Gobinary scan gives inconsistent results on image #6669

FlorisFeddema · 2024-05-10T09:42:51Z

FlorisFeddema
May 10, 2024

Description

Our pipeline is inconsistent with the CVE results it generates.
When we scan quay.io/argoproj/argocd:v2.11.0 we sometimes get more vulnerabilities in usr/local/bin/argocd than the next time it runs. This means we can not correctly evaluate which CVE's are present on the product.

An example of a package showing this weird behaviour:
VulnerabilityID: CVE-2022-29165
PkgName: github.com/argoproj/argo-cd/v2
PkgIdentifier: { "PURL": "pkg:golang/github.com/argoproj/argo-cd/[email protected]", "UID": "6b7f96766b3680e6" }
InstalledVersion: v0.26.11
FixedVersion: 2.3.4, 2.2.9, 2.1.15

This is a CVE from an ArgoCD version in 2022 but it is showing in the latest ArgoCD image.
When we compare the output of 2 runs (one with the old vulnerabilities and one without) there are no differences in trivyDB size, used trivy or argocd image sha.

While we run this in our Azure Devops pipelines it happens a lot, if we try to run the trivy command locally it does not happen.

Desired Behavior

It should not show the old ArgoCD vulnerabilities and be consistent over each run.

Actual Behavior

Every other pipeline run it deletes or adds the same old ArgoCD CVE's. We only see this behaviour happen with pkg:golang/github.com/argoproj/argo-cd/[email protected], while this version of the package should not be available on the scanned image.

Reproduction Steps

1. Scan quay.io/argoproj/argocd:v2.11.0
2. Save results
3. Scan quay.io/argoproj/argocd:v2.11.0 again
4. Save results
5. Compare results and see the difference in vulnerabilities.

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

$ docker run --rm -v trivydb:/root/.cache/ -v /var/run/docker.sock:/var/run/docker.sock -v $workingDirectory/.trivy:/resultdir aquasec/trivy image --exit-code 0 --severity HIGH,CRITICAL --scanners vuln -f json --debug -o /resultdir/results.json quay.io/argoproj/argocd:v2.11.0

