linzhengen / tech-notes

My tech notes, written in GitHub issues🧲

[20210616] Trivy looks interesting! #112

Open linzhengen opened 3 years ago

linzhengen commented 3 years ago

GitHub

https://github.com/aquasecurity/trivy

First try

$ trivy image python:3.4-alpine
2021-06-16T16:21:39.583+0900    INFO    Need to update DB
2021-06-16T16:21:39.584+0900    INFO    Downloading DB...
22.09 MiB / 22.09 MiB [------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1.16 MiB p/s 19s
2021-06-16T16:22:24.093+0900    INFO    Detected OS: alpine
2021-06-16T16:22:24.093+0900    INFO    Detecting Alpine vulnerabilities...
2021-06-16T16:22:24.097+0900    INFO    Number of PL dependency files: 0
2021-06-16T16:22:24.097+0900    WARN    This OS version is no longer supported by the distribution: alpine 3.9.2
2021-06-16T16:22:24.097+0900    WARN    The vulnerability detection may be insufficient because security updates are not provided

python:3.4-alpine (alpine 3.9.2)
================================
Total: 37 (UNKNOWN: 0, LOW: 4, MEDIUM: 16, HIGH: 13, CRITICAL: 4)

+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| expat        | CVE-2018-20843   | HIGH     | 2.2.6-r0          | 2.2.7-r0      | expat: large number of                |
|              |                  |          |                   |               | colons in input makes parser          |
|              |                  |          |                   |               | consume high amount...                |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-20843 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2019-15903   |          |                   | 2.2.7-r1      | expat: heap-based buffer              |
|              |                  |          |                   |               | over-read via crafted XML input       |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-15903 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libbz2       | CVE-2019-12900   | CRITICAL | 1.0.6-r6          | 1.0.6-r7      | bzip2: out-of-bounds write            |
|              |                  |          |                   |               | in function BZ2_decompress            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-12900 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2019-1543    | HIGH     | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305            |
|              |                  |          |                   |               | with long nonces                      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1543  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2020-1967    |          |                   | 1.1.1g-r0     | openssl: Segmentation                 |
|              |                  |          |                   |               | fault in SSL_check_chain              |
|              |                  |          |                   |               | causes denial of service              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1967  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-23840   |          |                   | 1.1.1j-r0     | openssl: integer                      |
|              |                  |          |                   |               | overflow in CipherUpdate              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3450    |          |                   | 1.1.1k-r0     | openssl: CA certificate check         |
|              |                  |          |                   |               | bypass with X509_V_FLAG_X509_STRICT   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3450  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2019-1547    | MEDIUM   |                   | 1.1.1d-r0     | openssl: side-channel weak            |
|              |                  |          |                   |               | encryption vulnerability              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1547  |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2019-1549    |          |                   |               | openssl: information                  |
|              |                  |          |                   |               | disclosure in fork()                  |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1549  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2019-1551    |          |                   | 1.1.1d-r2     | openssl: Integer overflow in RSAZ     |
|              |                  |          |                   |               | modular exponentiation on x86_64      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1551  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2020-1971    |          |                   | 1.1.1i-r0     | openssl: EDIPARTYNAME                 |
|              |                  |          |                   |               | NULL pointer de-reference             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1971  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-23841   |          |                   | 1.1.1j-r0     | openssl: NULL pointer dereference     |
|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3449    |          |                   | 1.1.1k-r0     | openssl: NULL pointer dereference     |
|              |                  |          |                   |               | in signature_algorithms processing    |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3449  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2019-1563    | LOW      |                   | 1.1.1d-r0     | openssl: information                  |
|              |                  |          |                   |               | disclosure in PKCS7_dataDecode        |
|              |                  |          |                   |               | and CMS_decrypt_set1_pkey             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1563  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-23839   |          |                   | 1.1.1j-r0     | openssl: incorrect SSLv2              |
|              |                  |          |                   |               | rollback protection                   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
+--------------+------------------+----------+                   +---------------+---------------------------------------+
| libssl1.1    | CVE-2019-1543    | HIGH     |                   | 1.1.1b-r1     | openssl: ChaCha20-Poly1305            |
|              |                  |          |                   |               | with long nonces                      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1543  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2020-1967    |          |                   | 1.1.1g-r0     | openssl: Segmentation                 |
|              |                  |          |                   |               | fault in SSL_check_chain              |
|              |                  |          |                   |               | causes denial of service              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1967  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-23840   |          |                   | 1.1.1j-r0     | openssl: integer                      |
|              |                  |          |                   |               | overflow in CipherUpdate              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3450    |          |                   | 1.1.1k-r0     | openssl: CA certificate check         |
|              |                  |          |                   |               | bypass with X509_V_FLAG_X509_STRICT   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3450  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2019-1547    | MEDIUM   |                   | 1.1.1d-r0     | openssl: side-channel weak            |
|              |                  |          |                   |               | encryption vulnerability              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1547  |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2019-1549    |          |                   |               | openssl: information                  |
|              |                  |          |                   |               | disclosure in fork()                  |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1549  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2019-1551    |          |                   | 1.1.1d-r2     | openssl: Integer overflow in RSAZ     |
|              |                  |          |                   |               | modular exponentiation on x86_64      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1551  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2020-1971    |          |                   | 1.1.1i-r0     | openssl: EDIPARTYNAME                 |
|              |                  |          |                   |               | NULL pointer de-reference             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1971  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-23841   |          |                   | 1.1.1j-r0     | openssl: NULL pointer dereference     |
|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3449    |          |                   | 1.1.1k-r0     | openssl: NULL pointer dereference     |
|              |                  |          |                   |               | in signature_algorithms processing    |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3449  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2019-1563    | LOW      |                   | 1.1.1d-r0     | openssl: information                  |
|              |                  |          |                   |               | disclosure in PKCS7_dataDecode        |
|              |                  |          |                   |               | and CMS_decrypt_set1_pkey             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1563  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-23839   |          |                   | 1.1.1j-r0     | openssl: incorrect SSLv2              |
|              |                  |          |                   |               | rollback protection                   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| musl         | CVE-2019-14697   | CRITICAL | 1.1.20-r4         | 1.1.20-r5     | musl libc through 1.1.23 has          |
|              |                  |          |                   |               | an x87 floating-point stack           |
|              |                  |          |                   |               | adjustment imbalance, related...      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-14697 |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2020-28928   | MEDIUM   |                   | 1.1.20-r6     | In musl libc through 1.2.1,           |
|              |                  |          |                   |               | wcsnrtombs mishandles particular      |
|              |                  |          |                   |               | combinations of destination buffer... |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28928 |
+--------------+------------------+----------+                   +---------------+---------------------------------------+
| musl-utils   | CVE-2019-14697   | CRITICAL |                   | 1.1.20-r5     | musl libc through 1.1.23 has          |
|              |                  |          |                   |               | an x87 floating-point stack           |
|              |                  |          |                   |               | adjustment imbalance, related...      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-14697 |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2020-28928   | MEDIUM   |                   | 1.1.20-r6     | In musl libc through 1.2.1,           |
|              |                  |          |                   |               | wcsnrtombs mishandles particular      |
|              |                  |          |                   |               | combinations of destination buffer... |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28928 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| sqlite-libs  | CVE-2019-8457    | CRITICAL | 3.26.0-r3         | 3.28.0-r0     | sqlite: heap out-of-bound             |
|              |                  |          |                   |               | read in function rtreenode()          |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-8457  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2019-19244   | HIGH     |                   | 3.28.0-r2     | sqlite: allows a crash                |
|              |                  |          |                   |               | if a sub-select uses both             |
|              |                  |          |                   |               | DISTINCT and window...                |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-19244 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2019-5018    |          |                   | 3.28.0-r0     | sqlite: Use-after-free in             |
|              |                  |          |                   |               | window function leading               |
|              |                  |          |                   |               | to remote code execution              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-5018  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2020-11655   |          |                   | 3.28.0-r3     | sqlite: malformed window-function     |
|              |                  |          |                   |               | query leads to DoS                    |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-11655 |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2019-16168   | MEDIUM   |                   | 3.28.0-r1     | sqlite: Division by zero in           |
|              |                  |          |                   |               | whereLoopAddBtreeIndex in sqlite3.c   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-16168 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2019-19242   |          |                   | 3.28.0-r2     | sqlite: SQL injection in              |
|              |                  |          |                   |               | sqlite3ExprCodeTarget in expr.c       |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-19242 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
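Added example, not code from the note or from the Trivy project: a small Python parser for the human-readable table above. It rebuilds the per-severity counts, picks out the findings a build should fail on, and carries the `WARN` about the unsupported Alpine release into the verdict, because a scan of an end-of-life base OS only reports what the distribution still tracks and is therefore a lower bound. The sample report is a constructed excerpt of the output pasted above; the gate policy (block on CRITICAL/HIGH findings that have a fixed version, and on an EOL base image) is an assumption, not a Trivy default.

```python
"""Parse Trivy's default table output and apply a CI-style gate to it.
Added example, not Trivy's own code: the sample report is a constructed
excerpt of the scan pasted above, and the gate policy is an assumption."""
from collections import Counter
from dataclasses import dataclass

EOL_MARKER = "no longer supported by the distribution"

@dataclass
class Finding:
    library: str
    vuln_id: str
    severity: str
    installed: str
    fixed: str            # "" when Trivy prints no fixed version
    title: str = ""
    url: str = ""

def parse_trivy_table(text):
    """Turn the ASCII table into Finding records. Trivy merges a cell that repeats
    the row above (library, severity, installed, sometimes fixed): the cell is blank
    and the separator line above it shows spaces, not dashes, so we read that line."""
    findings, merged = [], [False] * 6
    for line in text.splitlines():
        if line.startswith("+"):                      # separator line
            segs = line.strip().strip("+").split("+")
            merged = [seg.strip() == "" for seg in segs]
            continue
        if not line.startswith("|"):
            continue                                  # log lines, summary, blanks
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 6 or cells[0] == "LIBRARY":
            continue                                  # header row
        library, vuln_id, severity, installed, fixed, title = cells
        if vuln_id:                                   # first line of a finding
            if findings:
                prev = findings[-1]
                library = library or (prev.library if merged[0] else "")
                severity = severity or (prev.severity if merged[2] else "")
                installed = installed or (prev.installed if merged[3] else "")
                fixed = fixed or (prev.fixed if merged[4] else "")
            findings.append(Finding(library, vuln_id, severity, installed, fixed, title))
        elif findings:                                # continuation of the TITLE column
            if title.startswith("-->"):
                findings[-1].url = title[3:]
            else:
                findings[-1].title += " " + title
    return findings

def os_is_end_of_life(text):
    """True when Trivy warned that the base OS gets no more security updates."""
    return any("WARN" in ln and EOL_MARKER in ln for ln in text.splitlines())

def blocking_findings(findings, fail_on=("CRITICAL", "HIGH"), require_fix=True):
    """Findings that should fail the build: severe enough and, by default, fixable."""
    return [f for f in findings
            if f.severity in fail_on and (f.fixed or not require_fix)]

def evaluate(text):
    """Verdict for one report: per-severity counts, blockers and the EOL flag."""
    findings = parse_trivy_table(text)
    blocking = blocking_findings(findings)
    eol = os_is_end_of_life(text)
    return {"findings": findings, "counts": Counter(f.severity for f in findings),
            "blocking": blocking, "eol": eol, "passed": not blocking and not eol}

# Constructed excerpt of the note's own output (five rows, merged cells kept).
SAMPLE_REPORT = """\
2021-06-16T16:22:24.097+0900    WARN    This OS version is no longer supported by the distribution: alpine 3.9.2
2021-06-16T16:22:24.097+0900    WARN    The vulnerability detection may be insufficient because security updates are not provided
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 1)

+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| expat        | CVE-2018-20843   | HIGH     | 2.2.6-r0          | 2.2.7-r0      | expat: large number of                |
|              |                  |          |                   |               | colons in input makes parser          |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-20843 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2019-15903   |          |                   | 2.2.7-r1      | expat: heap-based buffer              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-15903 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2019-1547    | MEDIUM   | 1.1.1a-r1         | 1.1.1d-r0     | openssl: side-channel weak            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1547  |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2019-1549    |          |                   |               | openssl: information                  |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1549  |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| musl         | CVE-2019-14697   | CRITICAL | 1.1.20-r4         | 1.1.20-r5     | musl libc through 1.1.23 has          |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-14697 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
"""

if __name__ == "__main__":
    verdict = evaluate(SAMPLE_REPORT)
    print(dict(verdict["counts"]), "EOL base image:", verdict["eol"], "passed:", verdict["passed"])
    for f in verdict["blocking"]:
        print(f"BLOCK {f.severity:8} {f.library} {f.vuln_id} -> upgrade to {f.fixed}")
```

Scraping the table is only worth it for reports that already exist as pasted text, like the one in this note; in a pipeline, Trivy's own `--severity CRITICAL,HIGH --exit-code 1 --ignore-unfixed` flags give the same gate without parsing, and `--format json` gives structured output for anything more elaborate. The EOL check is the part worth keeping either way: on this image the 37 findings are what the Alpine 3.9 security tracker still knew about, not everything present.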