.NET SDK images have (false positive) .NET CVEs

[richlander]

This should never happen. The scanners are reporting false positives (in part) due to stale dependencies.

This has been reported multiple times. I'm starting a new tracking issue. There are lots of scanners. I'm using Docker Scout because it is easy for me to use. Nice product!

.NET SDK 8.0.203 image:

There are a mixture of .NET SDK, PowerShell (due to .NET dependencies), and Debian CVEs.

.NET SDK 8.0.300-preview.24201.7 (from https://github.com/dotnet/installer?tab=readme-ov-file#table):

A number of the (false positive) .NET CVEs are resolved in 8.0.300, which should be released in May.

Outstanding issues:

• CVE-2023-29331
  • System.Security.Cryptography.Pkcs 7.0.0
  • /usr/share/dotnet/sdk/8.0.300-preview.24201.7/DotnetTools/dotnet-watch/8.0.300-preview.24201.10/tools/net8.0/any/BuildHost-netcore/Microsoft.CodeAnalysis.Workspaces.MSBuild.BuildHost.deps.json
• CVE-2024-0057
  • NuGet.Packaging 6.7.0.127
  • /usr/share/powershell/.store/powershell.linux.x64/7.4.1/powershell.linux.x64/7.4.1/tools/net8.0/any/Modules/Microsoft.PowerShell.PSResourceGet/dependencies/NuGet.Packaging.dll
  • /usr/share/powershell/.store/powershell.linux.x64/7.4.1/powershell.linux.x64/7.4.1/tools/net8.0/any/Modules/Microsoft.PowerShell.PSResourceGet/_manifest/spdx_2.2/manifest.spdx.json
• CVE-2024-0056
  • System.Data.SqlClient 4.8.5
  • /usr/share/powershell/.store/powershell.linux.x64/7.4.1/powershell.linux.x64/7.4.1/tools/net8.0/any/Modules/PSReadLine/_manifest/spdx_2.2/manifest.spdx.json

The remaining Debian issues are low severity and have a mix of fix available and not at the time of writing:

• CVE-2022-0563
• CVE-2024-28085

The CVE with a fix available should be resolved the next time we rebuild our Debian images.

[lbussell]

Related: https://github.com/dotnet/sdk/issues/30659

[mrhussaini]

Any tentative date when these images will be available to download that has no vulnerabilities?

[richlander]

The May images should have a marked improvement.

[mrhussaini]

Sorry not sure If I understand. IF you do not know the tentative date, can you able to confirm this is will be available to download in beginning or mid or end of the May month?

[richlander]

I know the date. It's always patch Tuesday. We just scanned the May images. It appears that we're down to just one false positive that we'll need to fix in the following month.

Here is the latest fix: https://github.com/dotnet/roslyn/pull/73283.

[MichaelSimons]

The 8.0.205 release which will be released on patch Tuesday is down to two false positives. 8.0.300 will which will co-release with VS 17.10 will be down to one.

[mrhussaini]

Tuesday - 05/07 ? Which of the vulnerabilities, false positives that will be remediated in following month (June)?

[MichaelSimons]

Tuesday - 05/07 ?

Patch Tuesday is always the second Tuesday of the month. For May, it is the 14th.

Which of the vulnerabilities, false positives that will be remediated in following month (June)?

The last vulnerability that is fixed by https://github.com/dotnet/roslyn/pull/73283 is:

   0C     1H     0M     0L  System.Security.Cryptography.Pkcs 7.0.0
pkg:nuget/System.Security.Cryptography.Pkcs@7.0.0

    x HIGH CVE-2023-29331
https://scout.docker.com/v/CVE-2023-29331
      Affected range : >=7.0.0
                     : <=7.0.1
      Fixed version  : 7.0.2
      CVSS Score     : 7.5
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

[mrhussaini]

Thanks for the clarification. One last question please (I hope) So, all the vulnerabilities are remediated and will be available for us to download by 05/14th ?

[MichaelSimons]

So, all the vulnerabilities are remediated and will be available for us to download by 05/14th ?

No. See my earlier response at https://github.com/dotnet/dotnet-docker/issues/5325#issuecomment-2088716725

[mrhussaini]

What I understand is with this statement "8.0.300 will which will co-release with VS 17.10 will be down to one."

There will be one false positive vulnerability in 8.0.300 release. Correct? Which will be addressed in June?

[MichaelSimons]

There will be one false positive vulnerability in 8.0.300 release. Correct?

Yes

Which will be addressed in June?

That is what we are working towards.

[mrhussaini]

Thanks a lot. Once last question please. Which false positive vulnerability that will be remediated in June? CVE name?

[MichaelSimons]

Thanks a lot. Once last question please. Which false positive vulnerability that will be remediated in June? CVE name?

Please see my earlier response.

[mrhussaini]

look like this one : CVE-2023-29331

[richlander]

That is the one Michael mentioned: https://github.com/dotnet/dotnet-docker/issues/5325#issuecomment-2088727576

[MichaelSimons]

The last of the CVEs was addressed and both 6.0 and 8.0 images are currently clean of false positives (.NET CVEs).

[richlander]

New report at https://github.com/dotnet/dotnet-docker/discussions/5753. We are looking into this.

My analysis suggests that this is another false positive. These are difficult for us to prevent with our current infrastructure. We're looking at improving the infrastructure so that we have a more systematic way of preventing false positives (by ensuring all PackageRefs in our graph are updated).

[itaysk]

Hello from team Trivy :) Just chiming in to say that Trivy now allows software maintainers (you) to publish vulnerability analysis for your packages (or libraries or images) so that those vulnerabilities will be automatically suppressed for end users. You can see more info here: https://aquasecurity.github.io/trivy/latest/docs/supply-chain/vex/repo/#publishing-vex-documents https://github.com/aquasecurity/vexhub