Closed Starttoaster closed 7 months ago
It is really annoying to see this showing up now as a vulnerability in every image when doing a rootfs scan using the trivy operator...
I would like to mention that I am on the latest release:
```
NAME            NAMESPACE       REVISION  UPDATED                                  STATUS    CHART                  APP VERSION
trivy-operator  trivy-operator  47        2024-04-22 14:37:46.65427854 +0200 CEST  deployed  trivy-operator-0.22.0  0.20.0
```
From my understanding this fix should be included in v0.20.0. However, it is still showing up in every scan. I have manually excluded it now until further notice using:

```yaml
# ignoreFile: ~
ignoreFile:
  - CVE-2024-3817
```
I see it is coming from ghcr.io/aquasecurity/trivy:0.50.1:

```
trivy image --ignore-unfixed ghcr.io/aquasecurity/trivy:0.50.1
2024-04-22T14:51:14.757+0200 INFO Vulnerability scanning is enabled
2024-04-22T14:51:14.757+0200 INFO Secret scanning is enabled
2024-04-22T14:51:14.757+0200 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-04-22T14:51:14.757+0200 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-04-22T14:51:17.178+0200 INFO Detected OS: alpine
2024-04-22T14:51:17.178+0200 INFO Detecting Alpine vulnerabilities...
2024-04-22T14:51:17.184+0200 INFO Number of language-specific files: 1
2024-04-22T14:51:17.184+0200 INFO Detecting gobinary vulnerabilities...
```

ghcr.io/aquasecurity/trivy:0.50.1 (alpine 3.19.1)

Total: 2 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| libcrypto3 | CVE-2024-2511 | LOW | fixed | 3.1.4-r5 | 3.1.4-r6 | openssl: Unbounded memory growth with session handling in TLSv1.3 (https://avd.aquasec.com/nvd/cve-2024-2511) |
| libssl3 | CVE-2024-2511 | LOW | fixed | 3.1.4-r5 | 3.1.4-r6 | openssl: Unbounded memory growth with session handling in TLSv1.3 (https://avd.aquasec.com/nvd/cve-2024-2511) |

usr/local/bin/trivy (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 1)

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| github.com/hashicorp/go-getter | CVE-2024-3817 | CRITICAL | fixed | v1.7.3 | 1.7.4 | HashiCorp’s go-getter library is vulnerable to argument injection ... (https://avd.aquasec.com/nvd/cve-2024-3817) |
| golang.org/x/net | CVE-2023-45288 | MEDIUM | fixed | v0.21.0 | 0.23.0 | golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (https://avd.aquasec.com/nvd/cve-2023-45288) |
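The scan above shows the confusion at the heart of this thread: the operator's own go.mod was bumped, but the finding lives in the bundled scanner binary (`usr/local/bin/trivy`), a different target in the same report. The following is an added example, not code from the trivy or trivy-operator projects, showing how to triage that from trivy's `-f json` output: locate which target carries a CVE, check whether the installed module version already meets the fixed version (note trivy prints `v1.7.3` for the installed Go module but `1.7.4` for the fix), and apply a `.trivyignore`-style list the way the operator's `ignoreFile` workaround does. The report below is constructed to mirror the two tables in the post; the field names (`Results`, `Target`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`) are assumed to follow trivy's JSON schema.

```python
"""Triage a trivy JSON report: which scan target carries a CVE, is it already
remediated, and what survives an ignore list. Added example, not project code."""
import json
import re
from collections import Counter

# Constructed sample mirroring the scan tables in the post above. This is not
# captured trivy output; the field names are an assumption about trivy's
# `-f json` schema.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "ghcr.io/aquasecurity/trivy:0.50.1",
    "Results": [
        {
            "Target": "ghcr.io/aquasecurity/trivy:0.50.1 (alpine 3.19.1)",
            "Class": "os-pkgs", "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2024-2511", "PkgName": "libcrypto3",
                 "InstalledVersion": "3.1.4-r5", "FixedVersion": "3.1.4-r6",
                 "Status": "fixed", "Severity": "LOW"},
                {"VulnerabilityID": "CVE-2024-2511", "PkgName": "libssl3",
                 "InstalledVersion": "3.1.4-r5", "FixedVersion": "3.1.4-r6",
                 "Status": "fixed", "Severity": "LOW"},
            ],
        },
        {
            "Target": "usr/local/bin/trivy",
            "Class": "lang-pkgs", "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2024-3817",
                 "PkgName": "github.com/hashicorp/go-getter",
                 "InstalledVersion": "v1.7.3", "FixedVersion": "1.7.4",
                 "Status": "fixed", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2023-45288", "PkgName": "golang.org/x/net",
                 "InstalledVersion": "v0.21.0", "FixedVersion": "0.23.0",
                 "Status": "fixed", "Severity": "MEDIUM"},
            ],
        },
    ],
})


def flatten(report_json):
    """One flat dict per (target, package, CVE) so findings can be filtered."""
    report = json.loads(report_json)
    rows = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            rows.append({
                "target": result["Target"],
                "type": result.get("Type"),
                "pkg": v["PkgName"],
                "id": v["VulnerabilityID"],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN"),
            })
    return rows


def locate(report_json, cve_id):
    """Which targets and packages in the image carry this CVE? This answers
    'is it the operator's own dependency or the bundled scanner binary?'."""
    return [(r["target"], r["pkg"], r["installed"], r["fixed"])
            for r in flatten(report_json) if r["id"] == cve_id]


def version_key(ver):
    """Numeric tuple for comparison. Tolerates the 'v' prefix trivy prints on
    Go InstalledVersion but not on FixedVersion, and Alpine '-rN' suffixes.
    Deliberately simple: pre-release tags are not handled."""
    return tuple(int(p) for p in re.findall(r"\d+", ver))


def is_remediated(installed, fixed):
    """True if the installed version already meets the fixed version."""
    return bool(fixed) and version_key(installed) >= version_key(fixed)


def apply_ignore(report_json, ignore_text):
    """Drop findings listed in a .trivyignore-style text (one CVE per line,
    '#' comments allowed), the same effect the operator's ignoreFile has."""
    ignored = {line.strip() for line in ignore_text.splitlines()
               if line.strip() and not line.lstrip().startswith("#")}
    return [r for r in flatten(report_json) if r["id"] not in ignored]


def severity_counts(rows):
    """Severity histogram, like trivy's 'Total:' line but across all targets."""
    return Counter(r["severity"] for r in rows)


if __name__ == "__main__":
    for target, pkg, installed, fixed in locate(SAMPLE_REPORT, "CVE-2024-3817"):
        state = "remediated" if is_remediated(installed, fixed) else "needs bump"
        print(f"{target}: {pkg} {installed} (fixed in {fixed}) -> {state}")
    remaining = apply_ignore(SAMPLE_REPORT, "# temporary, pending scanner bump\nCVE-2024-3817\n")
    print(dict(severity_counts(remaining)))
```

Feed it a real report with `trivy image -f json ghcr.io/aquasecurity/trivy:0.50.1 > report.json` and pass the file contents to `locate`; a hit under `usr/local/bin/trivy` means the bundled scanner needs a new release, not the operator chart.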
@rgarcia89 it's true, it's fixed in trivy-operator
but not in trivy yet. It should be fixed with the next trivy
version; once it is out, I'll bump the trivy version in trivy-operator.
HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches.
See the module entry in go.mod: https://github.com/aquasecurity/trivy-operator/blob/main/go.mod#L173
https://avd.aquasec.com/nvd/2024/cve-2024-3817/ https://nvd.nist.gov/vuln/detail/CVE-2024-3817
This is being classed with a CVE score of 9.8, so this is just a request to update that dependency, where that vulnerability is apparently resolved in v1.7.4: https://github.com/hashicorp/go-getter/releases/tag/v1.7.4