aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

Mariner distroless 2.0 detecting false positives for telegraf #4542

Closed jatakiajanvi12 closed 1 year ago

jatakiajanvi12 commented 1 year ago

Discussed in https://github.com/aquasecurity/trivy/discussions/4412

Originally posted by **jatakiajanvi12** May 16, 2023

### IDs

CVE-2023-28840, CVE-2023-27561, CVE-2023-28642

### Description

With Mariner base:

Dockerfile:

```Dockerfile
FROM mcr.microsoft.com/cbl-mariner/base/core:2.0
RUN tdnf install -y telegraf
```

Trivy run:

```
[ /tmp/telegraf ]$ sudo trivy image --ignore-unfixed telegrafjanvi:latest
2023-05-10T13:50:03.144-0400 INFO Vulnerability scanning is enabled
2023-05-10T13:50:03.144-0400 INFO Secret scanning is enabled
2023-05-10T13:50:03.144-0400 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-10T13:50:03.144-0400 INFO Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
2023-05-10T13:50:07.957-0400 INFO Detected OS: cbl-mariner
2023-05-10T13:50:07.957-0400 INFO Detecting CBL-Mariner vulnerabilities...
2023-05-10T13:50:07.979-0400 INFO Number of language-specific files: 0

telegrafjanvi:latest (cbl-mariner 2.0.20230426)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```

With Mariner distroless:

Dockerfile:

```Dockerfile
FROM mcr.microsoft.com/cbl-mariner/base/core:2.0 as builder
RUN tdnf install -y telegraf

FROM mcr.microsoft.com/cbl-mariner/distroless/base:2.0 AS distroless_image
COPY --from=builder /usr/bin/telegraf /usr/bin/telegraf
```

Trivy run:

```
trivy image --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --exit-code 1 test:new1
2023-05-10T15:05:37.587-0700 WARN No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.
2023-05-10T15:05:37.587-0700 WARN e.g. files under "/lib/apk/db/", "/var/lib/dpkg/" and "/var/lib/rpm"
2023-05-10T15:05:37.587-0700 INFO Detected OS: cbl-mariner
2023-05-10T15:05:37.587-0700 INFO Detecting CBL-Mariner vulnerabilities...
2023-05-10T15:05:37.587-0700 INFO Number of language-specific files: 1
2023-05-10T15:05:37.587-0700 INFO Detecting gobinary vulnerabilities...

test:new1 (cbl-mariner 2.0.20230426)

Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)

usr/bin/telegraf (gobinary)

Total: 7 (MEDIUM: 4, HIGH: 3, CRITICAL: 0)

┌──────────────────────────────────┬────────────────┬──────────┬──────────────────────────────────────┬──────────────────┬──────────────────────────────────────────────────────────────┐
│ Library                          │ Vulnerability  │ Severity │ Installed Version                    │ Fixed Version    │ Title                                                        │
├──────────────────────────────────┼────────────────┼──────────┼──────────────────────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/docker/docker         │ CVE-2023-28840 │ HIGH     │ v23.0.0+incompatible                 │ 20.10.24, 23.0.3 │ Encrypted overlay network may be unauthenticated             │
│                                  │                │          │                                      │                  │ https://avd.aquasec.com/nvd/cve-2023-28840                   │
│                                  ├────────────────┼──────────┤                                      │                  ├──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-28841 │ MEDIUM   │                                      │                  │ Encrypted overlay network traffic may be unencrypted         │
│                                  │                │          │                                      │                  │ https://avd.aquasec.com/nvd/cve-2023-28841                   │
├──────────────────────────────────┼────────────────┼──────────┼──────────────────────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/docker/docker         │ CVE-2023-28842 │ MEDIUM   │ v23.0.0+incompatible                 │ 20.10.24, 23.0.3 │ Encrypted overlay network with a single endpoint is          │
│                                  │                │          │                                      │                  │ unauthenticated                                              │
│                                  │                │          │                                      │                  │ https://avd.aquasec.com/nvd/cve-2023-28842                   │
├──────────────────────────────────┼────────────────┼──────────┼──────────────────────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc   │ CVE-2023-27561 │ HIGH     │ v1.1.4                               │ v1.1.5           │ runc: volume mount race condition (regression of             │
│                                  │                │          │                                      │                  │ CVE-2019-19921)                                              │
│                                  │                │          │                                      │                  │ https://avd.aquasec.com/nvd/cve-2023-27561                   │
│                                  ├────────────────┤          │                                      │                  ├──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-28642 │          │                                      │                  │ AppArmor can be bypassed when `/proc` inside the container   │
│                                  │                │          │                                      │                  │ is symlinked with...                                         │
│                                  │                │          │                                      │                  │ https://avd.aquasec.com/nvd/cve-2023-28642                   │
├──────────────────────────────────┼────────────────┼──────────┼──────────────────────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc   │ CVE-2023-25809 │ MEDIUM   │ v1.1.4                               │ v1.1.5           │ Rootless runc makes `/sys/fs/cgroup` writable                │
│                                  │                │          │                                      │                  │ https://avd.aquasec.com/nvd/cve-2023-25809                   │
├──────────────────────────────────┼────────────────┼──────────┼──────────────────────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/prometheus/prometheus │ CVE-2019-3826  │ MEDIUM   │ v1.8.2-0.20210430082741-2a4b8e12bbf2 │ v2.7.1           │ prometheus: Stored DOM cross-site scripting (XSS) attack via │
│                                  │                │          │                                      │                  │ crafted URL                                                  │
│                                  │                │          │                                      │                  │ https://avd.aquasec.com/nvd/cve-2019-3826                    │
└──────────────────────────────────┴────────────────┴──────────┴──────────────────────────────────────┴──────────────────┴──────────────────────────────────────────────────────────────┘
```

Mariner doesn't use these packages while building, but Trivy is showing these vulnerabilities.

### Reproduction Steps

```bash
1. Dockerfile:
FROM mcr.microsoft.com/cbl-mariner/base/core:2.0 as builder
RUN tdnf install -y telegraf

FROM mcr.microsoft.com/cbl-mariner/distroless/base:2.0 AS distroless_image
COPY --from=builder /usr/bin/telegraf /usr/bin/telegraf

2. trivy image --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --exit-code 1 test:new1
```

### Target

Container Image

### Scanner

Vulnerability

### Target OS

Mariner 2.0 distroless

### Debug Output

```bash
trivy image --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --exit-code 1 test:new1
2023-05-10T15:05:37.587-0700 WARN No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.
2023-05-10T15:05:37.587-0700 WARN e.g. files under "/lib/apk/db/", "/var/lib/dpkg/" and "/var/lib/rpm"
2023-05-10T15:05:37.587-0700 INFO Detected OS: cbl-mariner
2023-05-10T15:05:37.587-0700 INFO Detecting CBL-Mariner vulnerabilities...
2023-05-10T15:05:37.587-0700 INFO Number of language-specific files: 1
2023-05-10T15:05:37.587-0700 INFO Detecting gobinary vulnerabilities...

test:new1 (cbl-mariner 2.0.20230426)

Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)

usr/bin/telegraf (gobinary)

Total: 7 (MEDIUM: 4, HIGH: 3, CRITICAL: 0)

┌──────────────────────────────────┬────────────────┬──────────┬──────────────────────────────────────┬──────────────────┬──────────────────────────────────────────────────────────────┐
│ Library                          │ Vulnerability  │ Severity │ Installed Version                    │ Fixed Version    │ Title                                                        │
├──────────────────────────────────┼────────────────┼──────────┼──────────────────────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/docker/docker         │ CVE-2023-28840 │ HIGH     │ v23.0.0+incompatible                 │ 20.10.24, 23.0.3 │ Encrypted overlay network may be unauthenticated             │
│                                  │                │          │                                      │                  │ https://avd.aquasec.com/nvd/cve-2023-28840                   │
│                                  ├────────────────┼──────────┤                                      │                  ├──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-28841 │ MEDIUM   │                                      │                  │ Encrypted overlay network traffic may be unencrypted         │
│                                  │                │          │                                      │                  │ https://avd.aquasec.com/nvd/cve-2023-28841                   │
├──────────────────────────────────┼────────────────┼──────────┼──────────────────────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/docker/docker         │ CVE-2023-28842 │ MEDIUM   │ v23.0.0+incompatible                 │ 20.10.24, 23.0.3 │ Encrypted overlay network with a single endpoint is          │
│                                  │                │          │                                      │                  │ unauthenticated                                              │
│                                  │                │          │                                      │                  │ https://avd.aquasec.com/nvd/cve-2023-28842                   │
├──────────────────────────────────┼────────────────┼──────────┼──────────────────────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc   │ CVE-2023-27561 │ HIGH     │ v1.1.4                               │ v1.1.5           │ runc: volume mount race condition (regression of             │
│                                  │                │          │                                      │                  │ CVE-2019-19921)                                              │
│                                  │                │          │                                      │                  │ https://avd.aquasec.com/nvd/cve-2023-27561                   │
│                                  ├────────────────┤          │                                      │                  ├──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2023-28642 │          │                                      │                  │ AppArmor can be bypassed when `/proc` inside the container   │
│                                  │                │          │                                      │                  │ is symlinked with...                                         │
│                                  │                │          │                                      │                  │ https://avd.aquasec.com/nvd/cve-2023-28642                   │
├──────────────────────────────────┼────────────────┼──────────┼──────────────────────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc   │ CVE-2023-25809 │ MEDIUM   │ v1.1.4                               │ v1.1.5           │ Rootless runc makes `/sys/fs/cgroup` writable                │
│                                  │                │          │                                      │                  │ https://avd.aquasec.com/nvd/cve-2023-25809                   │
├──────────────────────────────────┼────────────────┼──────────┼──────────────────────────────────────┼──────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/prometheus/prometheus │ CVE-2019-3826  │ MEDIUM   │ v1.8.2-0.20210430082741-2a4b8e12bbf2 │ v2.7.1           │ prometheus: Stored DOM cross-site scripting (XSS) attack via │
│                                  │                │          │                                      │                  │ crafted URL                                                  │
│                                  │                │          │                                      │                  │ https://avd.aquasec.com/nvd/cve-2019-3826                    │
└──────────────────────────────────┴────────────────┴──────────┴──────────────────────────────────────┴──────────────────┴──────────────────────────────────────────────────────────────┘
```

### Version

```bash
trivy --version
Version: 0.28.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-05-16 06:07:09.707535784 +0000 UTC
  NextUpdate: 2023-05-16 12:07:09.707535384 +0000 UTC
  DownloadedAt: 2023-05-16 10:40:20.2825066 +0000 UTC
```

### Checklist

- [X] Read [the documentation regarding wrong detection](https://aquasecurity.github.io/trivy/dev/community/contribute/discussion/#false-detection)
- [ ] Ran Trivy with `-f json` that shows data sources and confirmed that the security advisory in data sources was correct
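Editor's note with an added example (not Trivy's, telegraf's or the reporter's code). The second scan above finds nothing in the OS package database but seven findings under `usr/bin/telegraf (gobinary)`: the Go toolchain embeds the full module list into every binary it links (the data `go version -m /usr/bin/telegraf` prints), and the gobinary scanner matches that list, not what `tdnf` installed. A module such as `github.com/opencontainers/runc` is therefore reported because telegraf was built against it, whether or not Mariner ever packaged it, and copying the binary into a distroless image changes nothing about its contents. The program below reads that embedded list with the standard library's `debug/buildinfo` and matches it against a constructed advisory table built from the values in the table above (one fixed version per entry; a real database carries several branches). The path `/usr/bin/telegraf` and the advisory records are assumptions for illustration.

```go
// Added example: read the module list embedded in a Go binary and compare it
// against a small, constructed advisory table. Not part of Trivy or telegraf.
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Module is one dependency recorded in a binary's build info.
type Module struct{ Path, Version string }

// Advisory is a constructed record: a module and the first fixed version.
type Advisory struct{ ID, Module, Fixed string }

// Finding pairs an advisory with the version actually linked into the binary.
type Finding struct{ ID, Module, Installed, Fixed string }

// SampleAdvisories is constructed from the issue's Trivy table; it is not a
// vulnerability database and carries only one fixed version per entry.
var SampleAdvisories = []Advisory{
	{"CVE-2023-28840", "github.com/docker/docker", "23.0.3"},
	{"CVE-2023-27561", "github.com/opencontainers/runc", "v1.1.5"},
	{"CVE-2019-3826", "github.com/prometheus/prometheus", "v2.7.1"},
}

// ReadGoModules returns the Go version and dependency modules embedded in the
// binary at path, the same data "go version -m <binary>" prints. It works on
// any Go binary, including one copied alone into a distroless image.
func ReadGoModules(path string) (goVersion string, mods []Module, err error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", nil, err
	}
	for _, d := range info.Deps {
		m := d
		if m.Replace != nil { // with a replace directive, the replacement is what was linked
			m = m.Replace
		}
		mods = append(mods, Module{m.Path, m.Version})
	}
	return info.GoVersion, mods, nil
}

// parseVersion splits "v1.1.4", "v23.0.0+incompatible" or the pseudo-version
// "v1.8.2-0.20210430082741-2a4b8e12bbf2" into numeric parts plus a pre-release
// flag (a pseudo-version for an untagged commit sorts before that release).
func parseVersion(v string) (nums [3]int, pre bool, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 { // drop build metadata
		v = v[:i]
	}
	if i := strings.IndexByte(v, '-'); i >= 0 { // pre-release / pseudo-version suffix
		v, pre = v[:i], true
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, false, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nums, false, false
		}
		nums[i] = n
	}
	return nums, pre, true
}

// VersionLess reports whether a sorts before b. Unparsable versions are never
// "less", so a scanner built this way fails closed on odd version strings
// rather than inventing a finding.
func VersionLess(a, b string) bool {
	an, apre, aok := parseVersion(a)
	bn, bpre, bok := parseVersion(b)
	if !aok || !bok {
		return false
	}
	for i := 0; i < 3; i++ {
		if an[i] != bn[i] {
			return an[i] < bn[i]
		}
	}
	return apre && !bpre
}

// MatchAdvisories returns every advisory whose module is linked into the
// binary at a version older than the fix. Presence in the module list, not in
// the OS package database, is what decides.
func MatchAdvisories(mods []Module, advs []Advisory) []Finding {
	var out []Finding
	for _, m := range mods {
		for _, a := range advs {
			if a.Module == m.Path && VersionLess(m.Version, a.Fixed) {
				out = append(out, Finding{a.ID, a.Module, m.Version, a.Fixed})
			}
		}
	}
	return out
}

func main() {
	path := "/usr/bin/telegraf" // assumed location, as in the issue's Dockerfile
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	goVersion, mods, err := ReadGoModules(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, "no Go build info in", path+":", err)
		os.Exit(1)
	}
	fmt.Printf("%s: built with %s, %d modules linked\n", path, goVersion, len(mods))
	for _, f := range MatchAdvisories(mods, SampleAdvisories) {
		fmt.Printf("%-15s %-34s installed %s, fixed in %s\n", f.ID, f.Module, f.Installed, f.Fixed)
	}
}
```

Run it as `go run . /path/to/telegraf` inside the builder stage (the distroless image has no Go toolchain). Whether a linked module is actually reachable on a vulnerable code path is a separate question that the embedded list cannot answer; that is the judgement the issue template's `-f json` data-source check is asking the reporter to make before calling a finding false.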
knqyf263 commented 1 year ago

Please don't open an issue. Maintainers do that.