githubcdr opened 2 years ago
What tool are you using to generate this report?
If you send me a list of CVEs, I can check if they impact Kodiak.
Hi @chdsbd, you can use Trivy for this. This will generate a list of CVEs.
Running trivy on the latest release I get:
22-07-04T17:59:10.298-0400 INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
Python (python-pkg)
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 1)
| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| PyJWT (METADATA) | CVE-2022-29217 | HIGH | 1.7.1 | 2.4.0 | python-jwt: Key confusion through non-blocklisted public key formats (https://avd.aquasec.com/nvd/cve-2022-29217) |
| httpx (METADATA) | CVE-2021-41945 | CRITICAL | 0.18.1 | 0.20.0 | Encode OSS httpx < 0.23.0 is affected by improper input validation ... (https://avd.aquasec.com/nvd/cve-2021-41945) |
| ipython (METADATA) | CVE-2022-21699 | HIGH | 7.27.0 | 6.0.0rc1, 7.16.3, 7.31.1, 8.0.1 | IPython (Interactive Python) is a command shell for interactive comput ... (https://avd.aquasec.com/nvd/cve-2022-21699) |
| pip (METADATA) | CVE-2021-3572 | MEDIUM | 19.2.1 | 21.1 | python-pip: Incorrect handling of unicode separators in git references (https://avd.aquasec.com/nvd/cve-2021-3572) |
Of course I'm only looking at the Python-specific output; if you grab the entire output of that tool you get 15,000 lines of output, aka garbage.
I think this tool suffers from a similar problem to npm audit: https://overreacted.io/npm-audit-broken-by-design/
Digging into the output a bit more, here's the output in a less verbose form, where the key is the package name and the value is the number of CVEs associated with it.
{
"apt": 3,
"bash": 1,
"binutils": 61,
"binutils-common": 61,
"binutils-x86-64-linux-gnu": 61,
"bsdutils": 2,
"comerr-dev": 3,
"coreutils": 2,
"cpp-8": 2,
"curl": 23,
"dirmngr": 2,
"dpkg": 1,
"dpkg-dev": 1,
"e2fsprogs": 3,
"fdisk": 2,
"file": 1,
"g++-8": 2,
"gcc-8": 2,
"gcc-8-base": 2,
"gir1.2-rsvg-2.0": 1,
"git": 16,
"git-man": 16,
"gnupg": 2,
"gnupg-l10n": 2,
"gnupg-utils": 2,
"gpg": 2,
"gpg-agent": 2,
"gpg-wks-client": 2,
"gpg-wks-server": 2,
"gpgconf": 2,
"gpgsm": 2,
"gpgv": 2,
"gzip": 1,
"icu-devtools": 2,
"imagemagick": 106,
"imagemagick-6-common": 106,
"imagemagick-6.q16": 106,
"iproute2": 1,
"krb5-multidev": 5,
"libapt-pkg5.0": 3,
"libasan5": 2,
"libatomic1": 2,
"libbinutils": 61,
"libblkid-dev": 2,
"libblkid1": 2,
"libbsd0": 1,
"libc-bin": 22,
"libc-dev-bin": 22,
"libc6": 22,
"libc6-dev": 22,
"libcairo-gobject2": 5,
"libcairo-script-interpreter2": 5,
"libcairo2": 5,
"libcairo2-dev": 5,
"libcc1-0": 2,
"libcom-err2": 3,
"libcroco3": 3,
"libcurl3-gnutls": 23,
"libcurl4": 23,
"libcurl4-openssl-dev": 23,
"libdb5.3": 1,
"libdb5.3-dev": 1,
"libde265-0": 19,
"libdjvulibre-dev": 11,
"libdjvulibre-text": 11,
"libdjvulibre21": 11,
"libdpkg-perl": 1,
"libexif-dev": 10,
"libexif12": 10,
"libexpat1": 18,
"libexpat1-dev": 18,
"libext2fs2": 3,
"libfdisk1": 2,
"libfreetype6": 5,
"libfreetype6-dev": 5,
"libfribidi0": 4,
"libgcc-8-dev": 2,
"libgcc1": 2,
"libgcrypt20": 4,
"libglib2.0-0": 6,
"libglib2.0-bin": 6,
"libglib2.0-data": 6,
"libglib2.0-dev": 6,
"libglib2.0-dev-bin": 6,
"libgmp-dev": 1,
"libgmp10": 1,
"libgmpxx4ldbl": 1,
"libgnutls-dane0": 7,
"libgnutls-openssl27": 7,
"libgnutls28-dev": 7,
"libgnutls30": 7,
"libgnutlsxx28": 7,
"libgomp1": 2,
"libgssapi-krb5-2": 5,
"libgssrpc4": 5,
"libharfbuzz0b": 1,
"libheif1": 3,
"libhogweed4": 2,
"libicu-dev": 2,
"libicu63": 2,
"libidn2-0": 2,
"libidn2-dev": 2,
"libitm1": 2,
"libjbig-dev": 1,
"libjbig0": 1,
"libjpeg-dev": 8,
"libjpeg62-turbo": 8,
"libjpeg62-turbo-dev": 8,
"libk5crypto3": 5,
"libkadm5clnt-mit11": 5,
"libkadm5srv-mit11": 5,
"libkdb5-9": 5,
"libkrb5-3": 5,
"libkrb5-dev": 5,
"libkrb5support0": 5,
"libldap-2.4-2": 22,
"libldap-common": 22,
"liblsan0": 2,
"liblz4-1": 2,
"liblzma-dev": 1,
"liblzma5": 1,
"libmagic-mgc": 1,
"libmagic1": 1,
"libmagickcore-6-arch-config": 106,
"libmagickcore-6-headers": 106,
"libmagickcore-6.q16-6": 106,
"libmagickcore-6.q16-6-extra": 106,
"libmagickcore-6.q16-dev": 106,
"libmagickcore-dev": 106,
"libmagickwand-6-headers": 106,
"libmagickwand-6.q16-6": 106,
"libmagickwand-6.q16-dev": 106,
"libmagickwand-dev": 106,
"libmariadb-dev": 80,
"libmariadb-dev-compat": 80,
"libmariadb3": 80,
"libmount-dev": 2,
"libmount1": 2,
"libmpx2": 2,
"libncurses-dev": 4,
"libncurses5-dev": 4,
"libncurses6": 4,
"libncursesw5-dev": 4,
"libncursesw6": 4,
"libnettle6": 2,
"libnghttp2-14": 3,
"libopenexr-dev": 40,
"libopenexr23": 40,
"libopenjp2-7": 33,
"libopenjp2-7-dev": 33,
"libp11-kit-dev": 3,
"libp11-kit0": 3,
"libpango-1.0-0": 1,
"libpangocairo-1.0-0": 1,
"libpangoft2-1.0-0": 1,
"libpcre16-3": 6,
"libpcre2-8-0": 3,
"libpcre3": 6,
"libpcre3-dev": 6,
"libpcre32-3": 6,
"libpcrecpp0v5": 6,
"libperl5.28": 5,
"libpng-dev": 4,
"libpng16-16": 4,
"libpq-dev": 17,
"libpq5": 17,
"libpython-stdlib": 1,
"libpython2-stdlib": 1,
"libpython2.7-minimal": 16,
"libpython2.7-stdlib": 16,
"libpython3.7-minimal": 22,
"libpython3.7-stdlib": 22,
"libquadmath0": 2,
"librsvg2-2": 1,
"librsvg2-common": 1,
"librsvg2-dev": 1,
"libsasl2-2": 2,
"libsasl2-modules-db": 2,
"libseccomp2": 1,
"libsepol1": 4,
"libsepol1-dev": 4,
"libsmartcols1": 2,
"libsqlite3-0": 18,
"libsqlite3-dev": 18,
"libss2": 3,
"libssh2-1": 2,
"libssl-dev": 18,
"libssl1.1": 18,
"libstdc++-8-dev": 2,
"libstdc++6": 2,
"libsvn1": 5,
"libsystemd0": 10,
"libtasn1-6": 1,
"libtasn1-6-dev": 1,
"libtcl8.6": 1,
"libtiff-dev": 33,
"libtiff5": 33,
"libtiffxx5": 33,
"libtinfo6": 4,
"libtsan0": 2,
"libubsan1": 2,
"libudev1": 10,
"libunbound8": 17,
"libuuid1": 2,
"libwebp-dev": 12,
"libwebp6": 12,
"libwebpdemux2": 12,
"libwebpmux3": 12,
"libwmf-dev": 4,
"libwmf0.2-7": 4,
"libx11-6": 3,
"libx11-data": 3,
"libx11-dev": 3,
"libxml2": 16,
"libxml2-dev": 16,
"libxslt1-dev": 5,
"libxslt1.1": 5,
"libxtables12": 2,
"libzstd1": 2,
"linux-libc-dev": 594,
"login": 4,
"m4": 2,
"mariadb-common": 80,
"mount": 2,
"ncurses-base": 4,
"ncurses-bin": 4,
"nettle-dev": 2,
"openssh-client": 13,
"openssl": 18,
"passwd": 4,
"patch": 7,
"perl": 5,
"perl-base": 5,
"perl-modules-5.28": 5,
"python": 1,
"python-minimal": 1,
"python2": 1,
"python2-minimal": 1,
"python2.7": 16,
"python2.7-minimal": 16,
"python3.7": 22,
"python3.7-minimal": 22,
"subversion": 5,
"supervisor": 1,
"tar": 3,
"tcl8.6": 1,
"tcl8.6-dev": 1,
"unzip": 4,
"util-linux": 2,
"uuid-dev": 2,
"wget": 1,
"xz-utils": 1,
"zlib1g": 1,
"zlib1g-dev": 1,
"PyJWT": 1,
"httpx": 1,
"ipython": 1,
"pip": 1
}
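The per-package tally above can be produced from Trivy's `--format json` output. The following is an added example, not code from this thread or from the Kodiak project: it reads a (constructed, abbreviated) Trivy schema-version-2 report, counts findings per package the way the tally does, optionally restricts to one result type such as `python-pkg`, and also counts distinct CVE ids per severity, since several Debian binary packages built from one source (the `imagemagick-*` and `libmagick*` rows, for instance) repeat the same CVEs.

```python
import json
from collections import Counter, defaultdict

# Constructed, abbreviated Trivy JSON report (schema version 2, the shape
# emitted by `trivy image --format json`). Values are illustrative only;
# the CVE-0000-* ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/image:tag",
    "Results": [
        {"Target": "example/image:tag (debian 10.0)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo1", "Severity": "HIGH", "FixedVersion": ""},
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo-dev", "Severity": "HIGH", "FixedVersion": ""},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libfoo1", "Severity": "LOW", "FixedVersion": "1.2-3"},
         ]},
        {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2022-29217", "PkgName": "PyJWT", "Severity": "HIGH", "FixedVersion": "2.4.0"},
             {"VulnerabilityID": "CVE-2021-3572", "PkgName": "pip", "Severity": "MEDIUM", "FixedVersion": "21.1"},
         ]},
    ],
})


def summarize(report_text, only_type=None):
    """Return (per_package, unique_by_severity, fixable) for a Trivy JSON report.

    per_package        -- {PkgName: number of findings}, the tally shown in the thread
    unique_by_severity -- {Severity: count of distinct CVE ids}; binary packages that
                          share a source package repeat CVEs, so this is the honest
                          count of distinct issues in the image
    fixable            -- set of CVE ids that carry a FixedVersion, i.e. an upgrade exists
    """
    report = json.loads(report_text)
    per_package = Counter()
    ids_by_sev = defaultdict(set)
    fixable = set()
    for result in report.get("Results", []):
        # only_type="python-pkg" mirrors reading just the Python table of the text report
        if only_type and result.get("Type") != only_type:
            continue
        for v in result.get("Vulnerabilities") or []:  # key may be absent or null
            per_package[v["PkgName"]] += 1
            ids_by_sev[v["Severity"]].add(v["VulnerabilityID"])
            if v.get("FixedVersion"):
                fixable.add(v["VulnerabilityID"])
    unique_by_severity = {sev: len(ids) for sev, ids in ids_by_sev.items()}
    return dict(per_package), unique_by_severity, fixable
```

The difference between the per-package total and the distinct-id count is what inflates the 4,082 figure further down the thread; the `fixable` set is the part an image rebuild can actually reduce.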
Hi @sbdchd,
I got a different output using this version.
trivy --version
Version: 0.28.0
Vulnerability DB:
Version: 2
UpdatedAt: 2022-07-05 06:06:05.656161198 +0000 UTC
NextUpdate: 2022-07-05 12:06:05.656160898 +0000 UTC
DownloadedAt: 2022-07-05 09:51:31.985153999 +0000 UTC
$ trivy i cdignam/kodiak:v0.52.0
cdignam/kodiak:v0.52.0 (debian 10.0)
Total: 4082 (UNKNOWN: 57, LOW: 1283, MEDIUM: 1357, HIGH: 1183, CRITICAL: 202)
Could be a first improvement: https://github.com/chdsbd/kodiak/pull/796
The docker image (cdignam/kodiak:v0.52.0) mentioned in the docs for self-hosting does not have a great reputation when it comes to security.
A trivy scan shows 199 critical issues in the latest release.
It seems that new versions add more critical CVEs (v0.50.0 had 157).
What is going on here?