2024-05-10T09:05:53.4209441Z 2024-05-10T09:05:53Z	DEBUG	Parsed severities	severities=[HIGH CRITICAL]
2024-05-10T09:05:53.4210437Z 2024-05-10T09:05:53Z	DEBUG	Ignore statuses	statuses=[]
2024-05-10T09:05:53.4222946Z 2024-05-10T09:05:53Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2024-05-10T09:05:53.4224080Z 2024-05-10T09:05:53Z	DEBUG	DB update was skipped because the local DB is the latest
2024-05-10T09:05:53.4225289Z 2024-05-10T09:05:53Z	DEBUG	DB info	schema=2 updated_at=2024-05-10T06:13:07.891406002Z next_update=2024-05-10T12:13:07.891405742Z downloaded_at=2024-05-10T09:05:41.49043951Z
2024-05-10T09:05:53.4225775Z 2024-05-10T09:05:53Z	INFO	Vulnerability scanning is enabled
2024-05-10T09:05:53.4226102Z 2024-05-10T09:05:53Z	DEBUG	Vulnerability type	type=[os library]
2024-05-10T09:05:53.4226659Z 2024-05-10T09:05:53Z	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-10T09:05:54.1816125Z 2024-05-10T09:05:54Z	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-05-10T09:05:54.3101051Z 2024-05-10T09:05:54Z	DEBUG	[image] Detected image ID	image_id="sha256:0046c3e43748c8d738a606f84e70637c7c2f78aa31788e7803be29f5a13aca6d"
2024-05-10T09:05:54.3104880Z 2024-05-10T09:05:54Z	DEBUG	[image] Detected diff ID	diff_ids=[sha256:59c56aee1fb4dbaeb334aef06088b49902105d1ea0c15a9e5a2a9ce560fa4c5d sha256:9525525883b59e6047a41f1ca486d0278d5b38cbe41c74746b309dc9ba691758 sha256:99705242622ecaaf37128178bdcf61195c8cf7519cd94d9fad7d88ff6ded749a sha256:54d269c27ad140624e70e22e1b55b9d2371bca46bdafe85c11a3b175021cd95a sha256:48d4f43783d7ae96886c2220f39e5ee95598b450027b9a9efc82d378e44d270b sha256:9b1a8b94e1f713d59c9d8d228480d91430c1d39f34e0f574910f4a3f678510da sha256:e98ed0e08f4d43dbb990d311c5da2ec09935915b25f557967161ebc3c53b0d0f sha256:2449c82c12fb50d5cca5d48f6f6cbe7ff67210826be789e80e417d2a0fdeb288 sha256:37fca0aedb427787a21df8b977f5909c4a8e59cb508cf6da33ed2c81fc08ce88 sha256:7f074780069bf500dd6f299bbfa09f50a63ff85ddf0ba843f32392b59bcf91b2 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:72c19920c2cc08b499509a821d4c544c6a3b4cea871284be7e93f8e38debbc10 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:9c5f8fd0394f35df3b6adbec548e4405c9f346fd398853a729d48ffe1adfb162 sha256:146ec7b789795fef1eabf03d5157773df5cb7cc2bd30bb3d9131cc1558bc2004]
2024-05-10T09:05:54.3107527Z 2024-05-10T09:05:54Z	DEBUG	[image] Detected base layers	diff_ids=[sha256:59c56aee1fb4dbaeb334aef06088b49902105d1ea0c15a9e5a2a9ce560fa4c5d]
2024-05-10T09:05:54.3119481Z 2024-05-10T09:05:54Z	DEBUG	[image] Missing image ID in cache	image_id="sha256:0046c3e43748c8d738a606f84e70637c7c2f78aa31788e7803be29f5a13aca6d"
2024-05-10T09:05:54.3122623Z 2024-05-10T09:05:54Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:9525525883b59e6047a41f1ca486d0278d5b38cbe41c74746b309dc9ba691758"
2024-05-10T09:05:54.3123305Z 2024-05-10T09:05:54Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:99705242622ecaaf37128178bdcf61195c8cf7519cd94d9fad7d88ff6ded749a"
2024-05-10T09:05:54.3123923Z 2024-05-10T09:05:54Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:54d269c27ad140624e70e22e1b55b9d2371bca46bdafe85c11a3b175021cd95a"
2024-05-10T09:05:54.3124522Z 2024-05-10T09:05:54Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:48d4f43783d7ae96886c2220f39e5ee95598b450027b9a9efc82d378e44d270b"
2024-05-10T09:05:54.3125393Z 2024-05-10T09:05:54Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:59c56aee1fb4dbaeb334aef06088b49902105d1ea0c15a9e5a2a9ce560fa4c5d"
2024-05-10T09:05:54.5195171Z 2024-05-10T09:05:54Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:9b1a8b94e1f713d59c9d8d228480d91430c1d39f34e0f574910f4a3f678510da"
2024-05-10T09:05:54.5212376Z 2024-05-10T09:05:54Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:e98ed0e08f4d43dbb990d311c5da2ec09935915b25f557967161ebc3c53b0d0f"
2024-05-10T09:05:54.6784344Z 2024-05-10T09:05:54Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:2449c82c12fb50d5cca5d48f6f6cbe7ff67210826be789e80e417d2a0fdeb288"
2024-05-10T09:05:54.8042297Z 2024-05-10T09:05:54Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:37fca0aedb427787a21df8b977f5909c4a8e59cb508cf6da33ed2c81fc08ce88"
2024-05-10T09:05:54.9512161Z 2024-05-10T09:05:54Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:7f074780069bf500dd6f299bbfa09f50a63ff85ddf0ba843f32392b59bcf91b2"
2024-05-10T09:05:55.0691428Z 2024-05-10T09:05:55Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:72c19920c2cc08b499509a821d4c544c6a3b4cea871284be7e93f8e38debbc10"
2024-05-10T09:05:55.1115343Z 2024-05-10T09:05:55Z	DEBUG	[gobinary] Parsing dependency's build info settings	dependency="" -ldflags=[]
