Closed thockin closed 1 year ago
Example:
Trivy does not flag libcurl3-gnutls, but it should, I think:
$ docker run -ti --entrypoint "" gcr.io/k8s-staging-git-sync/git-sync:v4.0.0-rc1 cat /var/lib/dpkg/status.d/libcurl3-gnutls | head
Unable to find image 'gcr.io/k8s-staging-git-sync/git-sync:v4.0.0-rc1' locally
v4.0.0-rc1: Pulling from k8s-staging-git-sync/git-sync
Digest: sha256:7403b7e796f36d75aeb7754eedb1a68863d35aa6a6bde2b8ac2d805111d1c715
Status: Downloaded newer image for gcr.io/k8s-staging-git-sync/git-sync:v4.0.0-rc1
Package: libcurl3-gnutls
Status: install ok installed
Priority: optional
Section: libs
Installed-Size: 736
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Architecture: amd64
Multi-Arch: same
Source: curl
Version: 7.74.0-1.3+deb11u7
$ trivy image --ignore-unfixed gcr.io/k8s-staging-git-sync/git-sync:v4.0.0-rc1
2023-07-25T10:07:55.486-0700 INFO Vulnerability scanning is enabled
2023-07-25T10:07:55.486-0700 INFO Secret scanning is enabled
2023-07-25T10:07:55.486-0700 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-07-25T10:07:55.486-0700 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-07-25T10:07:55.494-0700 INFO Detected OS: debian
2023-07-25T10:07:55.494-0700 INFO Detecting Debian vulnerabilities...
2023-07-25T10:07:55.503-0700 INFO Number of language-specific files: 1
2023-07-25T10:07:55.503-0700 INFO Detecting gobinary vulnerabilities...
gcr.io/k8s-staging-git-sync/git-sync:v4.0.0-rc1 (debian 11.7)
=============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
I need to find an example that is known vulnerable in rc3 to test the latest build scripts.
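To check a scanner's verdict by hand on a distroless image, the two pieces needed are a parser for the single-stanza files under /var/lib/dpkg/status.d/ (the format shown in the `cat` output above) and a Debian version comparison matched against the Source package rather than the binary package name, since Debian advisories are published per source package. The following is an added example, not code from the issue or from Trivy: the stanza is the one from the issue trimmed to its essential fields, and the advisory IDs and fixed versions are constructed placeholders, not real advisories.

```python
import re

# Constructed input: the libcurl3-gnutls stanza from the issue, as distroless stores it in
# /var/lib/dpkg/status.d/libcurl3-gnutls (one file per package, fields trimmed for brevity).
STATUS_FILE = "Package: libcurl3-gnutls\nStatus: install ok installed\nSource: curl\nVersion: 7.74.0-1.3+deb11u7\n"
# Constructed advisories with placeholder IDs (not real ones). Debian advisories are keyed on
# the *source* package, so the Source field (curl), not the binary name, is what gets matched.
ADVISORIES = [("EXAMPLE-0001", "curl", "7.74.0-1.3+deb11u5"), ("EXAMPLE-0002", "curl", "7.74.0-1.3+deb11u8")]

def parse_status_stanza(text):
    """One status.d file holds one control stanza; keep the simple 'Key: value' lines, skip continuations."""
    return dict(line.split(": ", 1) for line in text.splitlines() if ": " in line and not line[0].isspace())

def _order(c):
    """dpkg character weight: '~' sorts before everything (even end of string), digits count as 0."""
    return -1 if c == "~" else 0 if not c or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """dpkg's comparison of one version part: alternate non-digit runs (by weight) and numeric runs."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            if _order(a[:1]) != _order(b[:1]):
                return _order(a[:1]) - _order(b[:1])
            a, b = a[1:], b[1:]
        da, db = re.match(r"\d*", a.lstrip("0")).group(), re.match(r"\d*", b.lstrip("0")).group()
        a, b = a.lstrip("0")[len(da):], b.lstrip("0")[len(db):]
        if da != db:  # leading zeros already stripped, so the longer (then lexicographically larger) run wins
            return 1 if (len(da), da) > (len(db), db) else -1
    return 0

def compare_debian_versions(v1, v2):
    """Return -1, 0 or 1 with `dpkg --compare-versions` semantics: epoch, then upstream, then revision."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

def unfixed_advisories(pkg, advisories):
    """Advisory IDs whose fixed version is newer than the installed one, matched on the source package."""
    source = pkg.get("Source", pkg["Package"]).split()[0]  # a Source field may read "curl (7.74.0-1)"
    return [adv_id for adv_id, adv_source, fixed in advisories
            if adv_source == source and compare_debian_versions(pkg["Version"], fixed) < 0]
```

Running `unfixed_advisories(parse_status_stanza(STATUS_FILE), ADVISORIES)` reports only the placeholder advisory whose fixed version is newer than 7.74.0-1.3+deb11u7, which is the comparison a scanner has to get right before it can flag or clear the package.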