project-copacetic / copacetic

🧵 CLI tool for directly patching container images!
https://project-copacetic.github.io/copacetic/
Apache License 2.0

[BUG] Copa fails to patch all fixed CVEs for Oracle Linux (9-slim) docker image #762

Closed SaptarshiSarkar12 closed 1 week ago

SaptarshiSarkar12 commented 2 weeks ago

Version of copa

v0.7.0-50-gf32017a

Expected Behavior

Copa should be able to fix all the vulnerabilities reported by Trivy.

Actual Behavior

Trivy had reported 5 vulnerabilities which are fixed already. Trivy created a JSON file with details of the vulnerabilities and, on passing it to Copa for patching the image, it patched only 2 (the krb-5 package vulnerabilities) out of the 5 vulnerabilities. Why couldn't it patch the gnutls package vulnerability? I saw that the fixed versions (that Copa couldn't patch) were FIPS packages. I want to know more about the FIPS packages that Copa is failing to patch. Is there any concern about the vulnerabilities that have their fixed version as FIPS packages? Or are they false positives?

Unfixed CVEs links:


Steps To Reproduce

  1. Pull the `ghcr.io/saptarshisarkar12/drifty-cli:master` docker image. Alternatively, you can also pull its base image `oraclelinux:9-slim`.
  2. Run `trivy image --ignore-unfixed --format json --output drifty-cli.master.json ghcr.io/saptarshisarkar12/drifty-cli:master` to generate a report of fixed CVEs in JSON format.
  3. Run `docker run --detach --rm --privileged --name buildkitd --entrypoint buildkitd moby/buildkit:v0.15.2` to start the buildkitd daemon in detached mode.
  4. Run `copa patch -i ghcr.io/saptarshisarkar12/drifty-gui:master -r drifty-gui.master.json -t master-patched --addr docker-container://buildkitd --ignore-errors` to patch the image.
  5. We can see that out of the 5 vulnerabilities, only 2 have been patched (the vulnerabilities concerned with krb-5).

Are you willing to submit PRs to contribute to this bug fix?

ashnamehrotra commented 1 week ago

@SaptarshiSarkar12 Oracle Linux reports vulnerabilities in a way that causes false positives. You can see the troubleshooting page for more info: https://project-copacetic.github.io/copacetic/website/next/troubleshooting

SaptarshiSarkar12 commented 1 week ago

Hi @ashnamehrotra :wave:! So, if all the unfixed CVEs are false positives, then is it safe to close them as false positives? Is Trivy responsible for reporting the false positives that Oracle Linux passes to it?

ashnamehrotra commented 1 week ago

@SaptarshiSarkar12 Yes, that is correct. If you run the resulting patched image from the update-all/no-scanner approach and check for gnutls package updates, it will show that there are no upgrades available to patch.
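The triage the reporter is after (which of Trivy's "fixed" findings Copa can actually act on, and which only have a FIPS-variant fix) as an added example; this is not code from the issue or from the Copa project. It assumes Trivy's default JSON layout (`Results[].Vulnerabilities[]`) and, as a heuristic, that a FIPS-only fix is recognisable by `fips` in `FixedVersion`; the report below is a constructed sample, not the real drifty-cli scan.

```python
"""Split a Trivy JSON report into findings a patch tool can act on, findings
whose only fix is a FIPS-variant build (the Oracle Linux false-positive
pattern discussed in this issue), and findings with no fix at all."""
import json
from collections import defaultdict

# Constructed sample shaped like a trimmed `trivy image --format json` report.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "example-image (oracle 9.4)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "krb5-libs",
             "InstalledVersion": "1.0-1.el9", "FixedVersion": "1.0-2.el9"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "gnutls",
             "InstalledVersion": "3.0-1.el9", "FixedVersion": "3.0-1.el9.fips"},
            {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "gnutls",
             "InstalledVersion": "3.0-1.el9", "FixedVersion": "3.0-1.el9.fips"},
            {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "openssl",
             "InstalledVersion": "3.0-1.el9", "FixedVersion": ""},
        ],
    }],
})


def is_fips_variant(fixed_version: str) -> bool:
    """Heuristic (assumption): a FIPS-only fix carries 'fips' in its version string."""
    return "fips" in fixed_version.lower()


def triage(report_json: str):
    """Return (patchable, fips_only, unfixed); each maps package -> sorted CVE ids."""
    patchable, fips_only, unfixed = defaultdict(set), defaultdict(set), defaultdict(set)
    for result in json.loads(report_json).get("Results", []):
        # Trivy emits null (not []) for a target with no findings.
        for v in result.get("Vulnerabilities") or []:
            fixed = v.get("FixedVersion") or ""
            bucket = unfixed if not fixed else (fips_only if is_fips_variant(fixed) else patchable)
            bucket[v["PkgName"]].add(v["VulnerabilityID"])

    def tidy(d):
        return {pkg: sorted(ids) for pkg, ids in d.items()}
    return tidy(patchable), tidy(fips_only), tidy(unfixed)


if __name__ == "__main__":
    ok, fips, none = triage(SAMPLE_REPORT)
    print("patchable by a regular update:", ok)
    print("FIPS-variant fix only (verify in-image before treating as a false positive):", fips)
    print("no fix published:", none)
```

Packages landing in the FIPS-only bucket are the ones to confirm inside the patched image with the distribution's package manager, as the maintainer describes: if no regular upgrade is offered, the finding can be recorded as a false positive rather than an outstanding vulnerability.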

SaptarshiSarkar12 commented 1 week ago

@ashnamehrotra Okay. Thank you