2024-05-10T09:05:55.1116092Z 2024-05-10T09:05:55Z	DEBUG	[gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.	dependency=""
2024-05-10T09:05:55.1757690Z 2024-05-10T09:05:55Z	DEBUG	[gobinary] Parsing dependency's build info settings	dependency="" -ldflags=[-s -w -X sigs.k8s.io/kustomize/api/provenance.version=v5.2.1 -X sigs.k8s.io/kustomize/api/provenance.gitCommit=e71072b90b0ecf9eef2f2980765fc0b7427ab7d2 -X sigs.k8s.io/kustomize/api/provenance.buildDate=2023-10-19T20:13:51Z]
2024-05-10T09:05:55.1758509Z 2024-05-10T09:05:55Z	DEBUG	[gobinary] Unable to detect main module's dependency version - `(devel)` is used	dependency="sigs.k8s.io/kustomize/api"
2024-05-10T09:05:55.1759026Z 2024-05-10T09:05:55Z	DEBUG	[gobinary] Unable to detect main module's dependency version - `(devel)` is used	dependency="sigs.k8s.io/kustomize/cmd/config"
2024-05-10T09:05:55.1759511Z 2024-05-10T09:05:55Z	DEBUG	[gobinary] Unable to detect main module's dependency version - `(devel)` is used	dependency="sigs.k8s.io/kustomize/kustomize/v5"
2024-05-10T09:05:55.1760165Z 2024-05-10T09:05:55Z	DEBUG	[gobinary] Unable to detect main module's dependency version - `(devel)` is used	dependency="sigs.k8s.io/kustomize/kyaml"
2024-05-10T09:05:55.1767088Z 2024-05-10T09:05:55Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:9c5f8fd0394f35df3b6adbec548e4405c9f346fd398853a729d48ffe1adfb162"
2024-05-10T09:05:55.1929064Z 2024-05-10T09:05:55Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:146ec7b789795fef1eabf03d5157773df5cb7cc2bd30bb3d9131cc1558bc2004"
2024-05-10T09:05:55.7235447Z 2024-05-10T09:05:55Z	DEBUG	[gobinary] Unable to detect main module's dependency version - `(devel)` is used	dependency="helm.sh/helm/v3"
2024-05-10T09:05:55.7242803Z 2024-05-10T09:05:55Z	DEBUG	[gobinary] Parsing dependency's build info settings	dependency="helm.sh/helm/v3" -ldflags=[]
2024-05-10T09:05:55.7248470Z 2024-05-10T09:05:55Z	DEBUG	[gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.	dependency="helm.sh/helm/v3"
2024-05-10T09:05:57.4483759Z 2024-05-10T09:05:57Z	DEBUG	[dpkg] Unable to parse the available file	file="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2024-05-10T09:05:57.6144360Z 2024-05-10T09:05:57Z	DEBUG	[gobinary] Unable to detect main module's dependency version - `(devel)` is used	dependency="github.com/argoproj/argo-cd/v2"
2024-05-10T09:05:57.6148279Z 2024-05-10T09:05:57Z	DEBUG	[gobinary] Parsing dependency's build info settings	dependency="github.com/argoproj/argo-cd/v2" -ldflags=[-X github.com/argoproj/argo-cd/v2/common.version=2.11.0 -X github.com/argoproj/argo-cd/v2/common.buildDate=2024-05-07T16:01:41Z -X github.com/argoproj/argo-cd/v2/common.gitCommit=d3f33c00197e7f1d16f2a73ce1aeced464b07175 -X github.com/argoproj/argo-cd/v2/common.gitTreeState=clean -X github.com/argoproj/argo-cd/v2/common.kubectlVersion=v0.26.11 -X "github.com/argoproj/argo-cd/v2/common.extraBuildInfo=" -extldflags "-static"]
2024-05-10T09:05:57.6192531Z 2024-05-10T09:05:57Z	DEBUG	No secrets found in container image config
2024-05-10T09:05:57.6378683Z 2024-05-10T09:05:57Z	INFO	Detected OS	family="ubuntu" version="22.04"
2024-05-10T09:05:57.6379123Z 2024-05-10T09:05:57Z	INFO	[ubuntu] Detecting vulnerabilities...	os_version="22.04" pkg_num=162
2024-05-10T09:05:57.6420605Z 2024-05-10T09:05:57Z	INFO	Number of language-specific files	num=3
2024-05-10T09:05:57.6421012Z 2024-05-10T09:05:57Z	INFO	[gobinary] Detecting vulnerabilities...
2024-05-10T09:05:57.6421699Z 2024-05-10T09:05:57Z	DEBUG	[gobinary] Scanning packages from the file	file_path="usr/local/bin/helm"
2024-05-10T09:05:57.6455753Z 2024-05-10T09:05:57Z	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="helm.sh/helm/v3"
2024-05-10T09:05:57.6491340Z 2024-05-10T09:05:57Z	DEBUG	[gobinary] Scanning packages from the file	file_path="usr/local/bin/kustomize"
2024-05-10T09:05:57.6499068Z 2024-05-10T09:05:57Z	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="sigs.k8s.io/kustomize/api"
2024-05-10T09:05:57.6500634Z 2024-05-10T09:05:57Z	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="sigs.k8s.io/kustomize/cmd/config"
2024-05-10T09:05:57.6502019Z 2024-05-10T09:05:57Z	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="sigs.k8s.io/kustomize/kustomize/v5"
2024-05-10T09:05:57.6502515Z 2024-05-10T09:05:57Z	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="sigs.k8s.io/kustomize/kyaml"
2024-05-10T09:05:57.6533265Z 2024-05-10T09:05:57Z	DEBUG	[gobinary] Scanning packages from the file	file_path="usr/local/bin/argocd"


