Open linzhengen opened 3 years ago
https://github.com/aquasecurity/trivy
```
$ trivy image python:3.4-alpine
2021-06-16T16:21:39.583+0900    INFO    Need to update DB
2021-06-16T16:21:39.584+0900    INFO    Downloading DB...
22.09 MiB / 22.09 MiB [------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1.16 MiB p/s 19s
2021-06-16T16:22:24.093+0900    INFO    Detected OS: alpine
2021-06-16T16:22:24.093+0900    INFO    Detecting Alpine vulnerabilities...
2021-06-16T16:22:24.097+0900    INFO    Number of PL dependency files: 0
2021-06-16T16:22:24.097+0900    WARN    This OS version is no longer supported by the distribution: alpine 3.9.2
2021-06-16T16:22:24.097+0900    WARN    The vulnerability detection may be insufficient because security updates are not provided

python:3.4-alpine (alpine 3.9.2)
================================
Total: 37 (UNKNOWN: 0, LOW: 4, MEDIUM: 16, HIGH: 13, CRITICAL: 4)

+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| expat        | CVE-2018-20843   | HIGH     | 2.2.6-r0          | 2.2.7-r0      | expat: large number of                |
|              |                  |          |                   |               | colons in input makes parser          |
|              |                  |          |                   |               | consume high amount...                |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-20843 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2019-15903   |          |                   | 2.2.7-r1      | expat: heap-based buffer              |
|              |                  |          |                   |               | over-read via crafted XML input       |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-15903 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libbz2       | CVE-2019-12900   | CRITICAL | 1.0.6-r6          | 1.0.6-r7      | bzip2: out-of-bounds write            |
|              |                  |          |                   |               | in function BZ2_decompress            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-12900 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2019-1543    | HIGH     | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305            |
|              |                  |          |                   |               | with long nonces                      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1543  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2020-1967    |          |                   | 1.1.1g-r0     | openssl: Segmentation                 |
|              |                  |          |                   |               | fault in SSL_check_chain              |
|              |                  |          |                   |               | causes denial of service              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1967  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-23840   |          |                   | 1.1.1j-r0     | openssl: integer                      |
|              |                  |          |                   |               | overflow in CipherUpdate              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3450    |          |                   | 1.1.1k-r0     | openssl: CA certificate check         |
|              |                  |          |                   |               | bypass with X509_V_FLAG_X509_STRICT   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3450  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2019-1547    | MEDIUM   |                   | 1.1.1d-r0     | openssl: side-channel weak            |
|              |                  |          |                   |               | encryption vulnerability              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1547  |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2019-1549    |          |                   |               | openssl: information                  |
|              |                  |          |                   |               | disclosure in fork()                  |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1549  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2019-1551    |          |                   | 1.1.1d-r2     | openssl: Integer overflow in RSAZ     |
|              |                  |          |                   |               | modular exponentiation on x86_64      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1551  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2020-1971    |          |                   | 1.1.1i-r0     | openssl: EDIPARTYNAME                 |
|              |                  |          |                   |               | NULL pointer de-reference             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1971  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-23841   |          |                   | 1.1.1j-r0     | openssl: NULL pointer dereference     |
|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3449    |          |                   | 1.1.1k-r0     | openssl: NULL pointer dereference     |
|              |                  |          |                   |               | in signature_algorithms processing    |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3449  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2019-1563    | LOW      |                   | 1.1.1d-r0     | openssl: information                  |
|              |                  |          |                   |               | disclosure in PKCS7_dataDecode        |
|              |                  |          |                   |               | and CMS_decrypt_set1_pkey             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1563  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-23839   |          |                   | 1.1.1j-r0     | openssl: incorrect SSLv2              |
|              |                  |          |                   |               | rollback protection                   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
+--------------+------------------+----------+                   +---------------+---------------------------------------+
| libssl1.1    | CVE-2019-1543    | HIGH     |                   | 1.1.1b-r1     | openssl: ChaCha20-Poly1305            |
|              |                  |          |                   |               | with long nonces                      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1543  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2020-1967    |          |                   | 1.1.1g-r0     | openssl: Segmentation                 |
|              |                  |          |                   |               | fault in SSL_check_chain              |
|              |                  |          |                   |               | causes denial of service              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1967  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-23840   |          |                   | 1.1.1j-r0     | openssl: integer                      |
