Closed jawnsy closed 2 years ago
We are dealing with a cosmetic issue since fixes for all the CVEs reported here have been part of Sysbox for quite some time.
Looks like trivy is not smart enough to realize that Sysbox is overriding the pointers to the oci-runc code by making use of a replace instruction in its go.mod file.
@rodnymolina Thanks so much for the quick turnaround on this fix! FYI, I think you will need to apply the same changes to sysbox-fs and sysbox-mgr too: https://github.com/nestybox/sysbox-fs/blob/defca0dfc9bec25261f4b69f9d5cd1460695d458/go.mod#L19 and https://github.com/nestybox/sysbox-mgr/blob/9f1a13dc79214b66d0730d1bf85bc3eb60864050/go.mod#L20
These are in the full detailed output, but I omitted it from the summary view for the sake of brevity.
Once you merge this, I'm happy to help re-run the scan to "test" if you'd like! Are the Docker Hub images (e.g. nestybox/sysbox-in-docker:ubuntu-focal) updated automatically on merge?
PRs for all the subrepos are in review now -- see runc's one here.
$ trivy image nestybox/sysbox-in-docker:ubuntu-focal
2021-12-06T19:53:33.897-0500 INFO Need to update DB
2021-12-06T19:53:33.897-0500 INFO Downloading DB...
25.09 MiB / 25.09 MiB [------------------------------] 100.00% 8.29 MiB p/s 3s
2021-12-06T19:53:44.788-0500 INFO Detected OS: ubuntu
2021-12-06T19:53:44.789-0500 INFO Detecting Ubuntu vulnerabilities...
2021-12-06T19:53:44.792-0500 INFO Number of language-specific files: 3
2021-12-06T19:53:44.793-0500 INFO Detecting gobinary vulnerabilities...
...
usr/bin/sysbox-fs (gobinary)
============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
usr/bin/sysbox-mgr (gobinary)
=============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
usr/bin/sysbox-runc (gobinary)
==============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
Problem fixed. Closing.
Images containing sysbox are flagged with a vulnerability in runc when scanned with trivy, which I believe is looking at the module manifest included in compiled Go programs.
I'm uncertain whether the issue affects sysbox, since sysbox-runc uses a replace rule in the go.mod, hence the actual version of runc that sysbox uses is not the same version of runc that is listed.
This is the relevant warning, which applies to all of the sysbox binaries (sysbox-fs, sysbox-runc, and sysbox-mgr):
To reproduce this locally, you can simply run:
trivy image nestybox/sysbox-in-docker:ubuntu-focal
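The replace-directive mismatch described in this issue, as an added example that is not code from Sysbox, trivy, or anyone in this thread: it parses a constructed manifest in the text form of runtime/debug.BuildInfo with the standard library's debug.ParseBuildInfo, and shows why a scanner that keys on the declared require line flags runc while one that honors the `=>` replacement does not. Every module path, version and checksum in the sample (including the example.com paths) is a placeholder, not Sysbox's real go.mod contents.

```go
package main

import "runtime/debug"

// Constructed sample of the module manifest Go embeds in a binary, in the
// tab-separated form printed by `go version -m`. A `=>` line records a go.mod
// replace: the preceding `dep` was not linked in. All values are placeholders.
const sampleManifest = "path\texample.com/placeholder/sysbox-runc\n" +
	"mod\texample.com/placeholder/sysbox-runc\t(devel)\t\n" +
	"dep\tgithub.com/opencontainers/runc\tv1.0.0-PLACEHOLDER\th1:PLACEHOLDER=\n" +
	"=>\texample.com/placeholder/runc-fork\tv0.0.0-PLACEHOLDER\th1:PLACEHOLDER=\n" +
	"dep\tgithub.com/sirupsen/logrus\tv1.8.1\th1:PLACEHOLDER=\n"

type Dependency struct { // declared (require line) vs. effective (after replace)
	DeclaredPath, DeclaredVersion   string
	EffectivePath, EffectiveVersion string
}

// EffectiveDeps parses the manifest with the standard library and resolves each
// dependency through its Replace entry, if one was recorded.
func EffectiveDeps(manifest string) ([]Dependency, error) {
	bi, err := debug.ParseBuildInfo(manifest)
	if err != nil {
		return nil, err
	}
	var deps []Dependency
	for _, m := range bi.Deps {
		d := Dependency{m.Path, m.Version, m.Path, m.Version}
		if m.Replace != nil { // replace directive applied at build time
			d.EffectivePath, d.EffectiveVersion = m.Replace.Path, m.Replace.Version
		}
		deps = append(deps, d)
	}
	return deps, nil
}

// Matches reports whether path@version is present. honorReplace=false keys on
// the declared require line (the false positive in this issue); true keys on
// the module that was actually linked in, which is what a scanner should use.
func Matches(deps []Dependency, path, version string, honorReplace bool) bool {
	for _, d := range deps {
		p, v := d.DeclaredPath, d.DeclaredVersion
		if honorReplace {
			p, v = d.EffectivePath, d.EffectiveVersion
		}
		if p == path && v == version {
			return true
		}
	}
	return false
}
```

The same function can be pointed at a real binary's manifest, with the caveat that `go version -m` indents each build-info line with one leading tab that has to be stripped first.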