aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

Trivy code shows some vulnerabilities by Trivy Scanner itself #1439

Closed hideme4u closed 2 years ago

hideme4u commented 2 years ago

Description

Trivy source code, when scanned using the Trivy binary, shows a few vulnerabilities in it.

What did you expect to happen?

In Trivy scanner code there should not be any vulnerabilities.

What happened instead?

Trivy scanner showed vulnerabilities in its own code base.

Output of run with -debug:

(paste your output here)

Output of trivy -v:

trivy -v Version: 0.20.0 Vulnerability DB:

(paste your output here)

go.sum (gomod)

Total: 22 (UNKNOWN: 2, LOW: 0, MEDIUM: 12, HIGH: 8, CRITICAL: 0)

+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+
|              LIBRARY               | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION         |             FIXED VERSION             |                  TITLE                  |
+------------------------------------+------------------+----------+-----------------------------------+---------------------------------------+-----------------------------------------+
| github.com/apache/thrift           | CVE-2019-0205    | HIGH     | 0.12.0                            | 0.13.0                                | thrift: Endless loop when               |
|                                    |                  |          |                                   |                                       | feed with specific input data           |
|                                    |                  |          |                                   |                                       | -->avd.aquasec.com/nvd/cve-2019-0205    |

Additional details (base image name, container registry info...):

hideme4u commented 2 years ago

@afdesk @masahiro331 @knqyf263 How does the scanner code itself have vulnerabilities that should be fixed?

afdesk commented 2 years ago

@hideme4u thanks for your report! I'm checking it

upd: I can reproduce this issue for trivy v0.21.1:

$ trivy -d fs --skip-dirs pkg --skip-dirs integration --skip-dirs examples .

afdesk commented 2 years ago

I see problems with the following packages: github.com/apache/thrift, github.com/buger/jsonparser, github.com/dgrijalva/jwt-go, github.com/gorilla/handlers, github.com/miekg/dns, github.com/sassoftware/go-rpmutils, github.com/satori/go.uuid and k8s.io/kubernetes.

But the main module does not need these modules. It seems they're used for tests.

hideme4u commented 2 years ago

@afdesk Thanks for checking. But how did you verify they are used only for tests, not in the main module? Can you please help?

afdesk commented 2 years ago

@hideme4u Oh, maybe I missed something. Give me some time.

hideme4u commented 2 years ago

@afdesk are you fixing this? Please let us know. Thanks for the reply.

afdesk commented 2 years ago

@hideme4u Yes, I'm investigating it. Sure, I'll let you know about the results soon.

afdesk commented 2 years ago

@hideme4u thanks for your report about vulnerabilities in trivy. I investigated these vulns, and our team discussed the result.

At first, trivy doesn't directly use modules with vulnerabilities.

But there are dependencies which contain other dependencies with vulnerabilities. Some of these dependencies don't completely affect us. The other part is known and takes time to change; we'll do it shortly.

afdesk commented 2 years ago

We investigated this issue more.

  1. At first, I've run trivy without examples and integration tests:
    $ trivy -d fs --skip-dirs integration/ --skip-dirs examples/ .

    and found 5 packages with vulnerabilities: github.com/apache/thrift, github.com/dgrijalva/jwt-go, github.com/miekg/dns, github.com/satori/go.uuid and k8s.io/kubernetes.

  2. I've built the last version of trivy:
    $ go build cmd/trivy/main.go

  3. And then, I've checked the new ./main:
    $ go version -m ./main | grep thrift
    $ go version -m ./main | grep dgrijalva
    $ go version -m ./main | grep dns
    $ go version -m ./main | grep satori
    $ go version -m ./main | grep kubernetes

    The trivy executable doesn't contain dependencies with vulnerabilities.

maybe should we close this issue? ;)
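The step-3 check above, written as a reusable script (an added example, not the Trivy project's own code): it separates what go.sum lists (the whole module graph, test-only and indirect modules included) from what `go version -m` reports as actually linked into the built binary, and prints only the flagged modules that reach the executable. The sample `go version -m` output, its versions and sums are constructed; the real output's tab-indented kind/path/version layout is an assumption.

```shell
#!/bin/sh
# Added example (not Trivy project code): check whether modules that Trivy
# flagged in go.sum are really linked into the built executable. go.sum lists
# the whole module graph, including test-only and indirect modules, whereas
# `go version -m BINARY` lists only what the linker embedded.

# Constructed stand-in for `go version -m ./main` output. Assumed format:
# a header line, then tab-indented "<kind> <path> <version> [<sum>]" lines.
SAMPLE_GO_VERSION_M=$(printf '%b\n' \
    './main: go1.17.2' \
    '\tpath\tgithub.com/aquasecurity/trivy/cmd/trivy' \
    '\tmod\tgithub.com/aquasecurity/trivy\t(devel)' \
    '\tdep\tgithub.com/gorilla/handlers\tv1.5.1\th1:CONSTRUCTED1' \
    '\tdep\tgithub.com/miekg/dns\tv1.1.43\th1:CONSTRUCTED2' \
    '\tdep\tgolang.org/x/text\tv0.3.7\th1:CONSTRUCTED3')

# Modules Trivy reported for go.sum in this thread (step 1 above).
FLAGGED_MODULES='github.com/apache/thrift
github.com/dgrijalva/jwt-go
github.com/miekg/dns
github.com/satori/go.uuid
k8s.io/kubernetes'

# linked_modules TEXT: module paths embedded in the binary ("mod" and "dep"
# lines); "path" and "build" lines are skipped. awk's default field
# splitting drops the leading tab, so $1 is the kind and $2 the module path.
linked_modules() {
    printf '%s\n' "$1" | awk '$1 == "mod" || $1 == "dep" { print $2 }'
}

# flagged_in_binary TEXT FLAGGED: prints each flagged module that is linked.
# Empty output means the go.sum findings never reach the executable.
flagged_in_binary() {
    linked=$(linked_modules "$1")
    printf '%s\n' "$2" | while IFS= read -r mod; do
        [ -n "$mod" ] || continue
        if printf '%s\n' "$linked" | grep -qxF -- "$mod"; then
            printf '%s\n' "$mod"
        fi
    done
}

# check_binary BINARY FLAGGED: the same check against a real build, e.g.
#   go build cmd/trivy/main.go && check_binary ./main "$FLAGGED_MODULES"
check_binary() {
    flagged_in_binary "$(go version -m "$1")" "$2"
}

# Demo on the constructed sample (prints github.com/miekg/dns, the one
# flagged module this sample binary actually links).
flagged_in_binary "$SAMPLE_GO_VERSION_M" "$FLAGGED_MODULES"
```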

github-actions[bot] commented 2 years ago

This issue is stale because it has been labeled with inactivity.