|              |                  |          |                   |               | overflow in CipherUpdate              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3450    |          |                   | 1.1.1k-r0     | openssl: CA certificate check         |
|              |                  |          |                   |               | bypass with X509_V_FLAG_X509_STRICT   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3450  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2019-1547    | MEDIUM   |                   | 1.1.1d-r0     | openssl: side-channel weak            |
|              |                  |          |                   |               | encryption vulnerability              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1547  |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2019-1549    |          |                   |               | openssl: information                  |
|              |                  |          |                   |               | disclosure in fork()                  |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1549  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2019-1551    |          |                   | 1.1.1d-r2     | openssl: Integer overflow in RSAZ     |
|              |                  |          |                   |               | modular exponentiation on x86_64      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1551  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2020-1971    |          |                   | 1.1.1i-r0     | openssl: EDIPARTYNAME                 |
|              |                  |          |                   |               | NULL pointer de-reference             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1971  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-23841   |          |                   | 1.1.1j-r0     | openssl: NULL pointer dereference     |
|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3449    |          |                   | 1.1.1k-r0     | openssl: NULL pointer dereference     |
|              |                  |          |                   |               | in signature_algorithms processing    |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3449  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2019-1563    | LOW      |                   | 1.1.1d-r0     | openssl: information                  |
|              |                  |          |                   |               | disclosure in PKCS7_dataDecode        |
|              |                  |          |                   |               | and CMS_decrypt_set1_pkey             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1563  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-23839   |          |                   | 1.1.1j-r0     | openssl: incorrect SSLv2              |
|              |                  |          |                   |               | rollback protection                   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| musl         | CVE-2019-14697   | CRITICAL | 1.1.20-r4         | 1.1.20-r5     | musl libc through 1.1.23 has          |
|              |                  |          |                   |               | an x87 floating-point stack           |
|              |                  |          |                   |               | adjustment imbalance, related...      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-14697 |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2020-28928   | MEDIUM   |                   | 1.1.20-r6     | In musl libc through 1.2.1,           |
|              |                  |          |                   |               | wcsnrtombs mishandles particular      |
|              |                  |          |                   |               | combinations of destination buffer... |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28928 |
+--------------+------------------+----------+                   +---------------+---------------------------------------+
| musl-utils   | CVE-2019-14697   | CRITICAL |                   | 1.1.20-r5     | musl libc through 1.1.23 has          |
|              |                  |          |                   |               | an x87 floating-point stack           |
|              |                  |          |                   |               | adjustment imbalance, related...      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-14697 |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2020-28928   | MEDIUM   |                   | 1.1.20-r6     | In musl libc through 1.2.1,           |
|              |                  |          |                   |               | wcsnrtombs mishandles particular      |
|              |                  |          |                   |               | combinations of destination buffer... |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28928 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| sqlite-libs  | CVE-2019-8457    | CRITICAL | 3.26.0-r3         | 3.28.0-r0     | sqlite: heap out-of-bound             |
|              |                  |          |                   |               | read in function rtreenode()          |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-8457  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2019-19244   | HIGH     |                   | 3.28.0-r2     | sqlite: allows a crash                |
|              |                  |          |                   |               | if a sub-select uses both             |
|              |                  |          |                   |               | DISTINCT and window...                |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-19244 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2019-5018    |          |                   | 3.28.0-r0     | sqlite: Use-after-free in             |
|              |                  |          |                   |               | window function leading               |
|              |                  |          |                   |               | to remote code execution              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-5018  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2020-11655   |          |                   | 3.28.0-r3     | sqlite: malformed window-function     |
|              |                  |          |                   |               | query leads to DoS                    |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-11655 |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2019-16168   | MEDIUM   |                   | 3.28.0-r1     | sqlite: Division by zero in           |
|              |                  |          |                   |               | whereLoopAddBtreeIndex in sqlite3.c   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-16168 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2019-19242   |          |                   | 3.28.0-r2     | sqlite: SQL injection in              |
|              |                  |          |                   |               | sqlite3ExprCodeTarget in expr.c       |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-19242 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
```
First time trying it.