search

aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0
23.68k stars 2.33k forks source link

False Positives being reported from Trivy 0.24.2 - oraclelinux:8 image #1967

Open istaveren opened 2 years ago

istaveren commented 2 years ago

Description

When you scan an oraclelinux:8 image

What did you expect to happen?

There should not be any issue

It thinks I need 10:1.8.5-6.el8_fips -> https://linux.oracle.com/errata/ELSA-2022-9263.html Where https://github.com/aquasecurity/vuln-list/blob/main/oval/oracle/2021/ELSA-2021-4409.json looks ok.

Related to #issue 736

What happened instead?

I got vulnerabilities

$ trivy i oraclelinux:8
2022-04-08T14:47:57.903Z    INFO    Detected OS: oracle
2022-04-08T14:47:57.903Z    INFO    Detecting Oracle Linux vulnerabilities...
2022-04-08T14:47:57.910Z    INFO    Number of language-specific files: 0

oraclelinux:8 (oracle 8.5)
==========================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

+-----------+------------------+----------+-------------------+--------------------------+---------------------------------------+
|  LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |      FIXED VERSION       |                 TITLE                 |
+-----------+------------------+----------+-------------------+--------------------------+---------------------------------------+
| gnutls    | CVE-2021-20231   | MEDIUM   | 3.6.16-4.el8      | 10:3.6.16-4.0.1.el8_fips | gnutls: Use after free in             |
|           |                  |          |                   |                          | client key_share extension            |
|           |                  |          |                   |                          | -->avd.aquasec.com/nvd/cve-2021-20231 |
+           +------------------+          +                   +                          +---------------------------------------+
|           | CVE-2021-20232   |          |                   |                          | gnutls: Use after free                |
|           |                  |          |                   |                          | in client_send_params in              |
|           |                  |          |                   |                          | lib/ext/pre_shared_key.c              |
|           |                  |          |                   |                          | -->avd.aquasec.com/nvd/cve-2021-20232 |
+           +------------------+          +                   +                          +---------------------------------------+
|           | CVE-2021-3580    |          |                   |                          | nettle: Remote crash                  |
|           |                  |          |                   |                          | in RSA decryption via                 |
|           |                  |          |                   |                          | manipulated ciphertext                |
|           |                  |          |                   |                          | -->avd.aquasec.com/nvd/cve-2021-3580  |
+-----------+------------------+          +-------------------+--------------------------+---------------------------------------+
| libgcrypt | CVE-2021-33560   |          | 1.8.5-6.el8       | 10:1.8.5-6.el8_fips      | libgcrypt: mishandles ElGamal         |
|           |                  |          |                   |                          | encryption because it lacks           |
|           |                  |          |                   |                          | exponent blinding to address a...     |
|           |                  |          |                   |                          | -->avd.aquasec.com/nvd/cve-2021-33560 |
+-----------+------------------+----------+-------------------+--------------------------+---------------------------------------+

Output of run with -debug:

$ trivy --debug i oraclelinux:8        
2022-04-08T14:48:41.466Z    DEBUG   Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-04-08T14:48:41.468Z    DEBUG   cache dir:  /home/scanner/.cache/trivy
2022-04-08T14:48:41.468Z    DEBUG   DB update was skipped because the local DB is the latest
2022-04-08T14:48:41.469Z    DEBUG   DB Schema: 2, UpdatedAt: 2022-04-08 12:06:46.349271271 +0000 UTC, NextUpdate: 2022-04-08 18:06:46.349271071 +0000 UTC, DownloadedAt: 2022-04-08 13:50:49.650469224 +0000 UTC
2022-04-08T14:48:41.469Z    DEBUG   Vulnerability type:  [os library]
2022-04-08T14:48:44.980Z    DEBUG   Image ID: sha256:e6ca9618a97becacf7688f253c089da43cd8b041f9084b850746567b5553148e
2022-04-08T14:48:44.980Z    DEBUG   Diff IDs: [sha256:ca93c0cdf7fc9a33979ba26402ef52dafa075236d2c69adacf11e935bdcd2fa5]
2022-04-08T14:48:44.985Z    INFO    Detected OS: oracle
2022-04-08T14:48:44.986Z    INFO    Detecting Oracle Linux vulnerabilities...
2022-04-08T14:48:44.986Z    DEBUG   Oracle Linux: os version: 8
2022-04-08T14:48:44.986Z    DEBUG   Oracle Linux: the number of packages: 182
2022-04-08T14:48:44.991Z    INFO    Number of language-specific files: 0

oraclelinux:8 (oracle 8.5)
==========================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

