Closed errcode1202 closed 2 years ago
However we suspect its because Docker scanning is only checking for the presence of compromised jar's and is not able to understand mitigations that involve anything other than removing the offending jar's i.e. Set formatMsgNoLookups to true
Yes, this is correct.
So we wonder, if Docker scan is also using snyk, is it scanning things with additional settings?
Yes, we also scan with our own inhouse code based on open source code here github.com/aquasecurity/fanal/analyzer which checks for packages matching known vulnerable versions.
Reading the atlassian comment here https://jira.atlassian.com/browse/BSERV-13087?focusedCommentId=2938356&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-2938356 seems to suggest that log4j-core was not actually removed as it's bundled as part of ElasticSearch and that's still using a vulnerable versions although mitigated through other means.
Is it possible to upgrade ElasticSearch to a 7.16.2 as listed here? https://www.elastic.co/blog/new-elasticsearch-and-logstash-releases-upgrade-apache-log4j2
Hi @mikeparker,
Thanks for the response on this. Although a fix had been applied to effectively make the vulnrable jar's benign, Snyk obviously cannot recognise this. We've taken things a step further and upgraded the log4j jar's themselves. This has made things go green for the tags 👍🏽 .
Description We (Atlassian) host our official Bitbucket Server Docker image on Docker Hub. As you will note each published tag is flagged with the message
Log4Shell CVE detected
in relation to CVE-2021-44228.This issue was fully investigated and mitigated for Bitbucket through the fixes:
log4j-core
and updatinglog4j-api
formatMsgNoLookups
totrue
These fixes have been applied to Bitbucket versions;
7.14.2
,7.18.3
,7.17.4
,6.10.16
,7.15.3
,7.16.3
,7.19.1
,7.6.12
and likewise their Docker tag equivalents.We are unsure why Docker Hub is reporting these tags as vulnerable? However we suspect its because Docker scanning is only checking for the presence of compromised jar's and is not able to understand mitigations that involve anything other than removing the offending jar's i.e. Set
formatMsgNoLookups
totrue
As part of our dev pipeline we also run
snyk test
andsnyk monitor
against these images and these scans have not identified the Log4Shell vulnerability. So we wonder, if Docker scan is also using snyk, is it scanning things with additional settings?Describe the results you expected: Can this be looked into please. We don't think things are being reported accurately for Bitbucket Server on Docker Hub. Particularly considering running
snyk container test -d atlassian/bitbucket-server:7.20.0
locally does not report the presence of this vulnerability.Additional info We have found running
docker scan
locally for this image(s) (Docker for Macv4.4.2
) results in the errorFailed to get vulns
i.e.