trivy-db >= #4383 (published after 2023-04-06T00:12:04) contains incorrect References #302

Open
adamcohen2 opened this issue Apr 14, 2023 · 0 comments

@adamcohen2

  1. Run golang Docker container:

    docker run -it --rm golang:1.20-alpine sh
  2. Install required packages

    /go # apk update && apk add curl jq
  3. Install oras

    /go # mkdir /workdir && cd /workdir
    /workdir # VERSION="1.0.0"
    /workdir # curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz"
    /workdir # mkdir -p oras-install/
    /workdir # tar -zxf oras_${VERSION}_*.tar.gz -C oras-install/
    /workdir # mv oras-install/oras /usr/local/bin/
    /workdir # rm -rf oras_${VERSION}_*.tar.gz oras-install/
  4. Download and extract trivy-db #4383 created by this job:

    /workdir # oras pull ghcr.io/aquasecurity/trivy-db@sha256:ed40100e33e0814d383d5a305f534d6dcf02f8346573c6d99c87c5c9997b02c9
    
               Downloading 6945b6287a77 db.tar.gz
               Downloaded  6945b6287a77 db.tar.gz
               Pulled [registry] ghcr.io/aquasecurity/trivy-db@sha256:ed40100e33e0814d383d5a305f534d6dcf02f8346573c6d99c87c5c9997b02c9
               Digest: sha256:ed40100e33e0814d383d5a305f534d6dcf02f8346573c6d99c87c5c9997b02c9
    
    /workdir # tar -xzf db.tar.gz
    /workdir # jq . metadata.json
    
               {
                 "Version": 2,
                 "NextUpdate": "2023-04-06T12:07:02.927682586Z",
                 "UpdatedAt": "2023-04-06T06:07:02.927682986Z",
                 "DownloadedAt": "0001-01-01T00:00:00Z"
               }
  5. Create a Go app to read the contents of the DB

    /workdir # go mod init example.com/m
    
    /workdir # cat <<- "EOF" > main.go
    package main
    
    import (
      "fmt"
      "log"
      "time"
    
      bolt "go.etcd.io/bbolt"
    )
    
    func main() {
      // trivy.db is the BoltDB file extracted from db.tar.gz; the timeout avoids
      // blocking forever if another process holds the file lock.
      db, err := bolt.Open("trivy.db", 0600, &bolt.Options{Timeout: 1 * time.Second})
      if err != nil {
        log.Fatal(err)
      }
      defer db.Close()
    
      err = db.View(func(tx *bolt.Tx) error {
        // Vulnerability details are stored as JSON values in the "vulnerability"
        // bucket, keyed by vulnerability ID. Bucket and Get return nil on a miss.
        b := tx.Bucket([]byte("vulnerability"))
        if b == nil {
          return fmt.Errorf("bucket %q not found", "vulnerability")
        }
        v := b.Get([]byte("CVE-2020-12413"))
        if v == nil {
          return fmt.Errorf("key %q not found", "CVE-2020-12413")
        }
    
        fmt.Printf("%s\n", v)
    
        return nil
      })
      if err != nil {
        log.Fatal(err)
      }
    }
    EOF
    
    /workdir # go mod tidy
  6. Execute the Go app and notice that the elements in the References field have been split on the space character:

    /workdir # go run . | jq .References
    
    [
      "Attack:",
      "Brinkmann,",
      "Explanation",
      "Exploiting",
      "Finding",
      "Marcus",
      "Merget,",
      "Most-Significant-Bit-Oracles",
      "Raccoon",
      "Robert",
      "TLS-DH(E)",
      "Thorough",
      "al.",
      "and",
      "be",
      "by",
      "can",
      "et",
      "found:",
      "https://access.redhat.com/security/cve/CVE-2020-12413",
      "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2020-12413",
      "https://nvd.nist.gov/vuln/detail/CVE-2020-12413",
      "https://raccoon-attack.com/",
      "https://raccoon-attack.com/RacoonAttack.pdf",
      "https://www.cve.org/CVERecord?id=CVE-2020-12413",
      "in"
    ]
  7. Attempt again with the older trivy-db #4382 created by this job, and notice that the elements in the References field have not been split on the space character:

    /workdir # oras pull ghcr.io/aquasecurity/trivy-db@sha256:50491c946bf38251af9ef94a0f551023ffa4752c96d89ff5d05bc6aaa3e9e457
    
               Downloading 96872b37c647 db.tar.gz
               Downloaded  96872b37c647 db.tar.gz
               Pulled [registry] ghcr.io/aquasecurity/trivy-db@sha256:50491c946bf38251af9ef94a0f551023ffa4752c96d89ff5d05bc6aaa3e9e457
               Digest: sha256:50491c946bf38251af9ef94a0f551023ffa4752c96d89ff5d05bc6aaa3e9e457
    
    /workdir # tar -xzf db.tar.gz
    /workdir # jq . metadata.json
    
               {
                 "Version": 2,
                 "NextUpdate": "2023-04-06T06:12:04.626467667Z",
                 "UpdatedAt": "2023-04-06T00:12:04.626468067Z",
                 "DownloadedAt": "0001-01-01T00:00:00Z"
               }
    
    /workdir # go run . | jq .References
    
               [
                 "Raccoon Attack: Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH(E) by Robert Merget, Marcus Brinkmann, et al.",
                 "Thorough Explanation can be found: https://raccoon-attack.com/RacoonAttack.pdf",
                 "https://access.redhat.com/security/cve/CVE-2020-12413",
                 "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2020-12413",
                 "https://raccoon-attack.com/"
               ]

Also, should the References field contain non-URL values? It seems like it shouldn't.
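A check for the two problems reported above, as an added example (not code from the issue author or from the trivy-db project): it parses the JSON value stored under each vulnerability ID, lists every References entry that is not an absolute http(s) URL, and flags lists that look word-split. The `References` key is taken from the jq output above; the two sample values are constructed to match the outputs quoted for builds #4383 and #4382 and are not pulled from the registry; the "three or more bare tokens" threshold is an assumption made here to avoid flagging a single stray identifier.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// vulnerability covers only the part of a trivy-db "vulnerability" bucket value
// that this check needs; the "References" key is taken from the jq output in the issue.
type vulnerability struct {
	References []string `json:"References"`
}

// RefReport describes what was found in one vulnerability's References list.
type RefReport struct {
	NonURL     []string // entries that are not absolute http(s) URLs
	LooksSplit bool     // heuristic: free text appears to have been tokenised on whitespace
}

// isURL accepts only absolute http(s) URLs with a host. Bare words such as
// "Attack:" parse as a scheme with no host and are therefore rejected.
func isURL(s string) bool {
	u, err := url.Parse(s)
	return err == nil && (u.Scheme == "http" || u.Scheme == "https") && u.Host != ""
}

// CheckReferences lists the non-URL entries and flags lists that look word-split:
// an intact free-text reference ("Thorough Explanation can be found: ...") contains
// spaces, whereas a split one yields several bare tokens and none with spaces.
// The threshold of three bare tokens is an assumption, not a trivy-db rule.
func CheckReferences(refs []string) RefReport {
	var r RefReport
	bare := 0
	for _, ref := range refs {
		if isURL(ref) {
			continue
		}
		r.NonURL = append(r.NonURL, ref)
		if !strings.ContainsAny(ref, " \t") {
			bare++
		}
	}
	r.LooksSplit = bare >= 3 && bare == len(r.NonURL)
	return r
}

// ScanEntries runs CheckReferences over raw bucket values keyed by vulnerability ID
// and returns only the IDs that have at least one non-URL reference.
func ScanEntries(entries map[string][]byte) (map[string]RefReport, error) {
	out := make(map[string]RefReport)
	for id, raw := range entries {
		var v vulnerability
		if err := json.Unmarshal(raw, &v); err != nil {
			return nil, fmt.Errorf("%s: %w", id, err)
		}
		if rep := CheckReferences(v.References); len(rep.NonURL) > 0 {
			out[id] = rep
		}
	}
	return out, nil
}

// Constructed sample: two values shaped like the ones printed in the issue for
// trivy-db builds #4383 (split) and #4382 (intact). Nothing here comes from the registry.
var sampleEntries = map[string][]byte{
	"CVE-2020-12413@4383": []byte(`{"References": [
		"Attack:", "Brinkmann,", "Explanation", "Exploiting", "Finding", "Marcus",
		"Merget,", "Most-Significant-Bit-Oracles", "Raccoon", "Robert", "TLS-DH(E)",
		"Thorough", "al.", "and", "be", "by", "can", "et", "found:",
		"https://access.redhat.com/security/cve/CVE-2020-12413",
		"https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2020-12413",
		"https://nvd.nist.gov/vuln/detail/CVE-2020-12413",
		"https://raccoon-attack.com/",
		"https://raccoon-attack.com/RacoonAttack.pdf",
		"https://www.cve.org/CVERecord?id=CVE-2020-12413",
		"in"]}`),
	"CVE-2020-12413@4382": []byte(`{"References": [
		"Raccoon Attack: Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH(E) by Robert Merget, Marcus Brinkmann, et al.",
		"Thorough Explanation can be found: https://raccoon-attack.com/RacoonAttack.pdf",
		"https://access.redhat.com/security/cve/CVE-2020-12413",
		"https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2020-12413",
		"https://raccoon-attack.com/"]}`),
}

func main() {
	reports, err := ScanEntries(sampleEntries)
	if err != nil {
		panic(err)
	}
	ids := make([]string, 0, len(reports))
	for id := range reports {
		ids = append(ids, id)
	}
	sort.Strings(ids) // deterministic output order
	for _, id := range ids {
		r := reports[id]
		fmt.Printf("%s: %d non-URL reference(s), looks word-split: %v\n", id, len(r.NonURL), r.LooksSplit)
	}
}
```

To run the same check over a real trivy.db, replace `sampleEntries` with the values of the `vulnerability` bucket, for example by collecting them inside `db.View` with `b.ForEach(func(k, v []byte) error { ... })` from the bbolt API; the sample above is embedded only so the program runs offline.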
