Open rswiz opened 1 year ago
@mrlt8 mediamtx version 1.2.0+ fixes the high vulnerability; the rest are actually not an issue, since they pertain to the build container image that is used, Python and the OS itself. These are usually resolved when the container image is updated or rebuilt.
@rswiz in the future, adding this flag to trivy would provide a cleaner, more focused result: --vuln-type library
when running it against a pre-built container. For example: docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/caches:/root/.cache/ aquasec/trivy:latest image --vuln-type library mrlt8/wyze-bridge
Here is the output for reference:
┌────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│    Library     │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ pip (METADATA) │ CVE-2023-5752 │ MEDIUM   │ fixed  │ 23.2.1            │ 23.3          │ When installing a package from a Mercurial VCS URL (ie │
│                │               │          │        │                   │               │ "pip...                                                │
│                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5752              │
└────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘
app/mediamtx (gobinary)
=======================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2023-39325 │ HIGH     │ fixed  │ v0.15.0           │ 0.17.0        │ golang: net/http, x/net/http2: rapid stream resets can cause │
│                  │                │          │        │                   │               │ excessive work (CVE-2023-44487)                              │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│                  ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-44487 │ MEDIUM   │        │                   │               │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable   │
│                  │                │          │        │                   │               │ to a DDoS attack...                                          │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
Considering that this container would (or at least should be :-) ) be running on an internal network anyway and not really reachable from the outside, quick vulnerability fixes could be optional? Anyhoot, just as @rswiz said though, thanks for the hard work @mrlt8
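The --vuln-type library tip above narrows Trivy's table to language packages (pip, the Go binary) and drops the OS-package noise. The same narrowing is easy to do after the fact on Trivy's JSON output (trivy image --format json -o report.json mrlt8/wyze-bridge), which is handy when a scan runs in CI and you want a severity gate or a short "what is actually fixable" list. The script below is an added example, not code from the wyze-bridge project or from anyone in this thread; it embeds a constructed report in Trivy's JSON layout (the Results/Class/Vulnerabilities fields) that mirrors the library findings shown above, plus a placeholder OS-package entry with a made-up ID.

```python
"""Filter a Trivy JSON report to library findings, the way --vuln-type library does."""
import json
from collections import Counter

# Constructed sample report in Trivy's JSON layout. The two lang-pkgs results
# reproduce the findings from the thread; the os-pkgs entry is a placeholder
# (CVE-0000-00000 is not a real identifier) standing in for the 80-odd OS findings.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "mrlt8/wyze-bridge",
    "Results": [
        {
            "Target": "mrlt8/wyze-bridge (os packages, constructed)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00000", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "",
                 "Severity": "LOW", "Title": "placeholder OS package finding"},
            ],
        },
        {
            "Target": "Python",
            "Class": "lang-pkgs",
            "Type": "python-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-5752", "PkgName": "pip",
                 "InstalledVersion": "23.2.1", "FixedVersion": "23.3",
                 "Severity": "MEDIUM",
                 "Title": "When installing a package from a Mercurial VCS URL ..."},
            ],
        },
        {
            "Target": "app/mediamtx",
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-39325", "PkgName": "golang.org/x/net",
                 "InstalledVersion": "v0.15.0", "FixedVersion": "0.17.0",
                 "Severity": "HIGH",
                 "Title": "golang: net/http, x/net/http2: rapid stream resets can cause excessive work"},
                {"VulnerabilityID": "CVE-2023-44487", "PkgName": "golang.org/x/net",
                 "InstalledVersion": "v0.15.0", "FixedVersion": "0.17.0",
                 "Severity": "MEDIUM",
                 "Title": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack"},
            ],
        },
    ],
})

# Trivy's severity ladder, lowest to highest, used for the threshold comparison.
SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def library_findings(report_json, min_severity="UNKNOWN"):
    """Return lang-pkgs findings at or above min_severity as flat dicts."""
    report = json.loads(report_json)
    threshold = SEVERITIES.index(min_severity)
    findings = []
    for result in report.get("Results", []):
        # Class "lang-pkgs" is what --vuln-type library keeps; "os-pkgs" is dropped.
        if result.get("Class") != "lang-pkgs":
            continue
        # Trivy emits null (not []) for targets with no vulnerabilities.
        for v in result.get("Vulnerabilities") or []:
            if SEVERITIES.index(v.get("Severity", "UNKNOWN")) < threshold:
                continue
            findings.append({
                "target": result["Target"],
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v["InstalledVersion"],
                "fixed": v.get("FixedVersion", ""),
                "severity": v["Severity"],
            })
    return findings


def severity_summary(findings):
    """Count findings per severity, with every severity level present."""
    counts = Counter(f["severity"] for f in findings)
    return {s: counts.get(s, 0) for s in SEVERITIES}


def format_summary(findings):
    """Render the counts in the same 'Total: N (...)' shape Trivy prints."""
    counts = severity_summary(findings)
    parts = ", ".join(f"{s}: {counts[s]}" for s in SEVERITIES)
    return f"Total: {len(findings)} ({parts})"


if __name__ == "__main__":
    found = library_findings(SAMPLE_REPORT, min_severity="MEDIUM")
    print(format_summary(found))
    for f in found:
        fix = f["fixed"] or "no fix available"
        print(f"{f['severity']:8} {f['id']:15} {f['pkg']} {f['installed']} -> {fix} ({f['target']})")
```

Pointing library_findings at a real report file (json.loads on its contents) gives the same narrowing as the --vuln-type library flag, and raising min_severity to "HIGH" turns it into a simple CI gate: a non-empty result means the image still ships a library finding that a rebuild is expected to clear.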
Thanks for the fix, and the tip to make the output more readable. You've got a great thing going here, and I'm happy to contribute in any way that I can!!
Hello,
I recently ran the Trivy container scanner and found several vulnerabilities of varying severity. The summary from running my scan last night is below.
Total: 84 (UNKNOWN: 0, LOW: 59, MEDIUM: 21, HIGH: 3, CRITICAL: 1)
My version of wyze-bridge is from October 9th 2023, and the command I used to run the scan is below.
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:latest image mrlt8/wyze-bridge
Thank you for your time and attention. I love the work that you've done on this utility, and hope to help by raising this to your attention.