chainguard-images / images

Public Chainguard Images
https://chainguard.dev/chainguard-images
Apache License 2.0
547 stars, 151 forks

Scanning "node:latest" with trivy returns 8 high findings #2191

Closed. mwager closed this 7 months ago

mwager commented 9 months ago

Which image/versions are related to this issue/feature request?

node:latest

Issue/Feature description

How is that possible? I thought they should have zero, and they had it in the past...

Output:

$ trivy image demo_node
2024-02-08T06:35:26.490+0100    INFO    Vulnerability scanning is enabled
2024-02-08T06:35:26.490+0100    INFO    Secret scanning is enabled
2024-02-08T06:35:26.490+0100    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-08T06:35:26.490+0100    INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-02-08T06:35:26.502+0100    INFO    Detected OS: wolfi
2024-02-08T06:35:26.502+0100    INFO    Detecting Wolfi vulnerabilities...
2024-02-08T06:35:26.504+0100    INFO    Number of language-specific files: 1
2024-02-08T06:35:26.504+0100    INFO    Detecting node-pkg vulnerabilities...

demo_node (wolfi 20230201)

Total: 15 (UNKNOWN: 0, LOW: 0, MEDIUM: 7, HIGH: 8, CRITICAL: 0)

┌────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│      Library       │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ glibc              │ CVE-2023-6246 │ HIGH     │ fixed  │ 2.38-r8           │ 2.38-r11      │ glibc: heap-based buffer overflow in __vsyslog_internal() │
│                    │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6246                 │
│                    ├───────────────┤          │        │                   │               ├───────────────────────────────────────────────────────────┤
│                    │ CVE-2023-6779 │          │        │                   │               │ glibc: off-by-one heap-based buffer overflow in           │
│                    │               │          │        │                   │               │ __vsyslog_internal()                                      │
│                    │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6779                 │
│                    ├───────────────┼──────────┤        │                   │               ├───────────────────────────────────────────────────────────┤
│                    │ CVE-2023-6780 │ MEDIUM   │        │                   │               │ glibc: integer overflow in __vsyslog_internal()           │
│                    │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6780                 │
├────────────────────┼───────────────┼──────────┤        │                   │               ├───────────────────────────────────────────────────────────┤
│ glibc-locale-posix │ CVE-2023-6246 │ HIGH     │        │                   │               │ glibc: heap-based buffer overflow in __vsyslog_internal() │
│                    │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6246                 │
│                    ├───────────────┤          │        │                   │               ├───────────────────────────────────────────────────────────┤
│                    │ CVE-2023-6779 │          │        │                   │               │ glibc: off-by-one heap-based buffer overflow in           │
│                    │               │          │        │                   │               │ __vsyslog_internal()                                      │
│                    │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6779                 │
│                    ├───────────────┼──────────┤        │                   │               ├───────────────────────────────────────────────────────────┤
│                    │ CVE-2023-6780 │ MEDIUM   │        │                   │               │ glibc: integer overflow in __vsyslog_internal()           │
│                    │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6780                 │
├────────────────────┼───────────────┼──────────┤        │                   │               ├───────────────────────────────────────────────────────────┤
│ ld-linux           │ CVE-2023-6246 │ HIGH     │        │                   │               │ glibc: heap-based buffer overflow in __vsyslog_internal() │
│                    │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6246                 │
│                    ├───────────────┤          │        │                   │               ├───────────────────────────────────────────────────────────┤
│                    │ CVE-2023-6779 │          │        │                   │               │ glibc: off-by-one heap-based buffer overflow in           │
│                    │               │          │        │                   │               │ __vsyslog_internal()                                      │
│                    │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6779                 │
│                    ├───────────────┼──────────┤        │                   │               ├───────────────────────────────────────────────────────────┤
│                    │ CVE-2023-6780 │ MEDIUM   │        │                   │               │ glibc: integer overflow in __vsyslog_internal()           │
│                    │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6780                 │
├────────────────────┼───────────────┼──────────┤        │                   │               ├───────────────────────────────────────────────────────────┤
│ libcrypt1          │ CVE-2023-6246 │ HIGH     │        │                   │               │ glibc: heap-based buffer overflow in __vsyslog_internal() │
│                    │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6246                 │
│                    ├───────────────┤          │        │                   │               ├───────────────────────────────────────────────────────────┤
│                    │ CVE-2023-6779 │          │        │                   │               │ glibc: off-by-one heap-based buffer overflow in           │
│                    │               │          │        │                   │               │ __vsyslog_internal()                                      │
│                    │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6779                 │
│                    ├───────────────┼──────────┤        │                   │               ├───────────────────────────────────────────────────────────┤
│                    │ CVE-2023-6780 │ MEDIUM   │        │                   │               │ glibc: integer overflow in __vsyslog_internal()           │
│                    │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6780                 │
├────────────────────┼───────────────┤          │        ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ libcrypto3         │ CVE-2024-0727 │          │        │ 3.2.0-r1          │ 3.2.1-r0      │ openssl: denial of service via null dereference           │
│                    │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-0727                 │
├────────────────────┤               │          │        │                   │               │                                                           │
│ libssl3            │               │          │        │                   │               │                                                           │
│                    │               │          │        │                   │               │                                                           │
├────────────────────┤               │          │        │                   │               │                                                           │
│ openssl-config     │               │          │        │                   │               │                                                           │
│                    │               │          │        │                   │               │                                                           │
└────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

Dockerfile:

# Chainguard node image; the tag is mutable, so a cached local copy can lag behind the registry
FROM cgr.dev/chainguard/node:latest
ENV NODE_ENV=production

WORKDIR /app

# The image runs as the unprivileged "node" user, so give it ownership of the app files
COPY --chown=node:node ["package.json", "package-lock.json", "server.js", "./"]

# Skip devDependencies (the flag is --omit=dev; "--omit-dev" is not an npm option and is ignored)
RUN npm install --omit=dev

# The image entrypoint is "node", so CMD only needs the script path
CMD [ "server.js" ]

tuananh commented 8 months ago

@mwager, you most likely have a stale base image.

Do a docker pull cgr.dev/chainguard/node before building the Dockerfile and try again.

This is the result for me:

trivy image cgr.dev/chainguard/node
2024-03-29T06:56:30.544+0700    INFO    Need to update DB
2024-03-29T06:56:30.544+0700    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2024-03-29T06:56:30.544+0700    INFO    Downloading DB...
44.68 MiB / 44.68 MiB [-----------------------------------------------------------------------------------------------------------------------------------] 100.00% 19.26 MiB p/s 2.5s
2024-03-29T06:56:34.897+0700    INFO    Vulnerability scanning is enabled
2024-03-29T06:56:34.897+0700    INFO    Secret scanning is enabled
2024-03-29T06:56:34.897+0700    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-29T06:56:34.897+0700    INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-03-29T06:56:41.649+0700    INFO    Detected OS: wolfi
2024-03-29T06:56:41.649+0700    INFO    Detecting Wolfi vulnerabilities...
2024-03-29T06:56:41.651+0700    INFO    Number of language-specific files: 0

cgr.dev/chainguard/node (wolfi 20230201)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
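
To make the "stale base image" diagnosis mechanical, the following added example (not code from the reporter or from the Chainguard project) parses a trivy JSON report (trivy image --format json) and collapses the per-package rows into unique CVEs, separating those that already have a fixed version upstream, and so disappear on a rebuild against a freshly pulled base, from those with no fix yet. The sample report is constructed to mirror the table in the original post; the field names assume trivy's JSON schema (Results, Vulnerabilities, VulnerabilityID, PkgName, Severity, Status, InstalledVersion, FixedVersion).

```python
import json

# Constructed sample in the shape of "trivy image --format json", mirroring the
# 15 rows from the scan above; this is not the reporter's actual JSON output.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "demo_node (wolfi 20230201)",
        "Class": "os-pkgs",
        "Type": "wolfi",
        "Vulnerabilities": [
            {"VulnerabilityID": cve, "PkgName": pkg, "Severity": sev, "Status": "fixed",
             "InstalledVersion": "2.38-r8", "FixedVersion": "2.38-r11"}
            for pkg in ("glibc", "glibc-locale-posix", "ld-linux", "libcrypt1")
            for cve, sev in (("CVE-2023-6246", "HIGH"), ("CVE-2023-6779", "HIGH"),
                             ("CVE-2023-6780", "MEDIUM"))
        ] + [
            {"VulnerabilityID": "CVE-2024-0727", "PkgName": pkg, "Severity": "MEDIUM",
             "Status": "fixed", "InstalledVersion": "3.2.0-r1", "FixedVersion": "3.2.1-r0"}
            for pkg in ("libcrypto3", "libssl3", "openssl-config")
        ],
    }]
})


def triage(report_json: str) -> dict:
    """Group trivy rows by CVE and report which ones a rebuild on a fresh base would clear."""
    rows = [v for r in json.loads(report_json)["Results"]
            for v in (r.get("Vulnerabilities") or [])]
    cves: dict = {}
    for v in rows:
        # One CVE is listed once per sub-package built from the same source (glibc here),
        # so the raw row count overstates the number of distinct problems.
        entry = cves.setdefault(v["VulnerabilityID"],
                                {"severity": v["Severity"], "packages": set(),
                                 "fixed_version": v.get("FixedVersion", "")})
        entry["packages"].add(v["PkgName"])
    remediable = sorted(c for c, e in cves.items() if e["fixed_version"])
    unfixed = sorted(c for c, e in cves.items() if not e["fixed_version"])
    high = sum(1 for e in cves.values() if e["severity"] in ("HIGH", "CRITICAL"))
    return {"rows": len(rows), "unique_cves": len(cves), "high_or_critical_unique": high,
            "remediable_by_rebuild": remediable, "unfixed": unfixed,
            "packages_per_cve": {c: sorted(e["packages"]) for c, e in cves.items()}}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{result['rows']} rows -> {result['unique_cves']} unique CVEs, "
          f"{len(result['remediable_by_rebuild'])} fixed upstream, "
          f"{len(result['unfixed'])} without a fix")
```

Pipe a real report in with trivy image --format json and read it from stdin instead of SAMPLE_REPORT; when every CVE lands in remediable_by_rebuild, as it does for the scan above, a fresh pull of the base (or docker build --pull) is the fix rather than a new upstream vulnerability.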

mwager commented 7 months ago

You are right, got same result now. Thank you!