cert-manager / istio-csr

istio-csr is an agent that allows for Istio workload and control plane components to be secured using cert-manager.
https://cert-manager.io/docs/usage/istio-csr/
Apache License 2.0

False positive warnings from trivy and dependabot #223

Open wallrj opened 11 months ago

wallrj commented 11 months ago

This project imports the go module istio.io/istio which uses unadorned semver tags rather than the go standard v-prefixed release tags. The consequence is that go mod tidy always replaces the go.mod entry with a pseudo-version, and this version is then misinterpreted by trivy and by dependabot:

In https://github.com/cert-manager/istio-csr/pull/222 I upgraded istio.io/istio to the latest version and trivy still reports the same false positive vulnerabilities:

$ trivy repo .
2023-12-05T15:42:33.816Z        INFO    Vulnerability scanning is enabled
2023-12-05T15:42:33.816Z        INFO    Secret scanning is enabled
2023-12-05T15:42:33.816Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-05T15:42:33.817Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.47/docs/scanner/secret/#recommendation for faster secret detection
2023-12-05T15:42:38.475Z        INFO    Number of language-specific files: 2
2023-12-05T15:42:38.475Z        INFO    Detecting gomod vulnerabilities...

go.mod (gomod)

Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 4, CRITICAL: 0)

┌────────────────┬────────────────┬──────────┬────────┬───────────────────────────────────┬─────────────────────────┬──────────────────────────────────────────────────────────────┐
│    Library     │ Vulnerability  │ Severity │ Status │         Installed Version         │      Fixed Version      │                            Title                             │
├────────────────┼────────────────┼──────────┼────────┼───────────────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ istio.io/istio │ CVE-2019-14993 │ HIGH     │ fixed  │ 0.0.0-20231205100254-0ebec17e00ab │ 1.1.13, 1.2.4           │ istio/envoy: mishandling regular expressions for long URIs   │
│                │                │          │        │                                   │                         │ leading to DoS                                               │
│                │                │          │        │                                   │                         │ https://avd.aquasec.com/nvd/cve-2019-14993                   │
│                ├────────────────┤          │        │                                   ├─────────────────────────┼──────────────────────────────────────────────────────────────┤
│                │ CVE-2021-39155 │          │        │                                   │ 1.9.8, 1.10.4, 1.11.1   │ HTTP request can bypass authorization mechanisms due to case │
│                │                │          │        │                                   │                         │ insensitive host comparison...                               │
│                │                │          │        │                                   │                         │ https://avd.aquasec.com/nvd/cve-2021-39155                   │
│                ├────────────────┤          │        │                                   │                         ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2021-39156 │          │        │                                   │                         │ HTTP request with fragment in URI can bypass authorization   │
│                │                │          │        │                                   │                         │ mechanisms                                                   │
│                │                │          │        │                                   │                         │ https://avd.aquasec.com/nvd/cve-2021-39156                   │
│                ├────────────────┤          │        │                                   ├─────────────────────────┼──────────────────────────────────────────────────────────────┤
│                │ CVE-2022-23635 │          │        │                                   │ 1.13.1, 1.12.4, 1.11.7  │ unauthenticated control plane denial of service attack       │
│                │                │          │        │                                   │                         │ https://avd.aquasec.com/nvd/cve-2022-23635                   │
│                ├────────────────┼──────────┤        │                                   ├─────────────────────────┼──────────────────────────────────────────────────────────────┤
│                │ CVE-2022-31045 │ MEDIUM   │        │                                   │ 1.12.18, 1.13.5, 1.14.1 │ Unsafe memory access in metadata exchange.                   │
│                │                │          │        │                                   │                         │ https://avd.aquasec.com/nvd/cve-2022-31045                   │
└────────────────┴────────────────┴──────────┴────────┴───────────────────────────────────┴─────────────────────────┴──────────────────────────────────────────────────────────────┘

marcingy commented 7 months ago

This also affects the scan tool we are using (orca) in the same way

tomelliot16 commented 7 months ago

I believe, unless I'm mistaken, that this is because istio doesn't tag with a v prefix (https://github.com/istio/istio/release). I believe an issue should be made with istio/istio to change the versioning to include the prefix v.
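
The mechanism behind wallrj's report and tomelliot16's explanation, as an added example that is not part of this issue or of the istio-csr project: when a module's tags lack the v prefix, go mod tidy records a pseudo-version such as v0.0.0-20231205100254-0ebec17e00ab, and a scanner that matches on version ranges compares that 0.0.0 against every "Fixed Version" in its advisory data and flags all of them. The program below parses a constructed go.mod excerpt (modelled on the one the issue describes, not the real file), detects pseudo-versions, extracts the commit prefix that actually identifies the code, and shows which fixed versions a range-based scanner would consider unapplied. The fixed versions are the ones listed in the trivy output quoted above; the minimal version comparison is a deliberate simplification of semver (build metadata and full pre-release ordering are ignored), which is enough to show the ordering problem.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed go.mod excerpt (not the project's real go.mod): the istio.io/istio
// requirement has been rewritten by go mod tidy to a pseudo-version.
const sampleGoMod = `module github.com/example/istio-csr-demo

go 1.21

require (
	istio.io/istio v0.0.0-20231205100254-0ebec17e00ab
	k8s.io/client-go v0.28.4
)
`

// pseudoVersionRE matches the Go pseudo-version forms: a base version, an optional
// pre-release component, a 14-digit UTC timestamp and a 12-hex-digit commit prefix.
var pseudoVersionRE = regexp.MustCompile(`^v\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)?[-.](\d{14})-([0-9a-f]{12})$`)

// Requirement is one "path version" line from a go.mod require directive.
type Requirement struct {
	Path    string
	Version string
	Commit  string // non-empty only when Version is a pseudo-version
}

// IsPseudoVersion reports whether v is a pseudo-version rather than a release tag.
func IsPseudoVersion(v string) bool { return pseudoVersionRE.MatchString(v) }

// PseudoVersionCommit returns the commit prefix embedded in a pseudo-version, or "".
func PseudoVersionCommit(v string) string {
	m := pseudoVersionRE.FindStringSubmatch(v)
	if m == nil {
		return ""
	}
	return m[2]
}

// ParseRequirements extracts the require lines (single-line and block form) from go.mod text.
func ParseRequirements(goMod string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimSpace(strings.TrimPrefix(line, "require "))
		case !inBlock || line == "":
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		reqs = append(reqs, Requirement{Path: fields[0], Version: fields[1], Commit: PseudoVersionCommit(fields[1])})
	}
	return reqs
}

// parseCore splits "v1.2.3[-pre]" (leading v optional) into major/minor/patch
// and reports whether a pre-release suffix (which includes pseudo-versions) is present.
func parseCore(v string) (nums [3]int, pre bool) {
	core, _, hasPre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	for i, p := range strings.SplitN(core, ".", 3) {
		nums[i], _ = strconv.Atoi(p)
	}
	return nums, hasPre
}

// CompareVersions returns -1, 0 or 1; a pre-release sorts below the same core release.
func CompareVersions(a, b string) int {
	na, pa := parseCore(a)
	nb, pb := parseCore(b)
	for i := 0; i < 3; i++ {
		if na[i] != nb[i] {
			if na[i] < nb[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case pa && !pb:
		return -1
	case !pa && pb:
		return 1
	}
	return 0
}

// FlaggedFixes returns the fixed versions a range-based scanner would consider
// not yet applied to installed, i.e. every fixed version that compares greater.
func FlaggedFixes(installed string, fixed []string) []string {
	var out []string
	for _, f := range fixed {
		if CompareVersions(installed, f) < 0 {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	// Fixed versions exactly as listed in the trivy output quoted in this issue.
	fixedByCVE := []struct {
		cve   string
		fixed []string
	}{
		{"CVE-2019-14993", []string{"1.1.13", "1.2.4"}},
		{"CVE-2021-39155", []string{"1.9.8", "1.10.4", "1.11.1"}},
		{"CVE-2021-39156", []string{"1.9.8", "1.10.4", "1.11.1"}},
		{"CVE-2022-23635", []string{"1.13.1", "1.12.4", "1.11.7"}},
		{"CVE-2022-31045", []string{"1.12.18", "1.13.5", "1.14.1"}},
	}
	for _, r := range ParseRequirements(sampleGoMod) {
		if r.Commit == "" {
			fmt.Printf("%s %s: release tag, version-range matching is meaningful\n", r.Path, r.Version)
			continue
		}
		fmt.Printf("%s %s: pseudo-version, triage by commit %s rather than by version\n", r.Path, r.Version, r.Commit)
		for _, e := range fixedByCVE {
			fmt.Printf("  %s: scanner sees installed < %v -> flagged\n", e.cve, FlaggedFixes(r.Version, e.fixed))
		}
	}
}
```

Running this prints that istio.io/istio is flagged against every fixed version of every CVE, whatever commit the pseudo-version actually points at, while k8s.io/client-go, which carries a v-prefixed tag, is comparable as intended. The useful defensive output is the commit prefix: a reviewer can map 0ebec17e00ab to the istio release it post-dates and close the findings with evidence, instead of suppressing them blindly. In a real tool the hand-rolled comparison should be replaced by golang.org/x/mod/semver, which implements the full ordering rules.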