aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

False negative on CVE-2021-37714 #1484

Closed StephGit closed 2 years ago

StephGit commented 2 years ago

Description

I have different scan results with trivy:v0.19.2 and trivy:0.21.2 on the same image. This leads to uncertainty. Maybe I understand something wrong...

What did you expect to happen?

CVE-2021-37714 to show up with both Trivy versions

What happened instead?

CVE-2021-37714 only shows up on trivy:v0.19.2

Output of run with -debug:

scan with v0.19.2 -> CVE-2021-37714 shows up:

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
    -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.19.2 --severity HIGH,CRITICAL my-image
2021-12-16T11:36:30.030Z    DEBUG   Severities: HIGH,CRITICAL
2021-12-16T11:36:30.033Z    DEBUG   cache dir:  /root/.cache/trivy
2021-12-16T11:36:30.033Z    DEBUG   DB update was skipped because DB is the latest
2021-12-16T11:36:30.033Z    DEBUG   DB Schema: 1, Type: 1, UpdatedAt: 2021-12-16 06:40:53.585368258 +0000 UTC, NextUpdate: 2021-12-16 12:40:53.585367658 +0000 UTC, DownloadedAt: 2021-12-16 10:02:24.745767977 +0000 UTC
2021-12-16T11:36:30.033Z    DEBUG   Vulnerability type:  [os library]
2021-12-16T11:36:30.036Z    DEBUG   Image ID: sha256:$$removed$$
2021-12-16T11:36:30.036Z    DEBUG   Diff IDs: [sha256:$$removed$$ sha256:$$removed$$ sha256:$$removed$$ sha256:$$removed$$]
2021-12-16T11:36:30.048Z    INFO    Detected OS: redhat
2021-12-16T11:36:30.048Z    INFO    Detecting RHEL/CentOS vulnerabilities...
2021-12-16T11:36:30.048Z    DEBUG   redhat: os version: 7
2021-12-16T11:36:30.048Z    DEBUG   redhat: the number of packages: 302
2021-12-16T11:36:30.074Z    INFO    Number of language-specific files: 61
2021-12-16T11:36:30.074Z    INFO    Detecting jar vulnerabilities...
2021-12-16T11:36:30.074Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/lib/java/hawtjni/hawtjni-runtime.jar
2021-12-16T11:36:30.074Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/lib/java/jansi-native/jansi-linux64.jar
2021-12-16T11:36:30.074Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/lib/java/jansi-native/jansi-native.jar
2021-12-16T11:36:30.074Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/jsr-305.jar
2021-12-16T11:36:30.074Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/org.eclipse.sisu.inject.jar
2021-12-16T11:36:30.074Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/org.eclipse.sisu.plexus.jar
2021-12-16T11:36:30.074Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/plexus/interpolation.jar
2021-12-16T11:36:30.074Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/plexus/plexus-cipher.jar
2021-12-16T11:36:30.074Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/plexus/plexus-sec-dispatcher.jar
2021-12-16T11:36:30.074Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/plexus/utils.jar
2021-12-16T11:36:30.074Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/commons-cli.jar
2021-12-16T11:36:30.074Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/guava/failureaccess.jar
2021-12-16T11:36:30.074Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/guava/guava.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/jsoup/jsoup.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven-wagon/file.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven-wagon/http-shared.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven-wagon/http.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven-wagon/provider-api.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven/maven-artifact.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven/maven-builder-support.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven/maven-compat.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven/maven-core.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven/maven-embedder.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven/maven-settings-builder.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven/maven-model-builder.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven/maven-model.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven/maven-plugin-api.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven/maven-repository-metadata.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven/maven-resolver-provider.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven/maven-settings.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven/maven-slf4j-provider.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/apache-commons-lang3.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/cdi-api/cdi-api.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/commons-io.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven-shared-utils/maven-shared-utils.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/geronimo-annotation.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/jansi/jansi.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven-resolver/maven-resolver-transport-wagon.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven-resolver/maven-resolver-util.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven-resolver/maven-resolver-api.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven-resolver/maven-resolver-connector-basic.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven-resolver/maven-resolver-impl.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/maven-resolver/maven-resolver-spi.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/plexus-classworlds.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/plexus-containers/plexus-component-annotations.jar
2021-12-16T11:36:30.075Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/slf4j/jcl-over-slf4j.jar
2021-12-16T11:36:30.076Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/slf4j/slf4j-api.jar
2021-12-16T11:36:30.076Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/slf4j/slf4j-nop.jar
2021-12-16T11:36:30.076Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/slf4j/slf4j-simple.jar
2021-12-16T11:36:30.076Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/commons-codec.jar
2021-12-16T11:36:30.076Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/httpcomponents/httpclient.jar
2021-12-16T11:36:30.076Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/httpcomponents/httpcore-nio.jar
2021-12-16T11:36:30.076Z    DEBUG   Detecting library vulnerabilities, type: jar, path: opt/rh/rh-maven36/root/usr/share/java/httpcomponents/httpcore.jar
2021-12-16T11:36:30.076Z    DEBUG   Detecting library vulnerabilities, type: jar, path: usr/share/java/jolokia-jvm-agent/jolokia-jvm.jar
2021-12-16T11:36:30.076Z    DEBUG   Detecting library vulnerabilities, type: jar, path: usr/share/java/prometheus-jmx-exporter/jmx_prometheus_javaagent.jar

my-image
=========================================================================================
Total: 5 (HIGH: 3, CRITICAL: 2)

+--------------+------------------+----------+-------------------+---------------+-----------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                  TITLE                  |
+--------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| glib2        | CVE-2015-8385    | HIGH     | 2.56.1-9.el7_9    |               | pcre: buffer overflow caused            |
|              |                  |          |                   |               | by named forward reference              |
|              |                  |          |                   |               | to duplicate group number...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2015-8385    |
+              +------------------+          +                   +---------------+-----------------------------------------+
|              | CVE-2016-3191    |          |                   |               | pcre: workspace overflow for            |
|              |                  |          |                   |               | (*ACCEPT) with deeply nested            |
|              |                  |          |                   |               | parentheses (8.39/13, 10.22/12)         |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2016-3191    |
+--------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| glibc        | CVE-2019-1010022 | CRITICAL | 2.17-325.el7_9    |               | glibc: stack guard protection bypass    |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+--------------+                  +          +                   +---------------+                                         +
| glibc-common |                  |          |                   |               |                                         |
|              |                  |          |                   |               |                                         |
+--------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| sqlite       | CVE-2019-5827    | HIGH     | 3.7.17-8.el7_7.1  |               | sqlite: out-of-bounds access            |
|              |                  |          |                   |               | due to the use of 32-bit                |
|              |                  |          |                   |               | memory allocator interfaces...          |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-5827    |
+--------------+------------------+----------+-------------------+---------------+-----------------------------------------+

opt/rh/rh-maven36/root/usr/share/java/jsoup/jsoup.jar (jar)
===========================================================
Total: 1 (HIGH: 1, CRITICAL: 0)

+-----------------+------------------+----------+-------------------+---------------+---------------------------------------+
|     LIBRARY     | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+-----------------+------------------+----------+-------------------+---------------+---------------------------------------+
| org.jsoup:jsoup | CVE-2021-37714   | HIGH     | 1.12.1            | 1.14.2        | jsoup: Crafted input may cause the    |
|                 |                  |          |                   |               | jsoup HTML and XML parser to...       |
|                 |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-37714 |
+-----------------+------------------+----------+-------------------+---------------+---------------------------------------+

scan with v0.21.2

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
    -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.21.2 --severity HIGH,CRITICAL my-image
2021-12-16T11:34:16.494Z    DEBUG   Severities: HIGH,CRITICAL
2021-12-16T11:34:16.496Z    DEBUG   cache dir:  /root/.cache/trivy
2021-12-16T11:34:16.496Z    DEBUG   DB update was skipped because DB is the latest
2021-12-16T11:34:16.496Z    DEBUG   DB Schema: 1, Type: 1, UpdatedAt: 2021-12-16 06:40:53.585368258 +0000 UTC, NextUpdate: 2021-12-16 12:40:53.585367658 +0000 UTC, DownloadedAt: 2021-12-16 10:02:24.745767977 +0000 UTC
2021-12-16T11:34:16.496Z    DEBUG   Vulnerability type:  [os library]
2021-12-16T11:34:16.499Z    DEBUG   Image ID: sha256:$$removed$$
2021-12-16T11:34:16.499Z    DEBUG   Diff IDs: [sha256:$$removed$$ sha256:$$removed$$ sha256:$$removed$$ sha256:$$removed$$]
2021-12-16T11:34:16.504Z    INFO    Detected OS: redhat
2021-12-16T11:34:16.505Z    INFO    Detecting RHEL/CentOS vulnerabilities...
2021-12-16T11:34:16.505Z    DEBUG   redhat: os version: 7
2021-12-16T11:34:16.505Z    DEBUG   redhat: the number of packages: 302
2021-12-16T11:34:16.518Z    INFO    Number of language-specific files: 0

my-image
=========================================================================================
Total: 5 (HIGH: 3, CRITICAL: 2)

+--------------+------------------+----------+-------------------+---------------+-----------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                  TITLE                  |
+--------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| glib2        | CVE-2015-8385    | HIGH     | 2.56.1-9.el7_9    |               | pcre: buffer overflow caused            |
|              |                  |          |                   |               | by named forward reference              |
|              |                  |          |                   |               | to duplicate group number...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2015-8385    |
+              +------------------+          +                   +---------------+-----------------------------------------+
|              | CVE-2016-3191    |          |                   |               | pcre: workspace overflow for            |
|              |                  |          |                   |               | (*ACCEPT) with deeply nested            |
|              |                  |          |                   |               | parentheses (8.39/13, 10.22/12)         |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2016-3191    |
+--------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| glibc        | CVE-2019-1010022 | CRITICAL | 2.17-325.el7_9    |               | glibc: stack guard protection bypass    |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+--------------+                  +          +                   +---------------+                                         +
| glibc-common |                  |          |                   |               |                                         |
|              |                  |          |                   |               |                                         |
+--------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| sqlite       | CVE-2019-5827    | HIGH     | 3.7.17-8.el7_7.1  |               | sqlite: out-of-bounds access            |
|              |                  |          |                   |               | due to the use of 32-bit                |
|              |                  |          |                   |               | memory allocator interfaces...          |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-5827    |
+--------------+------------------+----------+-------------------+---------------+-----------------------------------------+
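The two runs above differ in a way the tables alone hide: in 0.19.2 the log reports 61 language-specific files and a separate jar target for jsoup, while in 0.21.2 it reports 0 language-specific files and the jar target is absent altogether. When a scanner upgrade makes a finding vanish, it helps to diff the machine-readable reports rather than eyeball tables, and to distinguish "a CVE dropped from a target that is still scanned" (usually a database or matching change) from "a whole target disappeared" (the analyzer did not run, as a cache or analyzer problem would cause). The script below is an added example, not Trivy project code; it reads two reports produced by trivy --format json and lists findings and targets present in the old report but missing from the new one. The two embedded reports are constructed from the tables in this issue, not captured scanner output, and the handling of both the older top-level-array layout and the SchemaVersion 2 object layout with a Results key is an assumption about Trivy's JSON formats.

```python
"""Diff two Trivy JSON reports of the same image to surface findings that
disappeared between scanner versions (candidate false negatives).

Added example, not part of the Trivy project. Both reports below are
constructed from the issue's tables; they are not real scanner output.
"""
import json

# Constructed report in the older layout (top-level array of results),
# mirroring the 0.19.2 run: five OS findings plus the jsoup jar target.
OLD_REPORT = json.dumps([
    {"Target": "my-image", "Type": "redhat", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2015-8385", "PkgName": "glib2",
         "InstalledVersion": "2.56.1-9.el7_9", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2016-3191", "PkgName": "glib2",
         "InstalledVersion": "2.56.1-9.el7_9", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2019-1010022", "PkgName": "glibc",
         "InstalledVersion": "2.17-325.el7_9", "FixedVersion": "", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2019-1010022", "PkgName": "glibc-common",
         "InstalledVersion": "2.17-325.el7_9", "FixedVersion": "", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2019-5827", "PkgName": "sqlite",
         "InstalledVersion": "3.7.17-8.el7_7.1", "FixedVersion": "", "Severity": "HIGH"},
    ]},
    {"Target": "opt/rh/rh-maven36/root/usr/share/java/jsoup/jsoup.jar", "Type": "jar",
     "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-37714", "PkgName": "org.jsoup:jsoup",
         "InstalledVersion": "1.12.1", "FixedVersion": "1.14.2", "Severity": "HIGH"},
    ]},
])

# Constructed report in the SchemaVersion 2 layout (assumed: object with a
# "Results" key), mirroring the 0.21.2 run: same OS findings, no jar target.
NEW_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "my-image",
    "Results": [
        {"Target": "my-image", "Type": "redhat",
         "Vulnerabilities": json.loads(OLD_REPORT)[0]["Vulnerabilities"]},
    ],
})


def load_results(report_text):
    """Return the list of per-target results from either JSON layout."""
    doc = json.loads(report_text)
    if isinstance(doc, list):          # older layout: the array is the results
        return doc
    return doc.get("Results") or []    # SchemaVersion 2 layout (assumed key)


def findings(report_text):
    """Set of (target, type, package, installed version, vuln id) keys.

    Keying on package and installed version as well as the CVE id keeps the
    two glibc rows for CVE-2019-1010022 distinct, as in the table output.
    """
    keys = set()
    for res in load_results(report_text):
        # "Vulnerabilities" is null when a target has no findings.
        for v in res.get("Vulnerabilities") or []:
            keys.add((res.get("Target"), res.get("Type"), v.get("PkgName"),
                      v.get("InstalledVersion"), v.get("VulnerabilityID")))
    return keys


def compare_reports(old_text, new_text):
    """Return findings dropped/added between reports and targets that vanished."""
    old, new = findings(old_text), findings(new_text)
    old_targets = {r.get("Target") for r in load_results(old_text)}
    new_targets = {r.get("Target") for r in load_results(new_text)}
    return {
        "dropped": sorted(old - new),
        "added": sorted(new - old),
        "missing_targets": sorted(old_targets - new_targets),
    }


if __name__ == "__main__":
    diff = compare_reports(OLD_REPORT, NEW_REPORT)
    for key in diff["dropped"]:
        target, _, pkg, installed, vuln = key
        print(f"DROPPED {vuln} {pkg} {installed} in {target}")
    for target in diff["missing_targets"]:
        print(f"MISSING TARGET {target} (analyzer did not report it at all)")
    if not diff["dropped"] and not diff["missing_targets"]:
        print("no regressions between reports")
```

Run against real output by replacing the two constants with the contents of trivy --format json -o old.json and new.json from each version; a non-empty "missing_targets" list is the signal to look at the analyzer and cache (the report above shares one cache directory between both versions) rather than at the vulnerability database.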

AndreyLevchenko commented 2 years ago

Hi @StephGit, thank you for bringing this up. I did some testing and I was unable to reproduce it with a Dockerfile like

FROM centos:centos7
COPY *.jar /opt/rh/rh-maven36/root/usr/share/java/jsoup/
ENTRYPOINT ["/bin/sh"]

and jsoup-1.12.1.jar. Could you please check if you can reproduce it with my Dockerfile?

Thanks, Andrey

StephGit commented 2 years ago

Hi @AndreyLevchenko

Nope, couldn't reproduce it. In both versions the CVE shows up.

Do you have an idea what could cause this issue?

AndreyLevchenko commented 2 years ago

Hi @StephGit, this is a good question. I suspect it's some cache issue.

StephGit commented 2 years ago

Hi @AndreyLevchenko

It seems that Trivy scans all the artifacts even if the CVEs are already fixed by a parent repo (for example rpm). With usage of --vuln-type os it works fine with 0.19.2.