mondoohq / cnspec

An open source, cloud-native security to protect everything from build to runtime
https://cnspec.io

cnspec reports removed packages as having CVEs #537

Open tas50 opened 1 year ago

tas50 commented 1 year ago

Describe the bug
When you remove, but don't purge, a package on Debian/Ubuntu, cnspec still scans it as an installed package and reports CVEs in the package.

To Reproduce
Steps to reproduce the behavior:

  1. apt-get install foo; apt-get remove foo
  2. Wait for some CVEs to show up in foo
  3. cnspec scan
  4. Note you're seeing CVEs for foo even though it's not installed

Expected behavior
A removed package should not show as having CVEs. All that's left when it's not purged is some config files.

Screenshots or CLI Output

Vulnerabilities:
  ■  SCORE  PACKAGE                          INSTALLED      FIXED               AVAILABLE
  ■  8.6    grub-efi                         2.02+dfsg1-20  2.06-3~deb11u4      2.06-3~deb11u5
  ■  8.6    grub-efi-amd64                   2.02+dfsg1-20  2.06-3~deb11u4      2.06-3~deb11u5
  ■  7.8    libnginx-mod-http-auth-pam       1.18.0-6.1     1.18.0-6.1+deb11u3  1.18.0-6.1+deb11u3
  ■  7.8    libnginx-mod-http-dav-ext        1.18.0-6.1     1.18.0-6.1+deb11u3  1.18.0-6.1+deb11u3
  ■  7.8    libnginx-mod-http-echo           1.18.0-6.1     1.18.0-6.1+deb11u3  1.18.0-6.1+deb11u3
  ■  7.8    libnginx-mod-http-geoip2         1.18.0-6.1     1.18.0-6.1+deb11u3  1.18.0-6.1+deb11u3
  ■  7.8    libnginx-mod-http-subs-filter    1.18.0-6.1     1.18.0-6.1+deb11u3  1.18.0-6.1+deb11u3
  ■  7.8    libnginx-mod-http-upstream-fair  1.18.0-6.1     1.18.0-6.1+deb11u3  1.18.0-6.1+deb11u3
  ■  7.8    libnginx-mod-stream-geoip2       1.18.0-6.1     1.18.0-6.1+deb11u3  1.18.0-6.1+deb11u3

Overall CVSS score: 8.6
root@timnas:/etc# dpkg -l | grep grub
ii  grub-common                          2.06-3~deb11u5                  amd64        GRand Unified Bootloader (common files)
rc  grub-efi                             2.02+dfsg1-20                   amd64        GRand Unified Bootloader, version 2 (dummy package)
rc  grub-efi-amd64                       2.02+dfsg1-20                   amd64        GRand Unified Bootloader, version 2 (EFI-AMD64 version)
ii  grub-efi-amd64-bin                   2.06-3~deb11u5                  amd64        GRand Unified Bootloader, version 2 (EFI-AMD64 modules)
ii  grub-efi-amd64-signed                1+2.06+3~deb11u5                amd64        GRand Unified Bootloader, version 2 (amd64 UEFI signed by Debian)
ii  grub-pc                              2.06-3~deb11u5                  amd64        GRand Unified Bootloader, version 2 (PC/BIOS version)
ii  grub-pc-bin                          2.06-3~deb11u5                  amd64        GRand Unified Bootloader, version 2 (PC/BIOS modules)
ii  grub2-common                         2.06-3~deb11u5                  amd64        GRand Unified Bootloader (common files for version 2)
root@timnas:/etc# dpkg -l | grep libnginx
rc  libnginx-mod-http-auth-pam           1.18.0-6.1                      amd64        PAM authentication module for Nginx
rc  libnginx-mod-http-dav-ext            1.18.0-6.1                      amd64        WebDAV missing commands support for Nginx
rc  libnginx-mod-http-echo               1.18.0-6.1                      amd64        Bring echo and more shell style goodies to Nginx
ii  libnginx-mod-http-geoip              1.18.0-6.1+deb11u3              amd64        GeoIP HTTP module for Nginx
rc  libnginx-mod-http-geoip2             1.18.0-6.1                      amd64        GeoIP2 HTTP module for Nginx
ii  libnginx-mod-http-image-filter       1.18.0-6.1+deb11u3              amd64        HTTP image filter module for Nginx
rc  libnginx-mod-http-subs-filter        1.18.0-6.1                      amd64        Substitution filter module for Nginx
rc  libnginx-mod-http-upstream-fair      1.18.0-6.1                      amd64        Nginx Upstream Fair Proxy Load Balancer
ii  libnginx-mod-http-xslt-filter        1.18.0-6.1+deb11u3              amd64        XSLT Transformation module for Nginx
ii  libnginx-mod-mail                    1.18.0-6.1+deb11u3              amd64        Mail module for Nginx
ii  libnginx-mod-stream                  1.18.0-6.1+deb11u3              amd64        Stream module for Nginx
ii  libnginx-mod-stream-geoip            1.18.0-6.1+deb11u3              amd64        GeoIP Stream module for Nginx
rc  libnginx-mod-stream-geoip2           1.18.0-6.1                      amd64        GeoIP2 Stream module for Nginx

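The distinction this report turns on is visible in dpkg's own state: the `ii`/`rc` columns of `dpkg -l` come from the `Status:` field in `/var/lib/dpkg/status`, whose third word is `installed` only when the package's files are on disk. The following is an added example, not cnspec code: a Go parser for that file run over a constructed fragment mirroring two of the grub entries above; `DpkgPackage`, `ParseDpkgStatus` and `Installed` are hypothetical names.

```go
package main

import "fmt"
import "strings"

// DpkgPackage is one stanza of /var/lib/dpkg/status; State is the third word of "Status:".
type DpkgPackage struct {
	Name, Version, State string
}
// Installed: only state "installed" (ii) has files on disk; "config-files" (rc) keeps conffiles only.
func (p DpkgPackage) Installed() bool { return p.State == "installed" }
// ParseDpkgStatus splits blank-line separated stanzas; a malformed Status line is an error, not a guess.
func ParseDpkgStatus(text string) (pkgs []DpkgPackage, err error) {
	for _, stanza := range strings.Split(text, "\n\n") {
		var p DpkgPackage
		for _, line := range strings.Split(stanza, "\n") {
			kv := strings.SplitN(line, ":", 2)
			if len(kv) != 2 || strings.HasPrefix(line, " ") { // not a field, or a continuation line
				continue
			}
			val := strings.TrimSpace(kv[1])
			switch kv[0] {
			case "Package":
				p.Name = val
			case "Version":
				p.Version = val
			case "Status": // "<want> <flag> <state>", e.g. "deinstall ok config-files"
				f := strings.Fields(val)
				if len(f) != 3 {
					return nil, fmt.Errorf("package %q: malformed Status %q", p.Name, val)
				}
				p.State = f[2]
			}
		}
		if p.Name != "" { // skip empty stanzas, e.g. from trailing blank lines
			pkgs = append(pkgs, p)
		}
	}
	return pkgs, nil
}

// Constructed sample mirroring two of the grub entries from the dpkg -l output above.
const sampleStatus = `Package: grub-common
Status: install ok installed
Version: 2.06-3~deb11u5

Package: grub-efi
Status: deinstall ok config-files
Version: 2.02+dfsg1-20
 Note: a continuation line starts with a space and is not a field`
```

A scanner that filters on `Installed()` before matching advisories would list grub-common and skip the `rc` grub-efi entry.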

chris-rock commented 1 year ago

This needs more discussion. I think this is correct behavior to show that

atomic111 commented 1 year ago

@tas50 I think the behavior is correct because the package file is still on the system, and this means the vulnerability is still on the system