This results in the following output file:

 {
   "SchemaVersion": 2,
   "CreatedAt": "2024-05-10T09:05:57.664510563Z",
   "ArtifactName": "quay.io/argoproj/argocd:v2.11.0",
   "ArtifactType": "container_image",
   "Metadata": {
     "OS": {
       "Family": "ubuntu",
       "Name": "22.04"
     },
     "ImageID": "sha256:0046c3e43748c8d738a606f84e70637c7c2f78aa31788e7803be29f5a13aca6d",
     "DiffIDs": [
       "sha256:59c56aee1fb4dbaeb334aef06088b49902105d1ea0c15a9e5a2a9ce560fa4c5d",
       "sha256:9525525883b59e6047a41f1ca486d0278d5b38cbe41c74746b309dc9ba691758",
       "sha256:99705242622ecaaf37128178bdcf61195c8cf7519cd94d9fad7d88ff6ded749a",
       "sha256:54d269c27ad140624e70e22e1b55b9d2371bca46bdafe85c11a3b175021cd95a",
       "sha256:48d4f43783d7ae96886c2220f39e5ee95598b450027b9a9efc82d378e44d270b",
       "sha256:9b1a8b94e1f713d59c9d8d228480d91430c1d39f34e0f574910f4a3f678510da",
       "sha256:e98ed0e08f4d43dbb990d311c5da2ec09935915b25f557967161ebc3c53b0d0f",
       "sha256:2449c82c12fb50d5cca5d48f6f6cbe7ff67210826be789e80e417d2a0fdeb288",
       "sha256:37fca0aedb427787a21df8b977f5909c4a8e59cb508cf6da33ed2c81fc08ce88",
       "sha256:7f074780069bf500dd6f299bbfa09f50a63ff85ddf0ba843f32392b59bcf91b2",
       "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef",
       "sha256:72c19920c2cc08b499509a821d4c544c6a3b4cea871284be7e93f8e38debbc10",
       "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef",
       "sha256:9c5f8fd0394f35df3b6adbec548e4405c9f346fd398853a729d48ffe1adfb162",
       "sha256:146ec7b789795fef1eabf03d5157773df5cb7cc2bd30bb3d9131cc1558bc2004"
     ],
     "RepoTags": [
       "quay.io/argoproj/argocd:v2.11.0"
     ],
     "RepoDigests": [
       "quay.io/argoproj/argocd@sha256:e81cfc1f5761edc54684e00ca7f368a2a95ccd80a032ad9f1f97eaa3fdfb06c7"
     ],
     "ImageConfig": {
       "architecture": "amd64",
       "created": "2024-05-07T16:18:50.191369159Z",
       "history": [
         {
           "created": "2023-06-28T08:37:40.107416121Z",
           "created_by": "/bin/sh -c #(nop)  ARG RELEASE",
           "empty_layer": true
         },
         {
           "created": "2023-06-28T08:37:40.172787047Z",
           "created_by": "/bin/sh -c #(nop)  ARG LAUNCHPAD_BUILD_ARCH",
           "empty_layer": true
         },
         {
           "created": "2023-06-28T08:37:40.235648065Z",
           "created_by": "/bin/sh -c #(nop)  LABEL org.opencontainers.image.ref.name=ubuntu",
           "empty_layer": true
         },
         {
           "created": "2023-06-28T08:37:40.292202878Z",
           "created_by": "/bin/sh -c #(nop)  LABEL org.opencontainers.image.version=22.04",
           "empty_layer": true
         },
         {
           "created": "2023-06-28T08:37:42.055763636Z",
           "created_by": "/bin/sh -c #(nop) ADD file:140fb5108b4a2861b5718ad03b4a5174bba03589ea8d4c053e6a0b282f439ff3 in / "
         },
         {
           "created": "2023-06-28T08:37:42.319109064Z",
           "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
           "empty_layer": true
         },
         {
           "created": "2024-05-07T16:03:09.868842223Z",
           "created_by": "LABEL org.opencontainers.image.source=https://github.com/argoproj/argo-cd",
           "comment": "buildkit.dockerfile.v0",
           "empty_layer": true
         },
         {
           "created": "2024-05-07T16:03:09.868842223Z",
           "created_by": "USER root",
           "comment": "buildkit.dockerfile.v0",
           "empty_layer": true
         },
         {
           "created": "2024-05-07T16:03:09.868842223Z",
           "created_by": "ENV ARGOCD_USER_ID=999",
           "comment": "buildkit.dockerfile.v0",
           "empty_layer": true
         },
         {
           "created": "2024-05-07T16:03:09.868842223Z",
           "created_by": "ENV DEBIAN_FRONTEND=noninteractive",
           "comment": "buildkit.dockerfile.v0",
           "empty_layer": true
         },
         {
           "created": "2024-05-07T16:03:09.868842223Z",
           "created_by": "RUN /bin/sh -c groupadd -g $ARGOCD_USER_ID argocd \u0026\u0026     useradd -r -u $ARGOCD_USER_ID -g argocd argocd \u0026\u0026     mkdir -p /home/argocd \u0026\u0026     chown argocd:0 /home/argocd \u0026\u0026     chmod g=u /home/argocd \u0026\u0026     apt-get update \u0026\u0026     apt-get dist-upgrade -y \u0026\u0026     apt-get install -y     git git-lfs tini gpg tzdata connect-proxy \u0026\u0026     apt-get clean \u0026\u0026     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* # buildkit",
           "comment": "buildkit.dockerfile.v0"
         },
         {
           "created": "2024-05-07T16:03:10.012096384Z",
           "created_by": "COPY hack/gpg-wrapper.sh /usr/local/bin/gpg-wrapper.sh # buildkit",
           "comment": "buildkit.dockerfile.v0"
         },
         {
           "created": "2024-05-07T16:03:10.05175956Z",
           "created_by": "COPY hack/git-verify-wrapper.sh /usr/local/bin/git-verify-wrapper.sh # buildkit",
           "comment": "buildkit.dockerfile.v0"
         },
         {
           "created": "2024-05-07T16:03:24.518739818Z",
           "created_by": "COPY /usr/local/bin/helm /usr/local/bin/helm # buildkit",
           "comment": "buildkit.dockerfile.v0"
         },
         {
           "created": "2024-05-07T16:03:24.630418602Z",
           "created_by": "COPY /usr/local/bin/kustomize /usr/local/bin/kustomize # buildkit",
           "comment": "buildkit.dockerfile.v0"
         },
         {
           "created": "2024-05-07T16:03:24.67154539Z",
           "created_by": "COPY entrypoint.sh /usr/local/bin/entrypoint.sh # buildkit",
           "comment": "buildkit.dockerfile.v0"
         },
         {
           "created": "2024-05-07T16:03:24.854338127Z",
           "created_by": "RUN /bin/sh -c ln -s /usr/local/bin/entrypoint.sh /usr/local/bin/uid_entrypoint.sh # buildkit",
           "comment": "buildkit.dockerfile.v0"
         },
         {
           "created": "2024-05-07T16:03:24.878326357Z",
           "created_by": "WORKDIR /app/config/ssh",
           "comment": "buildkit.dockerfile.v0"
         },
         {
           "created": "2024-05-07T16:03:25.041217014Z",
           "created_by": "RUN /bin/sh -c touch ssh_known_hosts \u0026\u0026     ln -s /app/config/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts # buildkit",
           "comment": "buildkit.dockerfile.v0"
         },
         {
           "created": "2024-05-07T16:03:25.061633638Z",
           "created_by": "WORKDIR /app/config",
           "comment": "buildkit.dockerfile.v0"
         },
         {
           "created": "2024-05-07T16:03:25.241839677Z",
           "created_by": "RUN /bin/sh -c mkdir -p tls \u0026\u0026     mkdir -p gpg/source \u0026\u0026     mkdir -p gpg/keys \u0026\u0026     chown argocd gpg/keys \u0026\u0026     chmod 0700 gpg/keys # buildkit",
           "comment": "buildkit.dockerfile.v0"
         },
         {
           "created": "2024-05-07T16:03:25.241839677Z",
           "created_by": "ENV USER=argocd",
           "comment": "buildkit.dockerfile.v0",
           "empty_layer": true
         },
         {
           "created": "2024-05-07T16:03:25.241839677Z",
           "created_by": "USER 999",
           "comment": "buildkit.dockerfile.v0",
           "empty_layer": true
         },
         {
           "created": "2024-05-07T16:03:25.279955227Z",
