kubernetes / git-sync

A sidecar app which clones a git repo and keeps it in sync with the upstream.
Apache License 2.0

Make sure vuln scanning works after image size reduction #779

Closed thockin closed 1 year ago

thockin commented 1 year ago
$ trivy image --ignore-unfixed gcr.io/k8s-staging-git-sync/git-sync:v4.0.0-rc3
2023-07-25T09:16:50.603-0700    INFO    Need to update DB
2023-07-25T09:16:50.603-0700    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2023-07-25T09:16:50.603-0700    INFO    Downloading DB...
38.57 MiB / 38.57 MiB [----------------------------------------------------------------------------------------------------------------------] 100.00% 20.61 MiB p/s 2.1s
2023-07-25T09:16:53.360-0700    INFO    Vulnerability scanning is enabled
2023-07-25T09:16:53.360-0700    INFO    Secret scanning is enabled
2023-07-25T09:16:53.360-0700    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-07-25T09:16:53.360-0700    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-07-25T09:16:57.527-0700    WARN    Parse error {"file": "var/lib/dpkg/status.d/base-files.md5sums", "error": "malformed MIME header: missing colon: \"ea85a9fb8526e81b3ffe5dcdf209112e  usr/lib/os-release\""}
2023-07-25T09:16:57.528-0700    WARN    Parse error {"file": "var/lib/dpkg/status.d/libc6.md5sums", "error": "malformed MIME header: missing colon: \"ea5e870dc67319c18e6e0a4d0453cebf  lib/x86_64-linux-gnu/ld-2.31.so\""}
2023-07-25T09:16:57.529-0700    WARN    Parse error {"file": "var/lib/dpkg/status.d/libssl1.1.md5sums", "error": "malformed MIME header: missing colon: \"a5b015bb8bf323ec262bafcb1e04cb84  usr/lib/x86_64-linux-gnu/engines-1.1/afalg.so\""}
2023-07-25T09:16:57.529-0700    WARN    Parse error {"file": "var/lib/dpkg/status.d/netbase.md5sums", "error": "malformed MIME header: missing colon: \"c899d832ee9a6de833fa22a41d55ce36  usr/share/doc/netbase/changelog.gz\""}
2023-07-25T09:16:57.530-0700    WARN    Parse error {"file": "var/lib/dpkg/status.d/openssl.md5sums", "error": "malformed MIME header: missing colon: \"9aad94d235c505bcdfc7b583c2ea8f59  usr/bin/c_rehash\""}
2023-07-25T09:16:57.547-0700    INFO    Detected OS: debian
2023-07-25T09:16:57.547-0700    INFO    Detecting Debian vulnerabilities...
2023-07-25T09:16:57.558-0700    INFO    Number of language-specific files: 1
2023-07-25T09:16:57.558-0700    INFO    Detecting gobinary vulnerabilities...

gcr.io/k8s-staging-git-sync/git-sync:v4.0.0-rc3 (debian 11.7)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
thockin commented 1 year ago

Example:

Trivy does not flag libcurl3-gnutls, but it should, I think:

$ docker run -ti --entrypoint "" gcr.io/k8s-staging-git-sync/git-sync:v4.0.0-rc1 cat /var/lib/dpkg/status.d/libcurl3-gnutls | head
Unable to find image 'gcr.io/k8s-staging-git-sync/git-sync:v4.0.0-rc1' locally
v4.0.0-rc1: Pulling from k8s-staging-git-sync/git-sync
Digest: sha256:7403b7e796f36d75aeb7754eedb1a68863d35aa6a6bde2b8ac2d805111d1c715
Status: Downloaded newer image for gcr.io/k8s-staging-git-sync/git-sync:v4.0.0-rc1
Package: libcurl3-gnutls
Status: install ok installed
Priority: optional
Section: libs
Installed-Size: 736
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Architecture: amd64
Multi-Arch: same
Source: curl
Version: 7.74.0-1.3+deb11u7

$ trivy image --ignore-unfixed gcr.io/k8s-staging-git-sync/git-sync:v4.0.0-rc1
2023-07-25T10:07:55.486-0700    INFO    Vulnerability scanning is enabled
2023-07-25T10:07:55.486-0700    INFO    Secret scanning is enabled
2023-07-25T10:07:55.486-0700    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-07-25T10:07:55.486-0700    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-07-25T10:07:55.494-0700    INFO    Detected OS: debian
2023-07-25T10:07:55.494-0700    INFO    Detecting Debian vulnerabilities...
2023-07-25T10:07:55.503-0700    INFO    Number of language-specific files: 1
2023-07-25T10:07:55.503-0700    INFO    Detecting gobinary vulnerabilities...

gcr.io/k8s-staging-git-sync/git-sync:v4.0.0-rc1 (debian 11.7)
=============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

I need to find an example that is known vulnerable in rc3 to test the latest build scripts.
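The parse warnings above are the useful signal: the files Trivy choked on are the `*.md5sums` checksum lists that sit next to the per-package control files in `/var/lib/dpkg/status.d/` (the layout reduced and distroless images use instead of a single `/var/lib/dpkg/status`), and each of them is one `<md5>  <path>` line per file rather than `Field: value` stanzas. A cheap regression check for the build scripts is to inventory that directory independently of the scanner and diff it against what the scanner lists. The script below is an added example, not code from git-sync or Trivy; the sample `status.d` it builds is constructed from the `libcurl3-gnutls` stanza shown above, and the md5 value in the checksum file is made up.

```python
"""Inventory a dpkg status.d directory and diff it against a scanner's package list.

Added example (not git-sync's or Trivy's code). The sample directory below is
constructed for illustration; the stanza is the one from the issue, the md5 is fake.
"""
import os
import tempfile
from typing import Dict, Set

# Constructed sample status.d contents: one control file plus its checksum list.
SAMPLE_STATUS_D = {
    "libcurl3-gnutls": (
        "Package: libcurl3-gnutls\n"
        "Status: install ok installed\n"
        "Priority: optional\n"
        "Section: libs\n"
        "Installed-Size: 736\n"
        "Maintainer: Alessandro Ghedini <ghedo@debian.org>\n"
        "Architecture: amd64\n"
        "Multi-Arch: same\n"
        "Source: curl\n"
        "Version: 7.74.0-1.3+deb11u7\n"
    ),
    # Checksum list, NOT a control file: "<md5>  <path>" per line (fake hash).
    "libcurl3-gnutls.md5sums": (
        "00000000000000000000000000000000  usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4\n"
    ),
}


def parse_control(text: str) -> Dict[str, str]:
    """Parse one dpkg control stanza ("Field: value", continuation lines indented).

    Raises ValueError on a line without a colon, which is exactly what a
    *.md5sums line looks like and why the scanner logged "missing colon".
    """
    fields: Dict[str, str] = {}
    last = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and last is not None:
            fields[last] += "\n" + line.strip()  # continuation of previous field
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed control line: {line!r}")
        last = key.strip()
        fields[last] = value.strip()
    return fields


def inventory(status_d: str) -> Dict[str, Dict[str, str]]:
    """Return {package: {"version", "source"}} for installed packages in status_d.

    Checksum files are skipped by name rather than parsed, so a directory with
    the reduced-image layout never produces a parse error here.
    """
    pkgs: Dict[str, Dict[str, str]] = {}
    for name in sorted(os.listdir(status_d)):
        if name.endswith(".md5sums"):
            continue
        with open(os.path.join(status_d, name), encoding="utf-8") as fh:
            fields = parse_control(fh.read())
        # Only "install ok installed" stanzas matter; absent Status is treated as installed.
        if "installed" not in fields.get("Status", "installed").split():
            continue
        pkg = fields["Package"]
        # "Source:" may carry a version in parentheses ("curl (7.74.0)"); keep the name.
        source = fields.get("Source", pkg).split()[0]
        pkgs[pkg] = {"version": fields.get("Version", ""), "source": source}
    return pkgs


def missing_from_scanner(inv: Dict[str, Dict[str, str]], scanner_pkgs: Set[str]) -> Set[str]:
    """Packages dpkg says are installed that the scanner did not report."""
    return set(inv) - set(scanner_pkgs)


def sample_inventory() -> Dict[str, Dict[str, str]]:
    """Write the constructed sample to a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_STATUS_D.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return inventory(tmp)


if __name__ == "__main__":
    inv = sample_inventory()
    # A scanner that parsed nothing (the situation in the issue) reports no packages,
    # so every installed package shows up as missing.
    print("missing:", sorted(missing_from_scanner(inv, set())))
```

To use it against a real image, copy `/var/lib/dpkg/status.d` out of the container (for example with `docker cp`), run `inventory()` on it, and pass the package names the scanner reports (Trivy's `--list-all-pkgs --format json` output lists them under each result's `Packages`) to `missing_from_scanner()`; a non-empty result means the scanner is not seeing the OS packages, and a non-empty result for a package such as `libcurl3-gnutls` is the failure this issue describes.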