these FPs are a real pain when scanning all running images from multiple Kubernetes clusters. You end up with hundreds of High or Critical vulnerabilities triggered by these client libs of redis/mongodb. A global policy whitelisting them is not an option, since there could be cases where someone deploys a vulnerable server, and thus a security issue would be overlooked. We'll wait for the next release 🤞🏻

Just for a clarification: when you say that Grype will be integrated into Engine, this means that anchore-engine will still be maintained and will not split in separate projects, right?