           "created_by": "WORKDIR /home/argocd",
           "comment": "buildkit.dockerfile.v0"
         },
         {
           "created": "2024-05-07T16:18:50.099424914Z",
           "created_by": "COPY /go/src/github.com/argoproj/argo-cd/dist/argocd* /usr/local/bin/ # buildkit",
           "comment": "buildkit.dockerfile.v0"
         },
         {
           "created": "2024-05-07T16:18:50.099424914Z",
           "created_by": "USER root",
           "comment": "buildkit.dockerfile.v0",
           "empty_layer": true
         },
         {
           "created": "2024-05-07T16:18:50.191369159Z",
           "created_by": "RUN /bin/sh -c ln -s /usr/local/bin/argocd /usr/local/bin/argocd-server \u0026\u0026     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-repo-server \u0026\u0026     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-cmp-server \u0026\u0026     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-application-controller \u0026\u0026     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-dex \u0026\u0026     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-notifications \u0026\u0026     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-applicationset-controller \u0026\u0026     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-k8s-auth # buildkit",
           "comment": "buildkit.dockerfile.v0"
         },
         {
           "created": "2024-05-07T16:18:50.191369159Z",
           "created_by": "USER 999",
           "comment": "buildkit.dockerfile.v0",
           "empty_layer": true
         },
         {
           "created": "2024-05-07T16:18:50.191369159Z",
           "created_by": "ENTRYPOINT [\"/usr/bin/tini\" \"--\"]",
           "comment": "buildkit.dockerfile.v0",
           "empty_layer": true
         }
       ],
       "os": "linux",
       "rootfs": {
         "type": "layers",
         "diff_ids": [
           "sha256:59c56aee1fb4dbaeb334aef06088b49902105d1ea0c15a9e5a2a9ce560fa4c5d",
           "sha256:9525525883b59e6047a41f1ca486d0278d5b38cbe41c74746b309dc9ba691758",
           "sha256:99705242622ecaaf37128178bdcf61195c8cf7519cd94d9fad7d88ff6ded749a",
           "sha256:54d269c27ad140624e70e22e1b55b9d2371bca46bdafe85c11a3b175021cd95a",
           "sha256:48d4f43783d7ae96886c2220f39e5ee95598b450027b9a9efc82d378e44d270b",
           "sha256:9b1a8b94e1f713d59c9d8d228480d91430c1d39f34e0f574910f4a3f678510da",
           "sha256:e98ed0e08f4d43dbb990d311c5da2ec09935915b25f557967161ebc3c53b0d0f",
           "sha256:2449c82c12fb50d5cca5d48f6f6cbe7ff67210826be789e80e417d2a0fdeb288",
           "sha256:37fca0aedb427787a21df8b977f5909c4a8e59cb508cf6da33ed2c81fc08ce88",
           "sha256:7f074780069bf500dd6f299bbfa09f50a63ff85ddf0ba843f32392b59bcf91b2",
           "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef",
           "sha256:72c19920c2cc08b499509a821d4c544c6a3b4cea871284be7e93f8e38debbc10",
           "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef",
           "sha256:9c5f8fd0394f35df3b6adbec548e4405c9f346fd398853a729d48ffe1adfb162",
           "sha256:146ec7b789795fef1eabf03d5157773df5cb7cc2bd30bb3d9131cc1558bc2004"
         ]
       },
       "config": {
         "Entrypoint": [
           "/usr/bin/tini",
           "--"
         ],
         "Env": [
           "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
           "ARGOCD_USER_ID=999",
           "DEBIAN_FRONTEND=noninteractive",
           "USER=argocd"
         ],
         "Labels": {
           "org.opencontainers.image.ref.name": "ubuntu",
           "org.opencontainers.image.source": "https://github.com/argoproj/argo-cd",
           "org.opencontainers.image.version": "22.04"
         },
         "User": "999",
         "WorkingDir": "/home/argocd"
       }
     }
   },
   "Results": [
     {
       "Target": "quay.io/argoproj/argocd:v2.11.0 (ubuntu 22.04)",
       "Class": "os-pkgs",
       "Type": "ubuntu"
     },
     {
       "Target": "usr/local/bin/argocd",
       "Class": "lang-pkgs",
       "Type": "gobinary",
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2022-29165",
           "PkgName": "github.com/argoproj/argo-cd/v2",
           "PkgIdentifier": {
             "PURL": "pkg:golang/github.com/argoproj/argo-cd/[email protected]",
             "UID": "6b7f96766b3680e6"
           },
           "InstalledVersion": "v0.26.11",
           "FixedVersion": "2.3.4, 2.2.9, 2.1.15",
           "Status": "fixed",
           "Layer": {
             "Digest": "sha256:d3895b6c598fb3bdf085594fe75d4868906081f71fb074f93e4e00a609dda9de",
             "DiffID": "sha256:9c5f8fd0394f35df3b6adbec548e4405c9f346fd398853a729d48ffe1adfb162"
           },
           "SeveritySource": "ghsa",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-29165",
           "DataSource": {
             "ID": "ghsa",
             "Name": "GitHub Security Advisory Go",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
           },
           "Title": "argocd: ArgoCD will blindly trust JWT claims if anonymous access is enabled",
           "Description": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated users to impersonate as any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled. In a default Argo CD installation, anonymous access is disabled. The vulnerability can be exploited to impersonate as any user or role, including the built-in `admin` account regardless of whether it is enabled or disabled. Also, the attacker does not need an account on the Argo CD instance in order to exploit this. If anonymous access to the instance is enabled, an attacker can escalate their privileges, effectively allowing them to gain the same privileges on the cluster as the Argo CD instance, which is cluster admin in a default installation. This will allow the attacker to create, manipulate and delete any resource on the cluster. They may also exfiltrate data by deploying malicious workloads with elevated privileges, thus bypassing any redaction of sensitive data otherwise enforced by the Argo CD API. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. As a workaround, one may disable anonymous access, but upgrading to a patched version is preferable.",
           "Severity": "CRITICAL",
           "CweIDs": [
             "CWE-290",
             "CWE-200",
             "CWE-287"
           ],
           "VendorSeverity": {
             "ghsa": 4,
             "nvd": 4,
             "redhat": 3
           },
           "CVSS": {
             "ghsa": {
               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
               "V3Score": 10
             },
             "nvd": {
               "V2Vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
               "V2Score": 9.3,
               "V3Score": 10
             },
             "redhat": {
               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
               "V3Score": 10
             }
           },
           "References": [
             "github.com/argoproj/argo-cd",
             "https://access.redhat.com/security/cve/CVE-2022-29165",
             "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15",
             "https://github.com/argoproj/argo-cd/releases/tag/v2.2.9",
             "https://github.com/argoproj/argo-cd/releases/tag/v2.3.4",
             "https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj",
             "https://nvd.nist.gov/vuln/detail/CVE-2022-29165",
