aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

Go dependencies semver handling failures result in mislabelling CVEs inside compiled images #985

Closed karlmutch closed 3 years ago

karlmutch commented 3 years ago

Description

trivy gets misled by its handling of unrecognized semver strings.

minio (github.com/minio) have used a variety of versioning strategies, and the latest confuses the semver detection, which leads trivy to believe much older versions of the software are present than actually are.

What did you expect to happen?

I expected that proprietary semver formats would revert to using git hashes when they cannot be processed.

What happened instead?

The version handling resulted in selection of a version that appears to be arbitrary.

Output of run with -debug:

trivy --debug --severity HIGH --exit-code -1 leafai/studio-go-runner:$SEMVER
2021-05-07T17:05:18.156-0700    DEBUG   Severities: HIGH
2021-05-07T17:05:18.157-0700    DEBUG   cache dir:  /home/kmutch/.cache/trivy
2021-05-07T17:05:18.157-0700    INFO    Using your github token
2021-05-07T17:05:18.158-0700    DEBUG   DB update was skipped because DB is the latest
2021-05-07T17:05:18.158-0700    DEBUG   DB Schema: 1, Type: 1, UpdatedAt: 2021-05-07 12:21:58.448021916 +0000 UTC, NextUpdate: 2021-05-08 00:21:58.448021616 +0000 UTC, DownloadedAt: 0001-01-01 00:00:00 +0000 UTC
2021-05-07T17:05:18.158-0700    DEBUG   Vulnerability type:  [os library]
2021-05-07T17:05:18.168-0700    DEBUG   Artifact ID: sha256:007edf71677b4ebbd15d6ff17603cc5130a4c1d24a39e81868712afe0522174a
2021-05-07T17:05:18.189-0700    INFO    Detecting Ubuntu vulnerabilities...
2021-05-07T17:05:18.189-0700    DEBUG   ubuntu: os version: 18.04
2021-05-07T17:05:18.189-0700    DEBUG   ubuntu: the number of packages: 294
2021-05-07T17:05:18.201-0700    INFO    Detecting gobinary vulnerabilities...
2021-05-07T17:05:18.201-0700    DEBUG   Detecting library vulnerabilities, type: gobinary, path: runner/runner-linux-amd64
2021-05-07T17:05:18.202-0700    WARN    constraint error (v0.0.0-20210507214158-ab7d5ee3d98e): improper constraint: <RELEASE.2020-04-23T00-58-49Z
2021-05-07T17:05:18.202-0700    DEBUG   Detecting library vulnerabilities, type: gobinary, path: runner/runner-linux-amd64-cpu
2021-05-07T17:05:18.202-0700    WARN    constraint error (v0.0.0-20210507214158-ab7d5ee3d98e): improper constraint: <RELEASE.2020-04-23T00-58-49Z

leafai/studio-go-runner:0.14.0-main-aaaagqxwidj (ubuntu 18.04)
==============================================================
Total: 0 (HIGH: 0)

runner/runner-linux-amd64
=========================
Total: 1 (HIGH: 1)

+------------------------+------------------+----------+------------------------------------+---------------+-----------------------------------------+
|        LIBRARY         | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          | FIXED VERSION |                  TITLE                  |
+------------------------+------------------+----------+------------------------------------+---------------+-----------------------------------------+
| github.com/minio/minio | CVE-2018-1000538 | HIGH     | v0.0.0-20210507214158-ab7d5ee3d98e | v2018.05.16   | Allocation of File Descriptors or       |
|                        |                  |          |                                    |               | Handles Without Limits or Throttling    |
|                        |                  |          |                                    |               | -->avd.aquasec.com/nvd/cve-2018-1000538 |
+------------------------+------------------+----------+------------------------------------+---------------+-----------------------------------------+

runner/runner-linux-amd64-cpu
=============================
Total: 1 (HIGH: 1)

+------------------------+------------------+----------+------------------------------------+---------------+-----------------------------------------+
|        LIBRARY         | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          | FIXED VERSION |                  TITLE                  |
+------------------------+------------------+----------+------------------------------------+---------------+-----------------------------------------+
| github.com/minio/minio | CVE-2018-1000538 | HIGH     | v0.0.0-20210507214158-ab7d5ee3d98e | v2018.05.16   | Allocation of File Descriptors or       |
|                        |                  |          |                                    |               | Handles Without Limits or Throttling    |
|                        |                  |          |                                    |               | -->avd.aquasec.com/nvd/cve-2018-1000538 |
+------------------------+------------------+----------+------------------------------------+---------------+-----------------------------------------+

Output of trivy -v:

Version: 0.17.2
Vulnerability DB:
  Type: Light
  Version: 1
  UpdatedAt: 2021-05-07 12:21:58.448021916 +0000 UTC
  NextUpdate: 2021-05-08 00:21:58.448021616 +0000 UTC
  DownloadedAt: 0001-01-01 00:00:00 +0000 UTC

## Additional details (base image name, container registry info...):

### go.mod

module github.com/leaf-ai/studio-go-runner

go 1.16

require (
	github.com/Masterminds/goutils v1.1.1 // indirect
	github.com/Masterminds/semver v1.5.0 // indirect
	github.com/Masterminds/sprig v2.22.0+incompatible // indirect
	github.com/StackExchange/wmi v0.0.0-20210224194228-fe8f1750fd46 // indirect
	github.com/awnumar/memguard v0.22.2
	github.com/aws/aws-sdk-go v1.38.36
	github.com/cenkalti/backoff/v4 v4.1.0
	github.com/davecgh/go-spew v1.1.1
	github.com/deckarep/golang-set v1.7.1
	github.com/dgryski/go-farm v0.0.0-20180109070241-2de33835d102
	github.com/docker/docker v20.10.3+incompatible // indirect
	github.com/dsnet/compress v0.0.1
	github.com/dustin/go-humanize v1.0.0
	github.com/ekalinin/github-markdown-toc.go v0.0.0-20201214100212-a3e410f71786 // indirect
	github.com/evanphx/json-patch v4.9.0+incompatible
	github.com/fsnotify/fsnotify v1.4.9
	github.com/go-enry/go-license-detector/v4 v4.2.0
	github.com/go-ole/go-ole v1.2.5 // indirect
	github.com/go-stack/stack v1.8.0
	github.com/go-test/deep v1.0.7
	github.com/golang/protobuf v1.5.2
	github.com/huandu/xstrings v1.3.2 // indirect
	github.com/imdario/mergo v0.3.11 // indirect
	github.com/jjeffery/kv v0.8.1
	github.com/json-iterator/go v1.1.11 // indirect
	github.com/karlmutch/base62 v0.0.0-20150408093626-b80cdc656a7a
	github.com/karlmutch/ccache v2.0.3-0.20180726214243-573f5233780c+incompatible
	github.com/karlmutch/circbuf v0.0.0-20150827004946-bbbad097214e
	github.com/karlmutch/duat v0.0.0-20210225015104-bcfa908c74fb
	github.com/karlmutch/envflag v0.0.0-20160830095501-ae3268980a29
	github.com/karlmutch/go-cache v2.0.0+incompatible
	github.com/karlmutch/go-nvml v0.0.0-20200203202551-277366df5c37
	github.com/karlmutch/go-shortid v0.0.0-20160104014424-6c56cef5189c
	github.com/karlmutch/hashstructure v0.0.0-20170609045927-2bca23e0e452
	github.com/karlmutch/k8s v1.2.1-0.20210224003752-d750059a3836
	github.com/karlmutch/logxi v0.0.0-20210224194221-fde727bca873
	github.com/karlmutch/petname v0.0.0-20190202005206-caff460d43c2 // indirect
	github.com/karlmutch/vtclean v0.0.0-20170504063817-d14193dfc626
	github.com/karlseguin/expect v1.0.7 // indirect
	github.com/klauspost/cpuid/v2 v2.0.6 // indirect
	github.com/leaf-ai/go-service v0.0.0-20210504155144-52a20430a47b
	github.com/lthibault/jitterbug v2.0.0+incompatible
	github.com/magefile/mage v1.11.0 // indirect
	github.com/makasim/amqpextra v0.16.4
	github.com/mholt/archiver v2.1.0+incompatible
	github.com/michaelklishin/rabbit-hole/v2 v2.8.0
	github.com/minio/minio v0.0.0-20210507214158-ab7d5ee3d98e // indirect
	github.com/minio/minio-go/v7 v7.0.11-0.20210302210017-6ae69c73ce78
	github.com/mitchellh/copystructure v1.1.2
	github.com/montanaflynn/stats v0.6.6 // indirect
	github.com/nwaples/rardecode v0.0.0-20171029023500-e06696f847ae // indirect
	github.com/onsi/gomega v1.10.5 // indirect
	github.com/opencontainers/go-digest v1.0.0 // indirect
	github.com/otiai10/copy v1.2.0
	github.com/prometheus/client_golang v1.10.0
	github.com/prometheus/client_model v0.2.0
	github.com/prometheus/common v0.23.0
	github.com/prometheus/prom2json v1.3.0
	github.com/rs/xid v1.3.0
	github.com/russross/blackfriday/v2 v2.1.0 // indirect
	github.com/shirou/gopsutil v3.21.1+incompatible
	github.com/shirou/gopsutil/v3 v3.21.4 // indirect
	github.com/streadway/amqp v1.0.1-0.20200716223359-e6b33f460591
	github.com/tebeka/atexit v0.3.0
	github.com/tinylib/msgp v1.1.5 // indirect
	github.com/tklauser/go-sysconf v0.3.5 // indirect
	github.com/valyala/fastjson v1.2.0
	github.com/ventu-io/go-shortid v0.0.0-20201117134242-e59966efd125 // indirect
	go.opentelemetry.io/otel v0.16.0
	go.uber.org/atomic v1.7.0
	golang.org/x/crypto v0.0.0-20210506145944-38f3c27a63bf
	golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6 // indirect
	golang.org/x/net v0.0.0-20210505214959-0714010a04ed // indirect
	golang.org/x/sys v0.0.0-20210507161434-a76c4d0a0096 // indirect
	golang.org/x/term v0.0.0-20210422114643-f5beecf764ed // indirect
	google.golang.org/genproto v0.0.0-20210224155714-063164c882e6 // indirect
	google.golang.org/grpc v1.36.0 // indirect
	google.golang.org/protobuf v1.26.0
	gopkg.in/yaml.v2 v2.4.0 // indirect
)

replace (
	golang.org/x/text v0.3.0 => golang.org/x/text v0.3.3
	golang.org/x/text v0.3.1 => golang.org/x/text v0.3.3
	golang.org/x/text v0.3.2 => golang.org/x/text v0.3.3
)

JorritSalverda commented 3 years ago

Seems to happen for fairly regular semver version numbers:

+------------------+------------------+----------+-------------------+-----------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |     FIXED VERSION     |
+------------------+------------------+----------+-------------------+-----------------------+
| k8s.io/client-go | CVE-2019-11250   | MEDIUM   | v0.21.1           | 1.15.4, 1.16.1-beta.0 |
+------------------+------------------+----------+-------------------+-----------------------+

All go module version numbers are prefixed by v, hope that's not the issue here. Any way to easily disable go module scanning by using an envvar for example?

JorritSalverda commented 3 years ago

Ah, so if the CVE would have had fixed version v1.15.4, v1.16.1-beta.0 it would no longer appear. So I guess Trivy should prefix golang related CVE fix versions with a v if it's missing.

knqyf263 commented 3 years ago

@karlmutch Your go.mod says as below.

github.com/minio/minio v0.0.0-20210507214158-ab7d5ee3d98e // indirect

It means v0.0.0-20210507214158-ab7d5ee3d98e is used indirectly. v0.0.0-20210507214158-ab7d5ee3d98e is obviously older than v2018.05.16. Both versions are valid as semver and our library handles them properly. In other words, this detection looks true.

knqyf263 commented 3 years ago

@JorritSalverda 0.21.1 is obviously older than 1.15.4 and 1.16.1-beta.0. v doesn't affect any impact on vulnerability detection. If you simply want to add v prefix to fixed versions, it is another issue. Please raise a new issue.
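To make the precedence described in the two comments above concrete, here is an added Python sketch (not trivy's own comparison code) that parses the version strings from this thread and orders them by SemVer 2.0 rules; the function names are mine, and the `v` prefix is accepted but ignored, as it is for Go module versions.

```python
import re

# SemVer 2.0 core with the "v" prefix Go module versions carry, an optional
# pre-release and optional build metadata (matched but ignored for precedence).
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def parse(version):
    """Return a tuple that sorts by SemVer 2.0 precedence (spec section 11).

    Raises ValueError for strings that are not semver at all; minio's
    RELEASE.2020-04-23T00-58-49Z tag is one, hence trivy's constraint warning.
    """
    m = SEMVER_RE.match(version)
    if m is None:
        raise ValueError(f"improper version: {version!r}")
    core = tuple(int(m.group(i)) for i in (1, 2, 3))  # "05" parses as 5
    pre = m.group(4)
    if pre is None:
        return core + (1, ())  # a release outranks any pre-release of the same core
    # Numeric identifiers compare as integers and rank below alphanumeric ones;
    # tuple comparison then handles "shorter prefix sorts first" for free.
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return core + (0, ids)


def is_semver(version):
    """True when the string parses; mirrors trivy's improper-constraint check."""
    try:
        parse(version)
    except ValueError:
        return False
    return True


def is_affected(installed, fixed):
    """True when installed sorts below fixed, the comparison a scanner makes
    before flagging a package against an advisory's fixed version."""
    return parse(installed) < parse(fixed)


if __name__ == "__main__":
    # Values from the thread: the minio pseudo-version and the client-go release.
    print(is_affected("v0.0.0-20210507214158-ab7d5ee3d98e", "v2018.05.16"))  # True
    print(is_affected("v0.21.1", "1.16.1-beta.0"))  # True: the "v" prefix plays no part
    print(is_semver("RELEASE.2020-04-23T00-58-49Z"))  # False
```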

knqyf263 commented 3 years ago

@JorritSalverda

Any way to easily disable go module scanning by using an envvar for example?

As I explained, the detection works well. But if you still want to disable go detection, you can use --skip-files or --skip-dirs. They can be passed via environment variables TRIVY_SKIP_FILES and TRIVY_SKIP_DIRS.

JorritSalverda commented 3 years ago

@knqyf263 totally overlooked that the version number is lower. That's pretty unfortunate from go-client's end, since they restarted numbering at some point.

From their https://github.com/kubernetes/client-go:

We recommend using the v0.x.y tags for Kubernetes releases >= v1.17.0 and kubernetes-1.x.y tags for Kubernetes releases < v1.17.0.

I'll raise a ticket on their end to see how this can be resolved, because it will continue to pose a problem going forward.

knqyf263 commented 3 years ago

It looks there are some issues. The vulnerability was fixed in the following commit and Kubernetes v1.16.0 includes it. https://github.com/kubernetes/kubernetes/commit/4441f1d9c3e94d9a3d93b4f184a591cab02a5245

I'm not sure which version of client-go supports v1.16.0. I checked out the kubernetes-1.16.0 branch and the README says "We currently recommend using the v12.0.0 tag." It seems that the fixed version is v12.0.0. https://github.com/kubernetes/client-go/tree/kubernetes-1.16.0

Your installed version v0.21.1 is still lower than v12.0.0, so the vulnerability will be detected anyway due to the versioning of client-go. Also, this advisory looks wrong since it says the fixed version is v1.15.4 and v1.16.1-beta.0, but no such versions exist in client-go. https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/go/k8s.io/client-go/CVE-2019-11250.yml

knqyf263 commented 3 years ago

I also left a comment https://github.com/kubernetes/client-go/issues/969#issuecomment-846641884. Let's wait for their answer.

knqyf263 commented 3 years ago

GitLab updated the fixed version. https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/merge_requests/6803

This issue no longer happens. Please feel free to reopen the issue when you face the same issue again. Thanks.

karlmutch commented 3 years ago

I don't think the original problem is fixed. An issue someone else introduced into the discussion was addressed, but the original problem still remains as far as I can tell.

The release that exists on GitHub is RELEASE.2018-05-16T23-35-33Z, which somehow inside the CVE database is rendered as v2018.05.16, a semver 1 version, not really semver 2. The version of the latest release of minio is the one I think is correctly rendered, v0.0.0-20210507214158-ab7d5ee3d98e, which took the time and commit hash instead.

JorritSalverda commented 3 years ago

@karlmutch Sorry for having abused this ticket, I thought it had to do with the same thing. I'll open a separate ticket, since my issue hasn't been fully resolved either.

knqyf263 commented 3 years ago

@karlmutch It makes sense. The advisory comes from GitLab Advisory Database. https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/go/github.com/minio/minio/CVE-2018-1000538.yml

The version comparison works properly since v2018.05.16 is greater than v0.0.0-20210507214158-ab7d5ee3d98e, so I think the fixed version should be fixed. Could you raise an issue there?