aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

Ubuntu ESM support #1663

Closed. skothandan closed this issue 1 year ago.

skothandan commented 2 years ago

Description

We run scanning for container images that use the Ubuntu 16.04 OS, using Trivy 0.23.0. It did not detect all vulnerabilities in OS libraries (it was supposed to detect the CVEs below, which were detected in Tenable.io CS): CVE-2021-3520, CVE-2017-8872, CVE-2021-3518, CVE-2021-3517, CVE-2021-25217, CVE-2021-3541, CVE-2020-24977, CVE-2020-13529, CVE-2021-33910, CVE-2021-25219

What did you expect to happen?

It should have detected all fixable and unfixable vulnerabilities in OS libraries.

What happened instead?

It detected only unfixed vulnerabilities, and not the above CVEs.

Output of run with --debug:

trivy -d image --list-all-pkgs --vuln-type os,library  rancher:5000/cst-pool:1.7

2022-02-01T07:02:31.889Z    DEBUG  Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-02-01T07:02:31.944Z    DEBUG  cache dir:  /home/raja/.cache/trivy
2022-02-01T07:02:31.947Z    DEBUG  DB update was skipped because the local DB was downloaded during the last hour
2022-02-01T07:02:31.947Z    DEBUG  DB Schema: 2, UpdatedAt: 2022-02-01 00:09:30.978200921 +0000 UTC, NextUpdate: 2022-02-01 06:09:30.978200821 +0000 UTC, DownloadedAt: 2022-02-01 06:03:18.202673282 +0000 UTC
2022-02-01T07:02:31.947Z    DEBUG  Vulnerability type:  [os]
2022-02-01T07:02:31.951Z    DEBUG  Image ID: sha256:41c6dc448dd831268d6b9735245728397385a5b63ca4bb74a689a0d501a873c7
2022-02-01T07:02:31.952Z    DEBUG  Diff IDs: [sha256:739482a9723dbee6dbdad6b669090e96d5f57e2aa27c131015cce8969d0d4efa sha256:e15278fccccab1f49ca48ed430acc3859d7a072a5cf1ca6491898ebc1035ec05 sha256:49652298c7790339b0d8f9ec4dd4692ace5edb1fba4aa6d8703d4c1943d43246 sha256:4c54072a50349809bcd1e8d196112308935a6cb41a6b3eff007a7a7a2a1d38f5 sha256:89ddbc58787993ae107abebea8f2780ea877efb83837c1f9036b88411e4bb7ac sha256:8c843b91d43f45ea0437722e15861c3b0112f57eb4a88e2ae90a45a02dafbfbc sha256:089d9b3a6645a6e7611190bb20d7ac4f5c7aa150e053f484636ca6076a6f2b46 sha256:b5b4824dea51fdedd2ef38e2036781eef9e1d3389b8b3221f75c486e03add0e9 sha256:05eb3f4a1e1c2942a60320bc3d6a493aebc016428c3aa79da79c5061e83e3383 sha256:ebf484259847b666e9be730ee00430c984c83d98d62e62cbff90c2cb4c818405 sha256:f7c9e8ecbb8edbe7c8d8b44778d8ad7155ea534ec2b5916d77b185ed2377a5d0 sha256:9dc2ee3f175bd822fba8c230e4002d35a6bfaf8509af60c4c65ce4959b201e5f sha256:671b779389e789d6454570801eb19e979c6ae9ea26a538eba23955cf102c8cae sha256:1f02d1b3a5eee148d9a22c4bd22ccedcf132e9f44817688b718fb81e00afb365 sha256:c2947fa685d65e566e42e54d48222207171c155262914d75e84cfc3c8cd4bf27 sha256:433b0e7c7775598254bfc01deaa69a6f7a52549a1c0f3a8b02d3dd3b57fb4550 sha256:3b7bc80b29b230a74917d84dfc70ee4dfda6b98b5283ecac7916a52566ca7c17 sha256:6ee01c20a2efe353a037d1eb66f1e18f8b3d3b3aa712bbf242b67a96f0a61904 sha256:476df25a0d88c6b7e733d524fa1c3c21aadc759d8dad838966af5f2b68d1a353 sha256:32d2dda69882edd53652f0092b9e3f90ea7cc1f292f037ea6eddf80abc622b3e]
2022-02-01T07:02:31.954Z    DEBUG  Missing diff ID: sha256:32d2dda69882edd53652f0092b9e3f90ea7cc1f292f037ea6eddf80abc622b3e
2022-02-01T07:02:31.954Z    DEBUG  Missing diff ID: sha256:739482a9723dbee6dbdad6b669090e96d5f57e2aa27c131015cce8969d0d4efa
2022-02-01T07:02:31.954Z    DEBUG  Missing diff ID: sha256:e15278fccccab1f49ca48ed430acc3859d7a072a5cf1ca6491898ebc1035ec05
2022-02-01T07:02:31.954Z    DEBUG  Missing diff ID: sha256:49652298c7790339b0d8f9ec4dd4692ace5edb1fba4aa6d8703d4c1943d43246
2022-02-01T07:02:31.954Z    DEBUG  Missing diff ID: sha256:4c54072a50349809bcd1e8d196112308935a6cb41a6b3eff007a7a7a2a1d38f5
2022-02-01T07:02:31.954Z    DEBUG  Missing diff ID: sha256:89ddbc58787993ae107abebea8f2780ea877efb83837c1f9036b88411e4bb7ac
2022-02-01T07:02:31.954Z    DEBUG  Missing diff ID: sha256:8c843b91d43f45ea0437722e15861c3b0112f57eb4a88e2ae90a45a02dafbfbc
2022-02-01T07:02:31.954Z    DEBUG  Missing diff ID: sha256:089d9b3a6645a6e7611190bb20d7ac4f5c7aa150e053f484636ca6076a6f2b46
2022-02-01T07:02:31.954Z    DEBUG  Missing diff ID: sha256:b5b4824dea51fdedd2ef38e2036781eef9e1d3389b8b3221f75c486e03add0e9
2022-02-01T07:02:31.954Z    DEBUG  Missing diff ID: sha256:05eb3f4a1e1c2942a60320bc3d6a493aebc016428c3aa79da79c5061e83e3383
2022-02-01T07:02:31.954Z    DEBUG  Missing diff ID: sha256:ebf484259847b666e9be730ee00430c984c83d98d62e62cbff90c2cb4c818405
2022-02-01T07:02:31.954Z    DEBUG  Missing diff ID: sha256:f7c9e8ecbb8edbe7c8d8b44778d8ad7155ea534ec2b5916d77b185ed2377a5d0
2022-02-01T07:02:31.954Z    DEBUG  Missing diff ID: sha256:9dc2ee3f175bd822fba8c230e4002d35a6bfaf8509af60c4c65ce4959b201e5f
2022-02-01T07:02:31.954Z    DEBUG  Missing diff ID: sha256:671b779389e789d6454570801eb19e979c6ae9ea26a538eba23955cf102c8cae
2022-02-01T07:02:31.954Z    DEBUG  Missing diff ID: sha256:1f02d1b3a5eee148d9a22c4bd22ccedcf132e9f44817688b718fb81e00afb365
2022-02-01T07:02:31.954Z    DEBUG  Missing diff ID: sha256:c2947fa685d65e566e42e54d48222207171c155262914d75e84cfc3c8cd4bf27
2022-02-01T07:02:31.954Z    DEBUG  Missing diff ID: sha256:433b0e7c7775598254bfc01deaa69a6f7a52549a1c0f3a8b02d3dd3b57fb4550
2022-02-01T07:02:31.954Z    DEBUG  Missing diff ID: sha256:3b7bc80b29b230a74917d84dfc70ee4dfda6b98b5283ecac7916a52566ca7c17
2022-02-01T07:02:31.954Z    DEBUG  Missing diff ID: sha256:6ee01c20a2efe353a037d1eb66f1e18f8b3d3b3aa712bbf242b67a96f0a61904
2022-02-01T07:02:31.954Z    DEBUG  Missing diff ID: sha256:476df25a0d88c6b7e733d524fa1c3c21aadc759d8dad838966af5f2b68d1a353
2022-02-01T07:03:24.112Z    INFO   Detected OS: ubuntu
2022-02-01T07:03:24.121Z    INFO   Detecting Ubuntu vulnerabilities...
2022-02-01T07:03:24.121Z    DEBUG  ubuntu: os version: 16.04
2022-02-01T07:03:24.121Z    DEBUG  ubuntu: the number of packages: 204

rancher:5000/cstor-pool:1.7.0-3122021 (ubuntu 16.04)
====================================================
Total: 19 (UNKNOWN: 0, LOW: 10, MEDIUM: 9, HIGH: 0, CRITICAL: 0)

+----------------------+------------------+----------+-------------------------+---------------+---------------------------------------+
|       LIBRARY        | VULNERABILITY ID | SEVERITY |    INSTALLED VERSION    | FIXED VERSION |                 TITLE                 |
+----------------------+------------------+----------+-------------------------+---------------+---------------------------------------+
| libc-bin             | CVE-2021-38604   | MEDIUM   | 2.23-0ubuntu11.3        |               | glibc: NULL pointer dereference in    |
|                      |                  |          |                         |               | helper_thread() in mq_notify.c while  |
|                      |                  |          |                         |               | handling NOTIFY_REMOVED messages...   |
|                      |                  |          |                         |               | -->avd.aquasec.com/nvd/cve-2021-38604 |
+                      +------------------+----------+                         +---------------+---------------------------------------+
|                      | CVE-2021-33574   | LOW      |                         |               | glibc: mq_notify does                 |
|                      |                  |          |                         |               | not handle separately                 |
|                      |                  |          |                         |               | allocated thread attributes           |
|                      |                  |          |                         |               | -->avd.aquasec.com/nvd/cve-2021-33574 |
+                      +------------------+          +                         +---------------+---------------------------------------+
|                      | CVE-2021-35942   |          |                         |               | glibc: Arbitrary read in wordexp()    |
|                      |                  |          |                         |               | -->avd.aquasec.com/nvd/cve-2021-35942 |
+----------------------+------------------+----------+                         +---------------+---------------------------------------+
| libc6                | CVE-2021-38604   | MEDIUM   |                         |               | glibc: NULL pointer dereference in    |
|                      |                  |          |                         |               | helper_thread() in mq_notify.c while  |
|                      |                  |          |                         |               | handling NOTIFY_REMOVED messages...   |
|                      |                  |          |                         |               | -->avd.aquasec.com/nvd/cve-2021-38604 |
+                      +------------------+----------+                         +---------------+---------------------------------------+
|                      | CVE-2021-33574   | LOW      |                         |               | glibc: mq_notify does                 |
|                      |                  |          |                         |               | not handle separately                 |
|                      |                  |          |                         |               | allocated thread attributes           |
|                      |                  |          |                         |               | -->avd.aquasec.com/nvd/cve-2021-33574 |
+                      +------------------+          +                         +---------------+---------------------------------------+
|                      | CVE-2021-35942   |          |                         |               | glibc: Arbitrary read in wordexp()    |
|                      |                  |          |                         |               | -->avd.aquasec.com/nvd/cve-2021-35942 |
+----------------------+------------------+----------+                         +---------------+---------------------------------------+
| libc6-dbg            | CVE-2021-38604   | MEDIUM   |                         |               | glibc: NULL pointer dereference in    |
|                      |                  |          |                         |               | helper_thread() in mq_notify.c while  |
|                      |                  |          |                         |               | handling NOTIFY_REMOVED messages...   |
|                      |                  |          |                         |               | -->avd.aquasec.com/nvd/cve-2021-38604 |
+                      +------------------+----------+                         +---------------+---------------------------------------+
|                      | CVE-2021-33574   | LOW      |                         |               | glibc: mq_notify does                 |
|                      |                  |          |                         |               | not handle separately                 |
|                      |                  |          |                         |               | allocated thread attributes           |
|                      |                  |          |                         |               | -->avd.aquasec.com/nvd/cve-2021-33574 |
+                      +------------------+          +                         +---------------+---------------------------------------+
|                      | CVE-2021-35942   |          |                         |               | glibc: Arbitrary read in wordexp()    |
|                      |                  |          |                         |               | -->avd.aquasec.com/nvd/cve-2021-35942 |
+----------------------+------------------+----------+-------------------------+---------------+---------------------------------------+
| libexpat1            | CVE-2022-23852   | MEDIUM   | 2.1.0-7ubuntu0.16.04.5  |               | expat: integer overflow               |
|                      |                  |          |                         |               | in function XML_GetBuffer             |
|                      |                  |          |                         |               | -->avd.aquasec.com/nvd/cve-2022-23852 |
+                      +------------------+          +                         +---------------+---------------------------------------+
|                      | CVE-2022-23990   |          |                         |               | expat: integer overflow               |
|                      |                  |          |                         |               | in the doProlog function              |
|                      |                  |          |                         |               | -->avd.aquasec.com/nvd/cve-2022-23990 |
+----------------------+------------------+          +-------------------------+---------------+---------------------------------------+
| libpython3.5         | CVE-2021-4189    |          | 3.5.2-2ubuntu0~16.04.13 |               | python: ftplib should not use         |
|                      |                  |          |                         |               | the host from the PASV response       |
|                      |                  |          |                         |               | -->avd.aquasec.com/nvd/cve-2021-4189  |
+----------------------+                  +          +                         +---------------+                                       +
| libpython3.5-minimal |                  |          |                         |               |                                       |
|                      |                  |          |                         |               |                                       |
|                      |                  |          |                         |               |                                       |
+----------------------+                  +          +                         +---------------+                                       +
| libpython3.5-stdlib  |                  |          |                         |               |                                       |
|                      |                  |          |                         |               |                                       |
|                      |                  |          |                         |               |                                       |
+----------------------+------------------+----------+-------------------------+---------------+---------------------------------------+
| libssl1.0.0          | CVE-2021-3601    | LOW      | 1.0.2g-1ubuntu4.20      |               | openssl: Certificate with CA:FALSE    |
|                      |                  |          |                         |               | is accepted as valid CA cert          |
|                      |                  |          |                         |               | -->avd.aquasec.com/nvd/cve-2021-3601  |
+----------------------+------------------+----------+-------------------------+---------------+---------------------------------------+
| multiarch-support    | CVE-2021-38604   | MEDIUM   | 2.23-0ubuntu11.3        |               | glibc: NULL pointer dereference in    |
|                      |                  |          |                         |               | helper_thread() in mq_notify.c while  |
|                      |                  |          |                         |               | handling NOTIFY_REMOVED messages...   |
|                      |                  |          |                         |               | -->avd.aquasec.com/nvd/cve-2021-38604 |
+                      +------------------+----------+                         +---------------+---------------------------------------+
|                      | CVE-2021-33574   | LOW      |                         |               | glibc: mq_notify does                 |
|                      |                  |          |                         |               | not handle separately                 |
|                      |                  |          |                         |               | allocated thread attributes           |
|                      |                  |          |                         |               | -->avd.aquasec.com/nvd/cve-2021-33574 |
+                      +------------------+          +                         +---------------+---------------------------------------+
|                      | CVE-2021-35942   |          |                         |               | glibc: Arbitrary read in wordexp()    |
|                      |                  |          |                         |               | -->avd.aquasec.com/nvd/cve-2021-35942 |
+----------------------+------------------+          +-------------------------+---------------+---------------------------------------+
| openssl              | CVE-2021-3601    |          | 1.0.2g-1ubuntu4.20      |               | openssl: Certificate with CA:FALSE    |
|                      |                  |          |                         |               | is accepted as valid CA cert          |
|                      |                  |          |                         |               | -->avd.aquasec.com/nvd/cve-2021-3601  |
+----------------------+------------------+----------+-------------------------+---------------+---------------------------------------+

Output of trivy -v:

Version: 0.23.0
Vulnerability DB:
Version: 2
UpdatedAt: 2022-02-01 12:07:10.277680628 +0000 UTC
NextUpdate: 2022-02-01 18:07:10.277680528 +0000 UTC
DownloadedAt: 2022-02-01 13:27:07.358983528 +0000 UTC

Additional details (base image name, container registry info...):

afdesk commented 2 years ago

@skothandan thanks for your report! I took a look at CVE-2021-3518. The CVE affects libxml2, but the image ubuntu:16.04 from Docker Hub doesn't contain this package. Could you tell us how you install packages for your image? Maybe you can show the Dockerfile... Thanks a lot.

nomadicoder commented 2 years ago

Deleted reply to wrong issue -- Apologies

skothandan commented 2 years ago

@afdesk Thanks for the quick response! We are unable to find the Dockerfile now, so we have uploaded the image (built from the Dockerfile) to Docker Hub at the following path: https://hub.docker.com/r/mraja3007/imagescanning. Could you try to narrow down the issue with this image? Kindly highlight if you need any further information.

afdesk commented 2 years ago

@skothandan we took a look at the image mraja3007/imagescanning:

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.7 LTS"
VERSION="16.04.7 LTS (Xenial Xerus)"

and then we took a look at several of the missed vulnerabilities. The CVEs have an ignored status for xenial:

"xenial": {
  "Status": "ignored",
  "Note": "end of standard support, was needs-triage"
}

so Trivy doesn't detect these vulns.
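What the maintainers describe above is a status lookup: the Ubuntu CVE tracker entry for a CVE carries, per source package and per release codename, a Status and a Note, and an entry marked "ignored" with the note "end of standard support" never becomes a finding. The Go program below is an added example, not Trivy's or trivy-db's code. It reads records in the same JSON shape as the snippet quoted above, takes the release codename from an /etc/lsb-release file like the one quoted, and reports which CVE/package pairs would surface for that release. The set of statuses treated as findings (released, needed, deferred), the bionic entry, and the CVE-2021-38604 entry are assumptions made for the example; only the xenial status of CVE-2021-3518 is the one quoted in the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// releaseStatus is the per-release entry quoted in the thread:
// {"Status": "ignored", "Note": "end of standard support, was needs-triage"}.
type releaseStatus struct {
	Status string `json:"Status"`
	Note   string `json:"Note"`
}

// cveRecord mirrors the layout of an Ubuntu tracker record:
// Patches -> source package -> release codename -> status.
type cveRecord struct {
	Candidate string                               `json:"Candidate"`
	Patches   map[string]map[string]releaseStatus `json:"Patches"`
}

// reportedStatuses are the statuses this example turns into findings.
// ASSUMPTION for this example (not copied from trivy-db): entries the
// distribution has fixed, still needs to fix, or has deferred count;
// "ignored", "not-affected", "DNE" and "needs-triage" do not.
var reportedStatuses = map[string]bool{
	"released": true,
	"needed":   true,
	"deferred": true,
}

// verdict says whether one CVE/package pair surfaces for a release and, when
// it does not, whether that is because standard support for the release ended.
type verdict struct {
	CVE      string
	Package  string
	Status   string
	Note     string
	Reported bool
	ESMOnly  bool
}

// classify evaluates every CVE/package pair for the given release codename.
func classify(records []cveRecord, codename string) []verdict {
	var out []verdict
	for _, r := range records {
		for pkg, byRelease := range r.Patches {
			st, ok := byRelease[codename]
			if !ok {
				continue // this release is not tracked for the package
			}
			out = append(out, verdict{
				CVE:      r.Candidate,
				Package:  pkg,
				Status:   st.Status,
				Note:     st.Note,
				Reported: reportedStatuses[st.Status],
				ESMOnly:  st.Status == "ignored" && strings.Contains(st.Note, "end of standard support"),
			})
		}
	}
	// Map iteration order is random; sort for stable output.
	sort.Slice(out, func(i, j int) bool {
		if out[i].CVE != out[j].CVE {
			return out[i].CVE < out[j].CVE
		}
		return out[i].Package < out[j].Package
	})
	return out
}

// codenameFromLSBRelease extracts DISTRIB_CODENAME from /etc/lsb-release text.
func codenameFromLSBRelease(content string) string {
	const key = "DISTRIB_CODENAME="
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, key) {
			return strings.Trim(strings.TrimPrefix(line, key), `"`)
		}
	}
	return ""
}

// sampleJSON holds CONSTRUCTED tracker records. Only the xenial entry of
// CVE-2021-3518 is the status quoted in the issue; the rest is assumed.
const sampleJSON = `[
  {
    "Candidate": "CVE-2021-3518",
    "Patches": {
      "libxml2": {
        "xenial": {"Status": "ignored", "Note": "end of standard support, was needs-triage"},
        "bionic": {"Status": "released", "Note": ""}
      }
    }
  },
  {
    "Candidate": "CVE-2021-38604",
    "Patches": {
      "glibc": {
        "xenial": {"Status": "needed", "Note": ""}
      }
    }
  }
]`

// sampleLSBRelease is the /etc/lsb-release content quoted in the thread.
const sampleLSBRelease = `DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.7 LTS"
`

func sampleRecords() ([]cveRecord, error) {
	var recs []cveRecord
	err := json.Unmarshal([]byte(sampleJSON), &recs)
	return recs, err
}

func main() {
	recs, err := sampleRecords()
	if err != nil {
		panic(err)
	}
	codename := codenameFromLSBRelease(sampleLSBRelease)
	for _, v := range classify(recs, codename) {
		switch {
		case v.Reported:
			fmt.Printf("%s %-8s %-9s -> reported\n", v.CVE, v.Package, v.Status)
		case v.ESMOnly:
			fmt.Printf("%s %-8s %-9s -> not reported (ESM only: %s)\n", v.CVE, v.Package, v.Status, v.Note)
		default:
			fmt.Printf("%s %-8s %-9s -> not reported\n", v.CVE, v.Package, v.Status)
		}
	}
}
```

For the xenial image this marks CVE-2021-3518 as not reported with the end-of-standard-support note, which is the answer the maintainers gave; the same records evaluated for bionic would report it. The practical check before calling something a Trivy miss on an end-of-life release is therefore the tracker status of that CVE for your codename, not the installed package version.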

afdesk commented 2 years ago

@skothandan Also, you can see all packages in JSON format:

$ trivy image --format json --output result.json --list-all-pkgs mraja3007/imagescanning:1.7.0

thanks for your report and help!
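Once the JSON report exists, the triage the maintainers did by hand (is the affected package even in the image, and did Trivy report the CVE?) can be scripted against another scanner's list. The Go program below is an added example, not Trivy's code. It reads the fields of Trivy's JSON report (SchemaVersion 2, with --list-all-pkgs populating Packages), and for each expected CVE reports whether Trivy found it and, if not, whether anything built from the affected source package is installed. The sample report is constructed for the example: the libc6 and libssl1.0.0 entries follow the table in the issue, isc-dhcp-client is an assumed package, and the CVE-to-source-package mapping is an assumption supplied by the person doing the triage.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// trivyReport is a minimal view of a Trivy JSON report (SchemaVersion 2)
// produced with --format json --list-all-pkgs; only the fields used here.
type trivyReport struct {
	SchemaVersion int    `json:"SchemaVersion"`
	ArtifactName  string `json:"ArtifactName"`
	Results       []struct {
		Target   string `json:"Target"`
		Class    string `json:"Class"`
		Type     string `json:"Type"`
		Packages []struct {
			Name    string `json:"Name"`
			Version string `json:"Version"`
			SrcName string `json:"SrcName"`
		} `json:"Packages"`
		Vulnerabilities []struct {
			VulnerabilityID  string `json:"VulnerabilityID"`
			PkgName          string `json:"PkgName"`
			InstalledVersion string `json:"InstalledVersion"`
			FixedVersion     string `json:"FixedVersion"`
			Severity         string `json:"Severity"`
		} `json:"Vulnerabilities"`
	} `json:"Results"`
}

func parseReport(data []byte) (trivyReport, error) {
	var r trivyReport
	err := json.Unmarshal(data, &r)
	return r, err
}

// expectation is a CVE another scanner reported, paired with the Ubuntu source
// package it concerns. The pairing is supplied by whoever does the triage.
type expectation struct{ CVE, SrcPackage string }

// gap is an expected CVE that Trivy did not report.
type gap struct {
	CVE               string
	SrcPackage        string
	PackageInstalled  bool     // false: nothing from that source package is in the image
	InstalledBinaries []string // binary packages present, when PackageInstalled
}

// triage splits the expected CVEs into those Trivy reported and those it did
// not, annotating each miss with whether the affected package is installed.
// A miss on an installed package is the case to check against the Ubuntu
// tracker status for the release (for example "ignored" after end of support).
func triage(r trivyReport, expected []expectation) (reported []string, gaps []gap) {
	seen := map[string]bool{}
	bySrc := map[string][]string{}
	for _, res := range r.Results {
		if res.Class != "os-pkgs" {
			continue // language packages are out of scope here
		}
		for _, p := range res.Packages {
			src := p.SrcName
			if src == "" {
				src = p.Name
			}
			bySrc[src] = append(bySrc[src], p.Name)
		}
		for _, v := range res.Vulnerabilities {
			seen[v.VulnerabilityID] = true
		}
	}
	for _, e := range expected {
		if seen[e.CVE] {
			reported = append(reported, e.CVE)
			continue
		}
		bins := append([]string(nil), bySrc[e.SrcPackage]...)
		sort.Strings(bins)
		gaps = append(gaps, gap{
			CVE:               e.CVE,
			SrcPackage:        e.SrcPackage,
			PackageInstalled:  len(bins) > 0,
			InstalledBinaries: bins,
		})
	}
	return reported, gaps
}

// sampleReport is a CONSTRUCTED report in Trivy's JSON layout. The libc6 and
// libssl1.0.0 entries follow the table in the issue; isc-dhcp-client is an
// assumed package added to show a miss on an installed package.
const sampleReport = `{
  "SchemaVersion": 2,
  "ArtifactName": "mraja3007/imagescanning:1.7.0",
  "Results": [
    {
      "Target": "mraja3007/imagescanning:1.7.0 (ubuntu 16.04)",
      "Class": "os-pkgs",
      "Type": "ubuntu",
      "Packages": [
        {"Name": "libc6", "Version": "2.23-0ubuntu11.3", "SrcName": "glibc"},
        {"Name": "libssl1.0.0", "Version": "1.0.2g-1ubuntu4.20", "SrcName": "openssl"},
        {"Name": "isc-dhcp-client", "Version": "0.0-assumed", "SrcName": "isc-dhcp"}
      ],
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-38604", "PkgName": "libc6", "InstalledVersion": "2.23-0ubuntu11.3", "FixedVersion": "", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-2021-3601", "PkgName": "libssl1.0.0", "InstalledVersion": "1.0.2g-1ubuntu4.20", "FixedVersion": "", "Severity": "LOW"}
      ]
    }
  ]
}`

// sampleExpected mixes one CVE Trivy reported with two from the Tenable list
// in the issue. The source-package mapping is an ASSUMPTION for the example
// (libxml2 for CVE-2021-3518 is the package the maintainers named).
var sampleExpected = []expectation{
	{"CVE-2021-38604", "glibc"},
	{"CVE-2021-3518", "libxml2"},
	{"CVE-2021-25217", "isc-dhcp"},
}

func main() {
	r, err := parseReport([]byte(sampleReport))
	if err != nil {
		panic(err)
	}
	reported, gaps := triage(r, sampleExpected)
	fmt.Printf("%s: %d of %d expected CVEs reported by Trivy\n", r.ArtifactName, len(reported), len(sampleExpected))
	for _, g := range gaps {
		if g.PackageInstalled {
			fmt.Printf("MISSING %s: %s installed as %v, check the tracker status for this release\n", g.CVE, g.SrcPackage, g.InstalledBinaries)
		} else {
			fmt.Printf("N/A     %s: source package %s is not in the image\n", g.CVE, g.SrcPackage)
		}
	}
}
```

Run against a real result.json by replacing sampleReport with the file contents. A miss whose package is absent is a false positive on the other scanner's side; a miss whose package is installed is where the release's tracker status (and whether ESM data is in play) decides who is right.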

github-actions[bot] commented 2 years ago

This issue is stale because it has been labeled with inactivity.