             "https://www.cve.org/CVERecord?id=CVE-2022-29165"
           ],
           "PublishedDate": "2022-05-20T15:15:10.21Z",
           "LastModifiedDate": "2022-06-02T15:26:55.43Z"
         },
         {
           "VulnerabilityID": "CVE-2022-31035",
           "PkgName": "github.com/argoproj/argo-cd/v2",
           "PkgIdentifier": {
             "PURL": "pkg:golang/github.com/argoproj/argo-cd/[email protected]",
             "UID": "6b7f96766b3680e6"
           },
           "InstalledVersion": "v0.26.11",
           "FixedVersion": "2.1.16, 2.2.10, 2.3.5, 2.4.1",
           "Status": "fixed",
           "Layer": {
             "Digest": "sha256:d3895b6c598fb3bdf085594fe75d4868906081f71fb074f93e4e00a609dda9de",
             "DiffID": "sha256:9c5f8fd0394f35df3b6adbec548e4405c9f346fd398853a729d48ffe1adfb162"
           },
           "SeveritySource": "ghsa",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-31035",
           "DataSource": {
             "ID": "ghsa",
             "Name": "GitHub Security Advisory Go",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
           },
           "Title": "argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI",
           "Description": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a `javascript:` link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). The script would be capable of doing anything which is possible in the UI or via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no completely-safe workarounds besides upgrading.",
           "Severity": "CRITICAL",
           "CweIDs": [
             "CWE-79"
           ],
           "VendorSeverity": {
             "ghsa": 4,
             "nvd": 2,
             "redhat": 3
           },
           "CVSS": {
             "ghsa": {
               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
               "V3Score": 9
             },
             "nvd": {
               "V2Vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
               "V2Score": 3.5,
               "V3Score": 5.4
             },
             "redhat": {
               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
               "V3Score": 8.8
             }
           },
           "References": [
             "https://access.redhat.com/security/cve/CVE-2022-31035",
             "https://argo-cd.readthedocs.io/en/stable/user-guide/external-url",
             "https://argo-cd.readthedocs.io/en/stable/user-guide/external-url/",
             "https://github.com/argoproj/argo-cd",
             "https://github.com/argoproj/argo-cd/commit/8bc3ef690de29c68a36f473908774346a44d4038",
             "https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj",
             "https://nvd.nist.gov/vuln/detail/CVE-2022-31035",
             "https://www.cve.org/CVERecord?id=CVE-2022-31035"
           ],
           "PublishedDate": "2022-06-27T19:15:08.457Z",
           "LastModifiedDate": "2022-07-07T17:09:40.177Z"
         },
         {
           "VulnerabilityID": "CVE-2022-1025",
           "PkgName": "github.com/argoproj/argo-cd/v2",
           "PkgIdentifier": {
             "PURL": "pkg:golang/github.com/argoproj/argo-cd/[email protected]",
             "UID": "6b7f96766b3680e6"
           },
           "InstalledVersion": "v0.26.11",
           "FixedVersion": "2.1.14, 2.2.8, 2.3.2",
           "Status": "fixed",
           "Layer": {
             "Digest": "sha256:d3895b6c598fb3bdf085594fe75d4868906081f71fb074f93e4e00a609dda9de",
             "DiffID": "sha256:9c5f8fd0394f35df3b6adbec548e4405c9f346fd398853a729d48ffe1adfb162"
           },
           "SeveritySource": "ghsa",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-1025",
           "DataSource": {
             "ID": "ghsa",
             "Name": "GitHub Security Advisory Go",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
           },
           "Title": "Openshift-Gitops: Improper access control allows admin privilege escalation",
           "Description": "All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level.",
           "Severity": "HIGH",
           "CweIDs": [
             "CWE-284"
           ],
           "VendorSeverity": {
             "ghsa": 3,
             "nvd": 3,
             "redhat": 3
           },
           "CVSS": {
             "ghsa": {
               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
               "V3Score": 8.8
             },
             "nvd": {
               "V2Vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
               "V2Score": 9,
               "V3Score": 8.8
             },
             "redhat": {
               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
               "V3Score": 8.8
             }
           },
           "References": [
             "https://access.redhat.com/errata/RHSA-2022:1039",
             "https://access.redhat.com/errata/RHSA-2022:1040",
             "https://access.redhat.com/errata/RHSA-2022:1041",
             "https://access.redhat.com/errata/RHSA-2022:1042",
             "https://access.redhat.com/security/cve/CVE-2022-1025",
             "https://bugzilla.redhat.com/show_bug.cgi?id=2064682",
             "https://github.com/argoproj/argo-cd",
             "https://github.com/argoproj/argo-cd/commit/af03b291d4b7e9d3ce9a6580ae9c8141af0e05cf",
             "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2f5v-8r3f-8pww",
             "https://nvd.nist.gov/vuln/detail/CVE-2022-1025",
             "https://www.cve.org/CVERecord?id=CVE-2022-1025"
           ],
           "PublishedDate": "2022-07-12T21:15:09.277Z",
           "LastModifiedDate": "2023-11-07T03:41:42.847Z"
         },
         {
           "VulnerabilityID": "CVE-2022-24348",
           "PkgName": "github.com/argoproj/argo-cd/v2",
           "PkgIdentifier": {
             "PURL": "pkg:golang/github.com/argoproj/argo-cd/[email protected]",
             "UID": "6b7f96766b3680e6"
           },
           "InstalledVersion": "v0.26.11",
           "FixedVersion": "2.1.9, 2.2.4",
           "Status": "fixed",
           "Layer": {
             "Digest": "sha256:d3895b6c598fb3bdf085594fe75d4868906081f71fb074f93e4e00a609dda9de",
             "DiffID": "sha256:9c5f8fd0394f35df3b6adbec548e4405c9f346fd398853a729d48ffe1adfb162"
           },
           "SeveritySource": "ghsa",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24348",
           "DataSource": {
             "ID": "ghsa",
             "Name": "GitHub Security Advisory Go",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
           },
           "Title": "gitops: Path traversal and dereference of symlinks when passing Helm value files",
           "Description": "Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go. For example, an attacker may be able to discover credentials stored in a YAML file.",
           "Severity": "HIGH",
           "CweIDs": [
             "CWE-22"
           ],
           "VendorSeverity": {
             "ghsa": 3,
             "nvd": 3,
             "redhat": 3
           },
           "CVSS": {
             "ghsa": {
               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
               "V3Score": 7.7
             },
             "nvd": {
               "V2Vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
               "V2Score": 4,
               "V3Score": 7.7
             },
             "redhat": {
