Closed tonkapango closed 4 years ago
Thanks @tonkapango! I'm looking into it.
@tonkapango I believe this is showing up correctly in the vulnerability report (when you use the -r flag to inline-scan, it generates several reports in a directory). The console/terminal output you see from inline-scan by default is a policy evaluation. Since Canonical currently has this listed with a low priority (https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-13776.html) it won't show up in the policy evaluation by default because inline-scan ships with a rule that only triggers on medium or higher severity.
On June 23, Canonical reset severity from medium to low; before that it was listed as needs-triage, i.e., being researched.
I've copied out the relevant output for CVE-2020-13776 from the vulnerability report for your convenience:
```json
...
{
  "feed": "vulnerabilities",
  "feed_group": "ubuntu:16.04",
  "fix": "None",
  "nvd_data": [
    {
      "cvss_v2": {
        "base_score": 6.2,
        "exploitability_score": 1.9,
        "impact_score": 10.0
      },
      "cvss_v3": {
        "base_score": 6.7,
        "exploitability_score": 0.8,
        "impact_score": 5.9
      },
      "id": "CVE-2020-13776"
    }
  ],
  "package": "libsystemd0-229-4ubuntu21.28",
  "package_cpe": "None",
  "package_cpe23": "None",
  "package_name": "libsystemd0",
  "package_path": "pkgdb",
  "package_type": "dpkg",
  "package_version": "229-4ubuntu21.28",
  "severity": "Low",
  "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-13776",
  "vendor_data": [],
  "vuln": "CVE-2020-13776"
},
...
{
  "feed": "vulnerabilities",
  "feed_group": "ubuntu:16.04",
  "fix": "None",
  "nvd_data": [
    {
      "cvss_v2": {
        "base_score": 6.2,
        "exploitability_score": 1.9,
        "impact_score": 10.0
      },
      "cvss_v3": {
        "base_score": 6.7,
        "exploitability_score": 0.8,
        "impact_score": 5.9
      },
      "id": "CVE-2020-13776"
    }
  ],
  "package": "libudev1-229-4ubuntu21.28",
  "package_cpe": "None",
  "package_cpe23": "None",
  "package_name": "libudev1",
  "package_path": "pkgdb",
  "package_type": "dpkg",
  "package_version": "229-4ubuntu21.28",
  "severity": "Low",
  "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-13776",
  "vendor_data": [],
  "vuln": "CVE-2020-13776"
},
...
{
  "feed": "vulnerabilities",
  "feed_group": "ubuntu:16.04",
  "fix": "None",
  "nvd_data": [
    {
      "cvss_v2": {
        "base_score": 6.2,
        "exploitability_score": 1.9,
        "impact_score": 10.0
      },
      "cvss_v3": {
        "base_score": 6.7,
        "exploitability_score": 0.8,
        "impact_score": 5.9
      },
      "id": "CVE-2020-13776"
    }
  ],
  "package": "systemd-229-4ubuntu21.28",
  "package_cpe": "None",
  "package_cpe23": "None",
  "package_name": "systemd",
  "package_path": "pkgdb",
  "package_type": "dpkg",
  "package_version": "229-4ubuntu21.28",
  "severity": "Low",
  "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-13776",
  "vendor_data": [],
  "vuln": "CVE-2020-13776"
},
...
{
  "feed": "vulnerabilities",
  "feed_group": "ubuntu:16.04",
  "fix": "None",
  "nvd_data": [
    {
      "cvss_v2": {
        "base_score": 6.2,
        "exploitability_score": 1.9,
        "impact_score": 10.0
      },
      "cvss_v3": {
        "base_score": 6.7,
        "exploitability_score": 0.8,
        "impact_score": 5.9
      },
      "id": "CVE-2020-13776"
    }
  ],
  "package": "systemd-sysv-229-4ubuntu21.28",
  "package_cpe": "None",
  "package_cpe23": "None",
  "package_name": "systemd-sysv",
  "package_path": "pkgdb",
  "package_type": "dpkg",
  "package_version": "229-4ubuntu21.28",
  "severity": "Low",
  "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-13776",
  "vendor_data": [],
  "vuln": "CVE-2020-13776"
},
...
```
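To make the gap between the distro severity and the NVD score concrete, here is an added example (not inline-scan's own code) that reads findings shaped like the report entries above, applies a "Medium or higher" distro-severity gate like the default policy, and separately lists findings the gate drops even though their NVD CVSS v3 base score would rate Medium. The top-level `"vulnerabilities"` list, the `SEVERITY_RANK` ordering and the second finding are assumptions constructed for the example.

```python
import json

# Constructed sample in the shape of the vulnerability report quoted above.
# The first entry copies fields from this issue; the second is invented
# (placeholder CVE id) so that the gate has something to raise.
SAMPLE_REPORT = json.loads("""
{"vulnerabilities": [
  {"vuln": "CVE-2020-13776", "package": "systemd-229-4ubuntu21.28",
   "severity": "Low", "fix": "None", "feed_group": "ubuntu:16.04",
   "nvd_data": [{"id": "CVE-2020-13776",
                 "cvss_v3": {"base_score": 6.7, "exploitability_score": 0.8,
                             "impact_score": 5.9}}]},
  {"vuln": "CVE-0000-00001", "package": "examplepkg-1.0",
   "severity": "Medium", "fix": "1.1", "feed_group": "ubuntu:16.04",
   "nvd_data": []}
]}
""")

# Assumed ordering of the distro-assigned severity strings.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2,
                 "Medium": 3, "High": 4, "Critical": 5}

def cvss_v3_severity(score):
    """Qualitative rating for a CVSS v3 base score (v3.0 specification bands)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "Negligible"

def gated(report, threshold="Medium"):
    """Vuln ids a distro-severity gate at `threshold` or higher would raise."""
    floor = SEVERITY_RANK[threshold]
    return sorted(v["vuln"] for v in report["vulnerabilities"]
                  if SEVERITY_RANK.get(v["severity"], 0) >= floor)

def hidden_by_distro_rating(report, threshold="Medium"):
    """Findings under the distro threshold whose NVD v3 score meets it anyway."""
    floor = SEVERITY_RANK[threshold]
    hidden = []
    for v in report["vulnerabilities"]:
        if SEVERITY_RANK.get(v["severity"], 0) >= floor:
            continue  # already raised by the gate
        for nvd in v.get("nvd_data", []):
            score = nvd.get("cvss_v3", {}).get("base_score")
            if score is not None and SEVERITY_RANK[cvss_v3_severity(score)] >= floor:
                hidden.append((v["vuln"], v["package"], v["severity"], score))
                break
    return hidden
```

Run against the sample, `gated()` returns only the Medium placeholder while `hidden_by_distro_rating()` surfaces CVE-2020-13776, which is exactly the finding the default policy evaluation leaves out of the console output.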
The problem
With ubuntu:16.04 it looks like we are missing an alert for CVE-2020-13776 on systemd, which is vulnerable according to Canonical.
Environment
anchore/inline-scan latest c97d1d2ed9ec 7 hours ago 5.9GB
target image: ubuntu 16.04 005d2078bdfa 6 weeks ago 125MB
Details
This ubuntu 16.04 standard image has the (systemd 229-4ubuntu21.27) package, for which Canonical has an advisory with a "Medium" severity rating: https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-13776.html.
Though Canonical calls out that it needs to be triaged, this should still throw an alert.
Actual Behaviour
While there are a number of alerts, we do not see one for CVE-2020-13776 for this version of systemd.
Expected Behaviour
We should see an alert for CVE-2020-13776 for systemd on this image; unless there is some logic suppressing unremediable alerts or very new alerts?
How do you reproduce the error?
thanks! nik