+-----------+------------------+----------+-------------------+--------------------------+---------------------------------------+
|  LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |      FIXED VERSION       |                 TITLE                 |
+-----------+------------------+----------+-------------------+--------------------------+---------------------------------------+
| gnutls    | CVE-2021-20231   | MEDIUM   | 3.6.16-4.el8      | 10:3.6.16-4.0.1.el8_fips | gnutls: Use after free in             |
|           |                  |          |                   |                          | client key_share extension            |
|           |                  |          |                   |                          | -->avd.aquasec.com/nvd/cve-2021-20231 |
+           +------------------+          +                   +                          +---------------------------------------+
|           | CVE-2021-20232   |          |                   |                          | gnutls: Use after free                |
|           |                  |          |                   |                          | in client_send_params in              |
|           |                  |          |                   |                          | lib/ext/pre_shared_key.c              |
|           |                  |          |                   |                          | -->avd.aquasec.com/nvd/cve-2021-20232 |
+           +------------------+          +                   +                          +---------------------------------------+
|           | CVE-2021-3580    |          |                   |                          | nettle: Remote crash                  |
|           |                  |          |                   |                          | in RSA decryption via                 |
|           |                  |          |                   |                          | manipulated ciphertext                |
|           |                  |          |                   |                          | -->avd.aquasec.com/nvd/cve-2021-3580  |
+-----------+------------------+          +-------------------+--------------------------+---------------------------------------+
| libgcrypt | CVE-2021-33560   |          | 1.8.5-6.el8       | 10:1.8.5-6.el8_fips      | libgcrypt: mishandles ElGamal         |
|           |                  |          |                   |                          | encryption because it lacks           |
|           |                  |          |                   |                          | exponent blinding to address a...     |
|           |                  |          |                   |                          | -->avd.aquasec.com/nvd/cve-2021-33560 |
+-----------+------------------+----------+-------------------+--------------------------+---------------------------------------+

Output of trivy -v:

$ trivy -v i oraclelinux:8 
Version: 0.24.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-04-08 12:06:46.349271271 +0000 UTC
  NextUpdate: 2022-04-08 18:06:46.349271071 +0000 UTC
  DownloadedAt: 2022-04-08 13:50:49.650469224 +0000 UTC

Additional details (base image name, container registry info...):

tvierling commented 2 years ago

(Disclaimer: I'm in the Oracle Linux support/development group.)

Basically this is similar to issue #736.

Oracle Linux ships with up to three flavors of system packages for different purposes:

The user determines which flavor is installed based on their system requirements, but Oracle issues advisories (ELSAs) and related OpenSCAP (OVAL) data for all three flavors. So scanning all available ELSAs will result in false positives if the ELSA is for a different flavor than the one installed.

Basically, scans should do a heuristic to determine whether to apply an ELSA to the system, with the following logic:

  1. If the ELSA package version string contains _fips, only scan against this ELSA if the installed package(s) include _fips in the version string.
  2. If the ELSA package version string contains .ksplice, only scan against this ELSA if the installed package(s) include .ksplice in the version string.
  3. Otherwise, scan as normal.

Note that these apply to the version string component of the package and not the package name, but inclusion of the leading _ and . in cases 1 and 2 respectively should ensure that this is done correctly.

This logic should be applied to both OL7 and OL8. Whether this should be a rule added to each ELSA scan or at some higher level I don't know, that depends on how Trivy is structured.

If this needs to be at a per-DB-entry level, you can limit the special-case logic to only the packages covered by that special case:

tvierling commented 2 years ago

FWIW please feel free to email me at my work email address (todd.vierling@oracle.com) if any clarification is needed on the above, we're happy to help Trivy developers on any Oracle Linux related issue.

github-actions[bot] commented 2 years ago

This issue is stale because it has been labeled with inactivity.

bpfoster commented 2 years ago

Unstale

sys-ops commented 2 years ago

istaveren, my temporary workaround for this issue is:

FROM oraclelinux:8

RUN set -ex && \
    microdnf update && \
    microdnf install dnf && \
    dnf -y install https://yum.oracle.com/repo/OracleLinux/OL8/4/security/validation/x86_64/getPackage/gnutls-3.6.16-4.0.1.el8_fips.x86_64.rpm && \
    dnf -y install https://yum.oracle.com/repo/OracleLinux/OL8/4/security/validation/x86_64/getPackage/libgcrypt-1.8.5-7.el8_6_fips.x86_64.rpm && \
    microdnf clean all && \
    rm -rf /tmp/* /var/cache/dnf/* /var/cache/yum/* /var/lib/dnf/* /var/lib/rpm/*
github-actions[bot] commented 2 years ago

This issue is stale because it has been labeled with inactivity.

bpfoster commented 2 years ago

Unstale

github-actions[bot] commented 1 year ago

This issue is stale because it has been labeled with inactivity.

amardeep2006 commented 1 year ago

istaveren, my temporary workaround for this issue is:

FROM oraclelinux:8

RUN set -ex && \
    microdnf update && \
    microdnf install dnf && \
    dnf -y install https://yum.oracle.com/repo/OracleLinux/OL8/4/security/validation/x86_64/getPackage/gnutls-3.6.16-4.0.1.el8_fips.x86_64.rpm && \
    dnf -y install https://yum.oracle.com/repo/OracleLinux/OL8/4/security/validation/x86_64/getPackage/libgcrypt-1.8.5-7.el8_6_fips.x86_64.rpm && \
    microdnf clean all && \
    rm -rf /tmp/* /var/cache/dnf/* /var/cache/yum/* /var/lib/dnf/* /var/lib/rpm/*

Thanks , this was helpful. It was easy to apply patch than convincing security guys that it is false positive .

SaptarshiSarkar12 commented 2 months ago

In my Open-Source project Drifty, two docker images are published namely drifty-cli and drifty-gui with their base runtime images being [oraclelinux:9-slim](). I use Trivy to check for vulnerabilities and recently, I started using Copa and it could fix only some vulnerable packages except the FIPS ones. Currently, Trivy reports gnutls and nss packages to be vulnerable in oraclelinux:9-slim docker image but docker scout did not report such vulnerability. Is the report false positive? Please let me know. Some reference CVE links provided by Trivy:

SaptarshiSarkar12 commented 2 months ago

@knqyf263 May I know the progress of this issue? This terrible bug is causing problem to manually mark them false positive.