               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
               "V3Score": 7.7
             }
           },
           "References": [
             "https://access.redhat.com/security/cve/CVE-2022-24348",
             "https://apiiro.com/blog/malicious-kubernetes-helm-charts-can-be-used-to-steal-sensitive-information-from-argo-cd-deployments",
             "https://apiiro.com/blog/malicious-kubernetes-helm-charts-can-be-used-to-steal-sensitive-information-from-argo-cd-deployments/",
             "https://github.com/argoproj/argo-cd",
             "https://github.com/argoproj/argo-cd/commit/78c2084f0febd159039ff785ddc2bd4ba1cecf88",
             "https://github.com/argoproj/argo-cd/releases/tag/v2.1.9",
             "https://github.com/argoproj/argo-cd/releases/tag/v2.2.4",
             "https://github.com/argoproj/argo-cd/security/advisories/GHSA-63qx-x74g-jcr7",
             "https://nvd.nist.gov/vuln/detail/CVE-2022-24348",
             "https://www.cve.org/CVERecord?id=CVE-2022-24348"
           ],
           "PublishedDate": "2022-02-04T21:15:08.103Z",
           "LastModifiedDate": "2022-02-09T13:53:54.777Z"
         },
         {
           "VulnerabilityID": "CVE-2022-31034",
           "PkgName": "github.com/argoproj/argo-cd/v2",
           "PkgIdentifier": {
             "PURL": "pkg:golang/github.com/argoproj/argo-cd/[email protected]",
             "UID": "6b7f96766b3680e6"
           },
           "InstalledVersion": "v0.26.11",
           "FixedVersion": "2.1.16, 2.2.10, 2.3.5, 2.4.1",
           "Status": "fixed",
           "Layer": {
             "Digest": "sha256:d3895b6c598fb3bdf085594fe75d4868906081f71fb074f93e4e00a609dda9de",
             "DiffID": "sha256:9c5f8fd0394f35df3b6adbec548e4405c9f346fd398853a729d48ffe1adfb162"
           },
           "SeveritySource": "ghsa",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-31034",
           "DataSource": {
             "ID": "ghsa",
             "Name": "GitHub Security Advisory Go",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
           },
           "Title": "argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI.",
           "Description": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in Oauth2/OIDC login flows. In each case, using a relatively-predictable (time-based) seed in a non-cryptographically-secure pseudo-random number generator made the parameter less random than required by the relevant spec or by general best practices. In some cases, using too short a value made the entropy even less sufficient. The attacks on login flows which are meant to be mitigated by these parameters are difficult to accomplish but can have a high impact potentially granting an attacker admin access to Argo CD. Patches for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no known workarounds for this vulnerability.",
           "Severity": "HIGH",
           "CweIDs": [
             "CWE-331",
             "CWE-335",
             "CWE-330"
           ],
           "VendorSeverity": {
             "ghsa": 3,
             "nvd": 3,
             "redhat": 3
           },
           "CVSS": {
             "ghsa": {
               "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
               "V3Score": 8.3
             },
             "nvd": {
               "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
               "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
               "V2Score": 6.8,
               "V3Score": 8.1
             },
             "redhat": {
               "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
               "V3Score": 8.1
             }
           },
           "References": [
             "https://access.redhat.com/security/cve/CVE-2022-31034",
             "https://github.com/argoproj/argo-cd",
             "https://github.com/argoproj/argo-cd/commit/17f7f4f462bdb233e1b9b36f67099f41052d8cb0",
             "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v",
             "https://nvd.nist.gov/vuln/detail/CVE-2022-31034",
             "https://www.cve.org/CVERecord?id=CVE-2022-31034"
           ],
           "PublishedDate": "2022-06-27T19:15:08.393Z",
           "LastModifiedDate": "2023-07-21T17:09:01.26Z"
         },
         {
           "VulnerabilityID": "CVE-2024-22424",
           "PkgName": "github.com/argoproj/argo-cd/v2",
           "PkgIdentifier": {
             "PURL": "pkg:golang/github.com/argoproj/argo-cd/[email protected]",
             "UID": "6b7f96766b3680e6"
           },
           "InstalledVersion": "v0.26.11",
           "FixedVersion": "2.7.16, 2.8.8, 2.9.4, 2.10-rc2",
           "Status": "fixed",
           "Layer": {
             "Digest": "sha256:d3895b6c598fb3bdf085594fe75d4868906081f71fb074f93e4e00a609dda9de",
             "DiffID": "sha256:9c5f8fd0394f35df3b6adbec548e4405c9f346fd398853a729d48ffe1adfb162"
           },
           "SeveritySource": "ghsa",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-22424",
           "DataSource": {
             "ID": "ghsa",
             "Name": "GitHub Security Advisory Go",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
           },
           "Title": "argo-cd: vulnerable to a cross-server request forgery (CSRF) attack",
           "Description": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15 are vulnerable to a cross-server request forgery (CSRF) attack when the attacker has the ability to write HTML to a page on the same parent domain as Argo CD. A CSRF attack works by tricking an authenticated Argo CD user into loading a web page which contains code to call Argo CD API endpoints on the victim’s behalf. For example, an attacker could send an Argo CD user a link to a page which looks harmless but in the background calls an Argo CD API endpoint to create an application running malicious code. Argo CD uses the “Lax” SameSite cookie policy to prevent CSRF attacks where the attacker controls an external domain. The malicious external website can attempt to call the Argo CD API, but the web browser will refuse to send the Argo CD auth token with the request. Many companies host Argo CD on an internal subdomain. If an attacker can place malicious code on, for example, https://test.internal.example.com/, they can still perform a CSRF attack. In this case, the “Lax” SameSite cookie does not prevent the browser from sending the auth cookie, because the destination is a parent domain of the Argo CD API. Browsers generally block such attacks by applying CORS policies to sensitive requests with sensitive content types. Specifically, browsers will send a “preflight request” for POSTs with content type “application/json” asking the destination API “are you allowed to accept requests from my domain?” If the destination API does not answer “yes,” the browser will block the request. Before the patched versions, Argo CD did not validate that requests contained the correct content type header. So an attacker could bypass the browser’s CORS check by setting the content type to something which is considered “not sensitive” such as “text/plain.” The browser wouldn’t send the preflight request, and Argo CD would happily accept the contents (which are actually still JSON) and perform the requested action (such as running malicious code). A patch for this vulnerability has been released in the following Argo CD versions: 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15. The patch contains a breaking API change. The Argo CD API will no longer accept non-GET requests which do not specify application/json as their Content-Type. The accepted content types list is configurable, and it is possible (but discouraged) to disable the content type check completely. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
