interlynk-io / sbomqs

SBOM quality score - Quality metrics for your sboms
Apache License 2.0

Vulnerability found On scanning sbomqs image: v0.1.7 #298

Open viveksahu26 opened 1 month ago

viveksahu26 commented 1 month ago

Description

Image scanning

I ran Trivy to scan the ghcr.io/interlynk-io/sbomqs:v0.1.7 image and found multiple vulnerabilities. Below are the details of the scan:

$  trivy image ghcr.io/interlynk-io/sbomqs:v0.1.7

2024-07-22T22:14:55+05:30   INFO    Vulnerability scanning is enabled
2024-07-22T22:14:55+05:30   INFO    Secret scanning is enabled
2024-07-22T22:14:55+05:30   INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-22T22:14:55+05:30   INFO    Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-22T22:15:00+05:30   INFO    Number of language-specific files   num=1
2024-07-22T22:15:00+05:30   INFO    [gobinary] Detecting vulnerabilities...
2024-07-22T22:15:00+05:30   WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.53/docs/scanner/vulnerability#severity-selection for details.

app/sbomqs (gobinary)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.22.2            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for   │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                   │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24788 │ HIGH     │        │                   │ 1.22.3          │ golang: net: malformed DNS message can cause infinite loop   │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24788                   │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24789 │ MEDIUM   │        │                   │ 1.21.11, 1.22.4 │ golang: archive/zip: Incorrect handling of certain ZIP files │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24789                   │
│         ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24791 │          │        │                   │ 1.21.12, 1.22.5 │ net/http: Denial of service due to improper 100-continue     │
│         │                │          │        │                   │                 │ handling in net/http                                         │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24791                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

Repository scanning

Whereas repository scanning didn't find any such vulnerabilities.

$ trivy repository https://github.com/interlynk-io/sbomqs   

2024-07-22T22:21:27+05:30   INFO    Vulnerability scanning is enabled
2024-07-22T22:21:27+05:30   INFO    Secret scanning is enabled
2024-07-22T22:21:27+05:30   INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-22T22:21:27+05:30   INFO    Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
Enumerating objects: 743, done.
Counting objects: 100% (743/743), done.
Compressing objects: 100% (442/442), done.
Total 743 (delta 489), reused 480 (delta 283), pack-reused 0
2024-07-22T22:21:30+05:30   INFO    Number of language-specific files   num=1
2024-07-22T22:21:30+05:30   INFO    [gomod] Detecting vulnerabilities...

Solution

We should patch up these vulnerabilities.
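The four findings above are all Go standard-library CVEs, so they follow the toolchain version baked into app/sbomqs (1.22.2), which is why the image scan flags them while the go.mod-based repository scan does not. Here is an added Go example, not part of this issue or of the sbomqs code base, that reads the toolchain version Go embeds in a binary and checks it against the fixed versions from the Trivy table; the fixedVersions map and the cut-off rule for other release lines are my assumptions derived from that table.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Highest fixed version per release line from the Trivy table above
// (1.21.12 and 1.22.5 cover all four CVEs). Assumption: any later line
// already contains the fixes; any earlier line (1.20 and below) does not.
var fixedVersions = map[string]string{
	"1.21": "go1.21.12",
	"1.22": "go1.22.5",
}

// parseGoVersion turns "go1.22.2" into [1 22 2]; ok is false for
// anything it cannot parse, such as "devel" toolchain strings.
func parseGoVersion(v string) (out [3]int, ok bool) {
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// ToolchainIsPatched reports whether the given Go toolchain version is at
// or above the fixed version for its release line.
func ToolchainIsPatched(goVersion string) (bool, error) {
	have, ok := parseGoVersion(goVersion)
	if !ok {
		return false, fmt.Errorf("unparseable Go version %q", goVersion)
	}
	fixed, known := fixedVersions[fmt.Sprintf("%d.%d", have[0], have[1])]
	if !known {
		return have[0] > 1 || have[1] > 22, nil // newer line: fixed; older: not
	}
	want, _ := parseGoVersion(fixed)
	return have[2] >= want[2], nil
}

func main() {
	for _, path := range os.Args[1:] { // e.g. a rebuilt app/sbomqs binary
		bi, err := buildinfo.ReadFile(path)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		patched, err := ToolchainIsPatched(bi.GoVersion)
		fmt.Printf("%s built with %s: patched=%v err=%v\n", path, bi.GoVersion, patched, err)
	}
}
```

Run it against the binary extracted from a rebuilt image to confirm the toolchain bump before cutting a release.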