anchore / ci-tools

Contains scripts for running anchore engine in CI pipelines
Apache License 2.0

False Negative vulnerability #38

Closed tonkapango closed 4 years ago

tonkapango commented 4 years ago

The problem

With ubuntu:16.04, it looks like we are missing an alert for CVE-2020-13776 on systemd, which is vulnerable according to Canonical.

Environment

anchore/inline-scan latest c97d1d2ed9ec 7 hours ago 5.9GB

target image: ubuntu 16.04 005d2078bdfa 6 weeks ago 125MB

Details

This ubuntu 16.04 standard image has the systemd 229-4ubuntu21.27 package, for which Canonical has an advisory with a "Medium" severity rating: https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-13776.html.

Though Canonical calls out that it needs to be triaged, this should still throw an alert.

Actual Behaviour

While there are a number of alerts, we do not see one for CVE-2020-13776 for this version of systemd.

Expected Behaviour

We should see an alert for CVE-2020-13776 for systemd on this image; unless there is some logic suppressing unremediable alerts or very new alerts?

How do you reproduce the error?

  1. $ docker pull ubuntu:16.04
  2. Scan with inline-scan and observe that CVE-2020-13776 is not in the list.
  3. $ docker run -it ubuntu:16.04 /bin/bash
  4. $ dpkg -l systemd (this confirms the version).

thanks! nik

robertp commented 4 years ago

Thanks @tonkapango! I'm looking into it.

robertp commented 4 years ago

@tonkapango I believe this is showing up correctly in the vulnerability report (when you use the -r flag to inline-scan, it generates several reports in a directory). The console/terminal output you see from inline-scan by default is a policy evaluation. Since Canonical currently has this listed with a low priority (https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-13776.html) it won't show up in the policy evaluation by default because inline-scan ships with a rule that only triggers on medium or higher severity.

On June 23, Canonical reset severity from medium to low; before that it was listed as needs-triage, i.e., being researched.

I've copied out the relevant output for CVE-2020-13776 from the vulnerability report for your convenience:

    ...
    {
        "feed": "vulnerabilities",
        "feed_group": "ubuntu:16.04",
        "fix": "None",
        "nvd_data": [
            {
                "cvss_v2": {
                    "base_score": 6.2,
                    "exploitability_score": 1.9,
                    "impact_score": 10.0
                },
                "cvss_v3": {
                    "base_score": 6.7,
                    "exploitability_score": 0.8,
                    "impact_score": 5.9
                },
                "id": "CVE-2020-13776"
            }
        ],
        "package": "libsystemd0-229-4ubuntu21.28",
        "package_cpe": "None",
        "package_cpe23": "None",
        "package_name": "libsystemd0",
        "package_path": "pkgdb",
        "package_type": "dpkg",
        "package_version": "229-4ubuntu21.28",
        "severity": "Low",
        "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-13776",
        "vendor_data": [],
        "vuln": "CVE-2020-13776"
    },
    ...
    {
        "feed": "vulnerabilities",
        "feed_group": "ubuntu:16.04",
        "fix": "None",
        "nvd_data": [
            {
                "cvss_v2": {
                    "base_score": 6.2,
                    "exploitability_score": 1.9,
                    "impact_score": 10.0
                },
                "cvss_v3": {
                    "base_score": 6.7,
                    "exploitability_score": 0.8,
                    "impact_score": 5.9
                },
                "id": "CVE-2020-13776"
            }
        ],
        "package": "libudev1-229-4ubuntu21.28",
        "package_cpe": "None",
        "package_cpe23": "None",
        "package_name": "libudev1",
        "package_path": "pkgdb",
        "package_type": "dpkg",
        "package_version": "229-4ubuntu21.28",
        "severity": "Low",
        "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-13776",
        "vendor_data": [],
        "vuln": "CVE-2020-13776"
    },
    ...
    {
        "feed": "vulnerabilities",
        "feed_group": "ubuntu:16.04",
        "fix": "None",
        "nvd_data": [
            {
                "cvss_v2": {
                    "base_score": 6.2,
                    "exploitability_score": 1.9,
                    "impact_score": 10.0
                },
                "cvss_v3": {
                    "base_score": 6.7,
                    "exploitability_score": 0.8,
                    "impact_score": 5.9
                },
                "id": "CVE-2020-13776"
            }
        ],
        "package": "systemd-229-4ubuntu21.28",
        "package_cpe": "None",
        "package_cpe23": "None",
        "package_name": "systemd",
        "package_path": "pkgdb",
        "package_type": "dpkg",
        "package_version": "229-4ubuntu21.28",
        "severity": "Low",
        "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-13776",
        "vendor_data": [],
        "vuln": "CVE-2020-13776"
    },
    ...
    {
        "feed": "vulnerabilities",
        "feed_group": "ubuntu:16.04",
        "fix": "None",
        "nvd_data": [
            {
                "cvss_v2": {
                    "base_score": 6.2,
                    "exploitability_score": 1.9,
                    "impact_score": 10.0
                },
                "cvss_v3": {
                    "base_score": 6.7,
                    "exploitability_score": 0.8,
                    "impact_score": 5.9
                },
                "id": "CVE-2020-13776"
            }
        ],
        "package": "systemd-sysv-229-4ubuntu21.28",
        "package_cpe": "None",
        "package_cpe23": "None",
        "package_name": "systemd-sysv",
        "package_path": "pkgdb",
        "package_type": "dpkg",
        "package_version": "229-4ubuntu21.28",
        "severity": "Low",
        "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-13776",
        "vendor_data": [],
        "vuln": "CVE-2020-13776"
    },
    ...
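The distinction robertp describes, the vulnerability report listing a finding that the default policy gate drops because its vendor severity is below Medium, shown as an added example that is not part of the thread or of anchore's own code. It assumes the report has a top-level "vulnerabilities" list of entries shaped like the ones quoted above, the severity ordering is an assumption based on the labels the engine emits, and the second finding is a constructed placeholder.

```python
import json

# Assumed ordering of the severity labels Anchore emits, lowest to highest.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2,
                 "Medium": 3, "High": 4, "Critical": 5}

# Constructed sample shaped like the inline-scan vulnerability report quoted above.
# The CVE-2020-13776 entry mirrors the real one (vendor severity Low, NVD CVSSv3 6.7);
# the second entry is a placeholder added only to show a finding that clears the gate.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"vuln": "CVE-2020-13776", "package": "systemd-229-4ubuntu21.28",
         "package_name": "systemd", "severity": "Low", "fix": "None",
         "nvd_data": [{"id": "CVE-2020-13776", "cvss_v3": {"base_score": 6.7}}]},
        {"vuln": "CVE-PLACEHOLDER-0001", "package": "examplepkg-1.0",
         "package_name": "examplepkg", "severity": "Medium", "fix": "1.1",
         "nvd_data": []},
    ]
})


def load_findings(report_json):
    """Return the list of vulnerability entries from a report document."""
    return json.loads(report_json)["vulnerabilities"]


def meets_gate(finding, min_severity="Medium"):
    """True if the vendor severity is at or above the policy threshold."""
    return SEVERITY_RANK.get(finding["severity"], 0) >= SEVERITY_RANK[min_severity]


def split_by_gate(findings, min_severity="Medium"):
    """Partition finding ids into (raised by policy, present but below the gate)."""
    shown = [f["vuln"] for f in findings if meets_gate(f, min_severity)]
    hidden = [f["vuln"] for f in findings if not meets_gate(f, min_severity)]
    return shown, hidden


def nvd_score(finding):
    """Highest NVD CVSSv3 base score attached to the finding, or None if absent."""
    scores = [n.get("cvss_v3", {}).get("base_score") for n in finding.get("nvd_data", [])]
    scores = [s for s in scores if s is not None]
    return max(scores) if scores else None


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    shown, hidden = split_by_gate(findings)
    print("raised by default policy:", shown)
    for f in findings:
        if f["vuln"] in hidden:
            print(f"{f['vuln']} on {f['package']}: in report, vendor severity "
                  f"{f['severity']}, NVD CVSSv3 {nvd_score(f)}, below the gate")
```

Lowering the threshold (split_by_gate(findings, "Low")) raises the systemd finding too; comparing the vendor label against nvd_score shows why a gate keyed on Canonical's rating and one keyed on the NVD score disagree for this CVE.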