arminc / clair-scanner

Docker containers vulnerability scan
Apache License 2.0

False positive reported on postgres:13.1-alpine: CVE-2020-28928 (musl package) #113

Open Snipx opened 3 years ago

Snipx commented 3 years ago

Steps to reproduce:

$  clair-scanner --all  -c "http://127.0.0.1:6060" --ip 172.17.0.1 postgres:13.1-alpine
2021/02/23 17:34:41 [INFO] ▶ Start clair-scanner
2021/02/23 17:34:42 [INFO] ▶ Server listening on port 9279
2021/02/23 17:34:42 [INFO] ▶ Analyzing b086dfe366448ca9e9f25cbec5fa9a6e9a284db32b54644a1ed6ecca7c3872c9
2021/02/23 17:34:42 [INFO] ▶ Analyzing 1677a8ec5fbbc33ddc34e1b29a29030b07b86e4b2338201c94e782f34b112b3a
2021/02/23 17:34:42 [INFO] ▶ Analyzing 67a4aaa1ad6056dbd95518baa5187cfd2531e6320bc382339e47522ac7db89a3
2021/02/23 17:34:42 [INFO] ▶ Analyzing 586620978d681bf25b26c972ac69824dbafe80e65f06564eaa9c37d215276c16
2021/02/23 17:34:42 [INFO] ▶ Analyzing 777b19181bebd418aea2ef37a5fb546e29abb3260c2ae5269e9a040d7da90621
2021/02/23 17:34:42 [INFO] ▶ Analyzing 088b04afa1292ff479a9cde2bb8cc42c421c82c94fdf61fc31a5252f1a37c655
2021/02/23 17:34:42 [INFO] ▶ Analyzing ceeeba1ba24452ce82108e2a3e308567a6ef0eb8622c736eb0e600dc41e60ecf
2021/02/23 17:34:42 [INFO] ▶ Analyzing 257567783eed1d1ee3f47f50bc6b192b8d401b4cbfbd76a34257d08f5b2f2f31
2021/02/23 17:34:43 [WARN] ▶ Image [postgres:13.1-alpine] contains 1 total vulnerabilities
2021/02/23 17:34:43 [ERRO] ▶ Image [postgres:13.1-alpine] contains 1 unapproved vulnerabilities
+------------+--------------------+--------------+-----------------+---------------------------------------------------------------+
| STATUS     | CVE SEVERITY       | PACKAGE NAME | PACKAGE VERSION | CVE DESCRIPTION                                               |
+------------+--------------------+--------------+-----------------+---------------------------------------------------------------+
| Unapproved | Low CVE-2020-28928 | musl         | 1.2.2-r0        |                                                               |
|            |                    |              |                 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28928 |
+------------+--------------------+--------------+-----------------+---------------------------------------------------------------+

As we can see in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28928, the issue happens for versions through 1.2.1, even though the detected package version is 1.2.2-r0.

So this is a false positive report from clair, which should be fixed, I believe.

Thanks a lot in advance.

isuftin commented 3 years ago

Seeing the same with the latest clair-db and clair-scan, just scanning the 3.13.2 Alpine image directly out of Dockerhub.

temp commented 3 years ago

Same here, but with a weird version mixup:

clair timeout 1m0s
docker timeout: 1m0s
no whitelist file
Analysing 7 layers
Got results from Clair API v1
Found 1 vulnerabilities
Low: 1
CVE-2020-28928: [Low] 
Found in: musl [1.2.2-r0]
Fixed By: 1.2.2_pre2-r0
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28928

It says found in 1.2.2-r0, fixed in 1.2.2_pre2-r0, but isn't the latter older than the former?
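
To see why the "Fixed By" line above is suspicious, here is an added example (not code from clair-scanner, Clair or the Alpine project) that orders Alpine package versions the way apk does, in a simplified model: `_alpha`, `_beta`, `_pre` and `_rc` sort before the plain release, so `1.2.2_pre2-r0` is older than `1.2.2-r0`, and an installed `1.2.2-r0` already sits at or past the stated fix. The `Finding` type and the `IsFalsePositive` helper are assumptions made for this example, and the model deliberately covers only the version shapes seen in this thread; real apk-tools handles more forms.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Assumption: a simplified model of apk-tools version ordering, enough for the
// versions in this thread. It handles dotted numbers, an optional trailing
// letter, one _suffix with an optional number, and a -rN package revision.
// Pre-release suffixes sort before the plain release, post-release ones after.
var suffixRank = map[string]int{
	"alpha": -5, "beta": -4, "pre": -3, "rc": -2,
	"": 0, // plain release, e.g. 1.2.2-r0
	"cvs": 1, "svn": 2, "git": 3, "hg": 4, "p": 5,
}

var versionRe = regexp.MustCompile(`^(\d+(?:\.\d+)*)([a-z]?)(?:_([a-z]+)(\d*))?(?:-r(\d+))?$`)

type apkVersion struct {
	nums    []int
	letter  string
	suffix  string
	suffixN int
	rev     int
}

func parseAPKVersion(s string) (apkVersion, error) {
	m := versionRe.FindStringSubmatch(s)
	if m == nil {
		return apkVersion{}, fmt.Errorf("unparseable apk version %q", s)
	}
	if _, ok := suffixRank[m[3]]; !ok {
		return apkVersion{}, fmt.Errorf("unknown suffix %q in %q", m[3], s)
	}
	v := apkVersion{letter: m[2], suffix: m[3]}
	for _, p := range strings.Split(m[1], ".") {
		n, _ := strconv.Atoi(p) // the regex guarantees digits here
		v.nums = append(v.nums, n)
	}
	v.suffixN, _ = strconv.Atoi(m[4]) // "" parses as 0
	v.rev, _ = strconv.Atoi(m[5])
	return v, nil
}

func cmpInt(a, b int) int {
	switch {
	case a < b:
		return -1
	case a > b:
		return 1
	}
	return 0
}

// CompareAPKVersions returns -1, 0 or 1 when a sorts before, equal to, or
// after b under the model above.
func CompareAPKVersions(a, b string) (int, error) {
	va, err := parseAPKVersion(a)
	if err != nil {
		return 0, err
	}
	vb, err := parseAPKVersion(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < len(va.nums) && i < len(vb.nums); i++ {
		if c := cmpInt(va.nums[i], vb.nums[i]); c != 0 {
			return c, nil
		}
	}
	// Same numeric prefix: the version with more components sorts later.
	if c := cmpInt(len(va.nums), len(vb.nums)); c != 0 {
		return c, nil
	}
	if c := strings.Compare(va.letter, vb.letter); c != 0 {
		return c, nil
	}
	if c := cmpInt(suffixRank[va.suffix], suffixRank[vb.suffix]); c != 0 {
		return c, nil
	}
	if c := cmpInt(va.suffixN, vb.suffixN); c != 0 {
		return c, nil
	}
	return cmpInt(va.rev, vb.rev), nil
}

// Finding mirrors the fields clair-scanner printed in this thread (hypothetical type).
type Finding struct {
	CVE, Package, Installed, FixedBy string
}

// IsFalsePositive reports whether the installed version already sorts at or
// after the version the scanner claims fixes the CVE.
func IsFalsePositive(f Finding) (bool, error) {
	c, err := CompareAPKVersions(f.Installed, f.FixedBy)
	if err != nil {
		return false, err
	}
	return c >= 0, nil
}

func main() {
	// Constructed from the scanner output quoted in this thread.
	f := Finding{CVE: "CVE-2020-28928", Package: "musl", Installed: "1.2.2-r0", FixedBy: "1.2.2_pre2-r0"}
	fp, err := IsFalsePositive(f)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s in %s %s (fixed by %s): false positive = %v\n", f.CVE, f.Package, f.Installed, f.FixedBy, fp)
}
```

Run as-is it reports the musl finding as a false positive. The same comparator shows that `1.2.1-r0`, the last version the advisory lists as affected, sorts before `1.2.2-r0`, so a scanner that orders `_pre2` after the release is the likely source of the mismatch, and a whitelist entry for this CVE is a workaround rather than a fix of the ordering.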

isuftin commented 3 years ago

Same issue still in Alpine 3.13.4

Low CVE-2020-28928 - musl - 1.2.2-r0

Snipx commented 3 years ago

Dear Clair team, any chance to fix this one? It's really sad to have this false positive :(