Closed hideme4u closed 2 years ago
@afdesk @masahiro331 @knqyf263 How does the scanner code itself have vulnerabilities that should be fixed?
@hideme4u thanks for your report! I'm checking it.
upd: I can reproduce this issue for trivy v0.21.1:
$ trivy -d fs --skip-dirs pkg --skip-dirs integration --skip-dirs examples .
I see problems with the following packages: github.com/apache/thrift, github.com/buger/jsonparser, github.com/dgrijalva/jwt-go, github.com/gorilla/handlers, github.com/miekg/dns, github.com/sassoftware/go-rpmutils, github.com/satori/go.uuid and k8s.io/kubernetes.
But the main module does not need these modules. It seems they're used for tests.
@afdesk Thanks for checking. But how did you verify that they are used only for tests and not in the main module? Can you please help?
@hideme4u oh, maybe I missed something. Give me some time.
@afdesk are you fixing this? Please let us know. Thanks for the reply.
@hideme4u yes, I'm investigating it. sure, I'll let you know about the results soon.
@hideme4u thanks for your report about vulnerabilities in trivy.
I investigated these vulns, and our team discussed the result.
At first, trivy doesn't directly use modules with vulnerabilities.
But there are dependencies which contain other dependencies with vulnerabilities. Some of these dependencies don't fully affect us; the other part is known and will take some time to change. We'll do it shortly.
We investigated this issue more.
trivy without examples and integration tests:
$ trivy -d fs --skip-dirs integration/ --skip-dirs examples/ .
and found 5 packages with vulnerabilities: github.com/apache/thrift, github.com/dgrijalva/jwt-go, github.com/miekg/dns, github.com/satori/go.uuid and k8s.io/kubernetes.
I've built the last version of trivy:
$ go build cmd/trivy/main.go
./main:
$ go version -m ./main | grep thrift
$ go version -m ./main | grep dgrijalva
$ go version -m ./main | grep dns
$ go version -m ./main | grep satori
$ go version -m ./main | grep kubernetes
trivy executable files don't contain dependencies with vulnerabilities.
maybe should we close this issue? ;)
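The `go version -m` check in the comment above answers the question asked earlier in the thread: whether a module that appears in go.sum was actually compiled into the executable. go.sum carries checksums for every module the go command ever had to consult, including modules needed only to build the tests of a dependency, so scanning go.sum over-reports; the build info embedded in the binary only lists modules that contributed packages to the link. As an added example that is not part of this thread and not trivy's own code, the following Go program parses the text format printed by `go version -m` (sample output constructed here, with a shortened module list and placeholder h1: sums) and reports which of a list of suspect modules were linked. It also handles the `=>` line that Go emits for a `replace` directive, so a module that was replaced (the common dgrijalva/jwt-go to golang-jwt/jwt swap is used as the constructed case) is reported under the path whose code was actually compiled in, not under the original path.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// sampleBuildInfo is a constructed stand-in for the text printed by
// `go version -m ./main`. It is not the output of a real trivy build: the
// module list is shortened, the pseudo-version and the h1: sums are placeholders.
// A `=>` line applies to the `dep`/`mod` line immediately before it.
const sampleBuildInfo = "./main: go1.17.1\n" +
	"\tpath\tgithub.com/aquasecurity/trivy/cmd/trivy\n" +
	"\tmod\tgithub.com/aquasecurity/trivy\t(devel)\t\n" +
	"\tdep\tgithub.com/aquasecurity/fanal\tv0.0.0-20211001000000-000000000000\th1:AAAA=\n" +
	"\tdep\tgithub.com/spf13/cobra\tv1.2.1\th1:BBBB=\n" +
	"\tdep\tgithub.com/dgrijalva/jwt-go\tv3.2.0+incompatible\n" +
	"\t=>\tgithub.com/golang-jwt/jwt\tv3.2.2+incompatible\th1:CCCC=\n"

// Module is one `mod` or `dep` entry from the embedded build info.
type Module struct {
	Path       string
	Version    string
	Sum        string
	ReplacedBy *Module // set when a `=>` line follows this entry
}

// ParseBuildInfo parses `go version -m` output. Fields are tab separated and
// each module line is indented by one tab; the first line ("./main: go1.x")
// and the `path` line have fewer than three fields and are skipped.
func ParseBuildInfo(out string) []Module {
	var mods []Module
	for _, line := range strings.Split(out, "\n") {
		f := strings.Split(strings.TrimPrefix(line, "\t"), "\t")
		if len(f) < 3 {
			continue
		}
		m := Module{Path: f[1], Version: f[2]}
		if len(f) > 3 {
			m.Sum = f[3]
		}
		switch f[0] {
		case "mod", "dep":
			mods = append(mods, m)
		case "=>":
			// Replacement for the preceding entry; ignore a stray `=>`.
			if len(mods) > 0 {
				r := m
				mods[len(mods)-1].ReplacedBy = &r
			}
		}
	}
	return mods
}

// Linked returns, for each suspect module path that was linked into the
// binary, the version that was linked. A replaced module counts under its
// replacement path, because that is the source that was compiled.
func Linked(mods []Module, suspects []string) map[string]string {
	effective := make(map[string]string, len(mods))
	for _, m := range mods {
		if m.ReplacedBy != nil {
			effective[m.ReplacedBy.Path] = m.ReplacedBy.Version
			continue
		}
		effective[m.Path] = m.Version
	}
	found := map[string]string{}
	for _, s := range suspects {
		if v, ok := effective[s]; ok {
			found[s] = v
		}
	}
	return found
}

func main() {
	// The five modules from the thread plus the replacement used in the sample.
	suspects := []string{
		"github.com/apache/thrift",
		"github.com/dgrijalva/jwt-go",
		"github.com/miekg/dns",
		"github.com/satori/go.uuid",
		"k8s.io/kubernetes",
		"github.com/golang-jwt/jwt",
	}
	found := Linked(ParseBuildInfo(sampleBuildInfo), suspects)
	sort.Strings(suspects)
	for _, s := range suspects {
		if v, ok := found[s]; ok {
			fmt.Printf("LINKED  %s %s\n", s, v)
		} else {
			fmt.Printf("absent  %s\n", s)
		}
	}
}
```

On a real binary, pipe `go version -m ./main` into this parser instead of the constructed sample. The useful result is the negative one: a module absent from the build info contributed no packages to the link, which is what the empty `grep` lines above show. Presence means at least one package of that module was linked, not that the vulnerable function is reachable; to see which dependency drags a module in, `go mod why -m <module>` gives the import chain from the main module.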
This issue is stale because it has been labeled with inactivity.
Description
Trivy source code, when scanned using the Trivy binary, shows a few vulnerabilities in it.
What did you expect to happen?
In the Trivy scanner code there should not be any vulnerabilities.
What happened instead?
Trivy scanner showed vulnerabilities in its own code base.
Output of run with -debug:
Output of trivy -v:
trivy -v Version: 0.20.0 Vulnerability DB:
go.sum (gomod)
Total: 22 (UNKNOWN: 2, LOW: 0, MEDIUM: 12, HIGH: 8, CRITICAL: 0)
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
| github.com/apache/thrift | CVE-2019-0205 | HIGH | 0.12.0 | 0.13.0 | thrift: Endless loop when feed with specific input data -->avd.aquasec.com/nvd/cve-2019-0205 |
... (remaining rows truncated in the report; the last visible row has the title "kubectl cp ..." -->avd.aquasec.com/nvd/cve-2019-1002101)
Additional details (base image name, container registry info...):