project-copacetic / copacetic

🧵 CLI tool for directly patching container images!
https://project-copacetic.github.io/copacetic/
Apache License 2.0

Is Copa only fixing OS type vulnerabilities? #467

Closed ajmal-yazdani closed 10 months ago

ajmal-yazdani commented 10 months ago

What is your question?

Hi Team/ @sozercan,

I have patched the bitnami redis image using Copa, and to generate the vulnerabilities JSON file I am using the command below:

sudo trivy image -f json -o redis.11.15.1.json bitnami/redis:7.0.5-debian-11-r15

Please note I am not using `--vuln-type os --ignore-unfixed`.

Now I patched this with Copa using the command below:

sudo copa patch -i bitnami/redis:7.0.5-debian-11-r15 -r redis.11.15.1.json -t 11.15.1-patched --addr docker-container://buildkitd

After patching, when I do a Trivy scan with the flags `--vuln-type os --ignore-unfixed`, there are zero vulnerabilities. Awesome! :)

$ sudo trivy image --vuln-type os --ignore-unfixed bitnami/redis:11.15.1-patched | grep Total
2024-01-10T09:04:07.339Z INFO Vulnerability scanning is enabled
2024-01-10T09:04:07.339Z INFO Secret scanning is enabled
2024-01-10T09:04:07.339Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-10T09:04:07.339Z INFO Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-01-10T09:04:12.470Z INFO Detected OS: debian
2024-01-10T09:04:12.470Z INFO Detecting Debian vulnerabilities...
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

But when I do a Trivy scan without the flags `--vuln-type os --ignore-unfixed`, lots of vulnerabilities are still detected.

$ sudo trivy image bitnami/redis:11.15.1-patched | grep Total
2024-01-10T09:04:24.187Z INFO Vulnerability scanning is enabled
2024-01-10T09:04:24.187Z INFO Secret scanning is enabled
2024-01-10T09:04:24.187Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-10T09:04:24.187Z INFO Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-01-10T09:04:28.434Z INFO Detected OS: debian
2024-01-10T09:04:28.434Z INFO Detecting Debian vulnerabilities...
2024-01-10T09:04:28.449Z INFO Number of language-specific files: 2
2024-01-10T09:04:28.449Z INFO Detecting gobinary vulnerabilities...
Total: 104 (UNKNOWN: 0, LOW: 77, MEDIUM: 18, HIGH: 7, CRITICAL: 2)
Total: 6 (UNKNOWN: 0, LOW: 1, MEDIUM: 4, HIGH: 1, CRITICAL: 0)

What I am mostly seeing is gobinary vulnerabilities. Is there a way to fix all these using Copa?

ajmal-yazdani commented 10 months ago

One more point:

We're using twistlock (prisma cloud) for image scanning, and its vulnerability reports are also generated in JSON format. Attached one sample: redis1.json

If I try to give this JSON file to copa patch, it says it is not supported.

$ sudo copa patch -i bitnami/redis:7.0.5-debian-11-r15 -r redis1.json -t 7.0.5-patched --addr docker-container://buildkitd

Error: redis1.json is not a supported scan report format

Can we do something here to solve these vulnerabilities with Copa?

sozercan commented 10 months ago

@ajmal-yazdani copa supports patching OS-level vulnerabilities at this time (package manager, like apt, apk, etc., supported components). #147 tracks potentially supporting app-level vulns.
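As an added example (not part of this thread, and not Copa's or Trivy's own code): a small Python script that reads a Trivy JSON report and splits its findings the way the two scans above do, into OS-package findings with a fix available (what `--vuln-type os --ignore-unfixed` shows, and the only class an OS-package patcher like Copa can upgrade), OS findings with no fix yet, and language-specific findings such as gobinary that stay outside Copa's scope. It also reports what a full rescan would still show after every patchable OS package has been upgraded. The report shape it reads (`Results[].Class`, `Results[].Type`, `Vulnerabilities[].FixedVersion`) is Trivy's `-f json` output; the embedded sample report, its image name, package versions and CVE ids are constructed placeholders.

```python
"""Triage a Trivy JSON report by what an OS-package patcher can fix.

Added example, not Copa's or Trivy's code. Reads the `trivy image -f json`
report shape and separates findings into: patchable OS packages, OS packages
with no fix available, and language-specific (e.g. gobinary) findings.
"""
import json
import sys
from collections import Counter

# Constructed sample in the shape of a Trivy JSON report. The image name,
# package versions and CVE ids are placeholders, not real scan data.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/redis:placeholder-tag",
    "Results": [
        {
            "Target": "example/redis:placeholder-tag (debian 11.5)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libssl1.1",
                 "InstalledVersion": "1.1.1n-0+deb11u3",
                 "FixedVersion": "1.1.1n-0+deb11u5", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libc6",
                 "InstalledVersion": "2.31-13+deb11u5",
                 "FixedVersion": "", "Severity": "LOW"},
            ],
        },
        {
            "Target": "opt/example/bin/redis-exporter",
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "golang.org/x/net",
                 "InstalledVersion": "v0.0.0-placeholder",
                 "FixedVersion": "0.7.0", "Severity": "MEDIUM"},
            ],
        },
    ],
})


def triage_report(report_json: str) -> dict:
    """Count findings by whether an OS-package patcher can act on them.

    patchable   - Class os-pkgs with a FixedVersion: visible under
                  `--vuln-type os --ignore-unfixed`, and upgradable via apt/apk.
    os_unfixed  - OS packages with no fix published yet (hidden by
                  `--ignore-unfixed`; no patcher can upgrade them).
    lang_pkgs   - language-specific findings keyed by Type (gobinary, ...),
                  which come from application binaries, not the OS package DB.
    """
    report = json.loads(report_json)
    summary = {"patchable": 0, "os_unfixed": 0,
               "lang_pkgs": Counter(), "patchable_packages": []}
    for result in report.get("Results", []):
        vulns = result.get("Vulnerabilities") or []  # key is absent when clean
        cls = result.get("Class")
        if cls == "os-pkgs":
            for v in vulns:
                if v.get("FixedVersion"):
                    summary["patchable"] += 1
                    summary["patchable_packages"].append((v["PkgName"], v["FixedVersion"]))
                else:
                    summary["os_unfixed"] += 1
        elif cls == "lang-pkgs":
            summary["lang_pkgs"][result.get("Type", "unknown")] += len(vulns)
    summary["lang_pkgs"] = dict(summary["lang_pkgs"])
    return summary


def remaining_after_os_patch(summary: dict) -> dict:
    """What a full rescan (no --vuln-type/--ignore-unfixed flags) would still
    report once every patchable OS package has been upgraded."""
    lang_total = sum(summary["lang_pkgs"].values())
    return {"os_unfixed": summary["os_unfixed"],
            "lang_pkgs": dict(summary["lang_pkgs"]),
            "total": summary["os_unfixed"] + lang_total}


def main(argv):
    # Usage: python triage.py [trivy-report.json]; defaults to the sample.
    report_json = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    summary = triage_report(report_json)
    print("OS packages an OS-level patcher can upgrade:", summary["patchable"])
    for pkg, fixed in summary["patchable_packages"]:
        print(f"  {pkg} -> {fixed}")
    print("OS findings with no fix available:", summary["os_unfixed"])
    print("Language-specific findings (out of scope):", summary["lang_pkgs"])
    print("Expected on a full rescan after patching:", remaining_after_os_patch(summary))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the report produced in the thread (`python triage.py redis.11.15.1.json`) to see, before patching, how many of the findings are in the OS-package class with a fix available versus in the gobinary class; only the former can change after a Copa patch, so the "remaining" figure is the baseline to compare a post-patch full scan against rather than treating every remaining finding as a patching failure.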