           "Severity": "HIGH",
           "CweIDs": [
             "CWE-352"
           ],
           "VendorSeverity": {
             "ghsa": 3,
             "nvd": 3,
             "redhat": 2
           },
           "CVSS": {
             "ghsa": {
               "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
               "V3Score": 8.3
             },
             "nvd": {
               "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
               "V3Score": 8.3
             },
             "redhat": {
               "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
               "V3Score": 8.3
             }
           },
           "References": [
             "https://access.redhat.com/security/cve/CVE-2024-22424",
             "https://github.com/argoproj/argo-cd",
             "https://github.com/argoproj/argo-cd/commit/0b459f224b3186707809be8240dfc3a6028f42a0",
             "https://github.com/argoproj/argo-cd/commit/13fe3ca589f6f2ded6001ce114e354602ed058b3",
             "https://github.com/argoproj/argo-cd/commit/3c5878ecf41581942281e9c95745f073bdfbf9c3",
             "https://github.com/argoproj/argo-cd/commit/f569aa105e0fe5940bc736c68e2fc90ee4a6ed94",
             "https://github.com/argoproj/argo-cd/issues/2496",
             "https://github.com/argoproj/argo-cd/pull/16860",
             "https://github.com/argoproj/argo-cd/security/advisories/GHSA-92mw-q256-5vwg",
             "https://nvd.nist.gov/vuln/detail/CVE-2024-22424",
             "https://www.cve.org/CVERecord?id=CVE-2024-22424"
           ],
           "PublishedDate": "2024-01-19T01:15:09.317Z",
           "LastModifiedDate": "2024-01-31T19:51:26.407Z"
         },
         {
           "VulnerabilityID": "GHSA-9763-4f94-gfch",
           "PkgName": "github.com/cloudflare/circl",
           "PkgIdentifier": {
             "PURL": "pkg:golang/github.com/cloudflare/[email protected]",
             "UID": "db8c6b7662dc99fb"
           },
           "InstalledVersion": "v1.3.3",
           "FixedVersion": "1.3.7",
           "Status": "fixed",
           "Layer": {
             "Digest": "sha256:d3895b6c598fb3bdf085594fe75d4868906081f71fb074f93e4e00a609dda9de",
             "DiffID": "sha256:9c5f8fd0394f35df3b6adbec548e4405c9f346fd398853a729d48ffe1adfb162"
           },
           "SeveritySource": "ghsa",
           "PrimaryURL": "https://github.com/advisories/GHSA-9763-4f94-gfch",
           "DataSource": {
             "ID": "ghsa",
             "Name": "GitHub Security Advisory Go",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
           },
           "Title": "CIRCL's Kyber: timing side-channel (kyberslash2)",
           "Description": "### Impact\nOn some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key.\n\nDoes not apply to ephemeral usage, such as when used in the regular way in TLS.\n\n### Patches\nPatched in 1.3.7.\n\n### References\n- [kyberslash.cr.yp.to](https://kyberslash.cr.yp.to/)",
           "Severity": "HIGH",
           "VendorSeverity": {
             "ghsa": 3
           },
           "References": [
             "https://github.com/cloudflare/circl",
             "https://github.com/cloudflare/circl/commit/75ef91e8a2f438e6ce2b6e620d236add8be1887d",
             "https://github.com/cloudflare/circl/security/advisories/GHSA-9763-4f94-gfch",
             "https://kyberslash.cr.yp.to"
           ]
         },
         {
           "VulnerabilityID": "CVE-2023-47108",
           "PkgName": "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc",
           "PkgIdentifier": {
             "PURL": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/[email protected]",
             "UID": "994268e638c40ed1"
           },
           "InstalledVersion": "v0.42.0",
           "FixedVersion": "0.46.0",
           "Status": "fixed",
           "Layer": {
             "Digest": "sha256:d3895b6c598fb3bdf085594fe75d4868906081f71fb074f93e4e00a609dda9de",
             "DiffID": "sha256:9c5f8fd0394f35df3b6adbec548e4405c9f346fd398853a729d48ffe1adfb162"
           },
           "SeveritySource": "ghsa",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-47108",
           "DataSource": {
             "ID": "ghsa",
             "Name": "GitHub Security Advisory Go",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
           },
           "Title": "opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics",
           "Description": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.",
           "Severity": "HIGH",
           "CweIDs": [
             "CWE-770"
           ],
           "VendorSeverity": {
             "amazon": 3,
             "cbl-mariner": 3,
             "ghsa": 3,
             "nvd": 3,
             "redhat": 2
           },
           "CVSS": {
             "ghsa": {
               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
               "V3Score": 7.5
             },
             "nvd": {
               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
               "V3Score": 7.5
             },
             "redhat": {
               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
               "V3Score": 7.5
             }
           },
           "References": [
             "https://access.redhat.com/security/cve/CVE-2023-47108",
             "https://github.com/open-telemetry/opentelemetry-go-contrib",
             "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/9d4eb7e7706038b07d33f83f76afbe13f53d171d/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go#L327",
             "https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/google.golang.org/grpc/otelgrpc/v0.45.0/instrumentation/google.golang.org/grpc/otelgrpc/config.go#L138",
             "https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b",
             "https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4322",
             "https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw",
             "https://nvd.nist.gov/vuln/detail/CVE-2023-47108",
             "https://pkg.go.dev/go.opentelemetry.io/otel/metric/noop#NewMeterProvider",
             "https://www.cve.org/CVERecord?id=CVE-2023-47108"
           ],
           "PublishedDate": "2023-11-10T19:15:16.41Z",
           "LastModifiedDate": "2023-11-20T19:34:26.493Z"
         }
       ]
     },
     {
       "Target": "usr/local/bin/helm",
       "Class": "lang-pkgs",
       "Type": "gobinary",
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2023-45288",
           "PkgName": "stdlib",
           "PkgIdentifier": {
             "PURL": "pkg:golang/[email protected]",
             "UID": "3cc0ba4e95f38ad3"
           },
           "InstalledVersion": "1.21.7",
           "FixedVersion": "1.21.9, 1.22.2",
           "Status": "fixed",
           "Layer": {
             "Digest": "sha256:c3bdabede85fb7d55f36f7c9055580e1580b9ae03f0487ddb1f64826698af12d",
             "DiffID": "sha256:48d4f43783d7ae96886c2220f39e5ee95598b450027b9a9efc82d378e44d270b"
           },
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-45288",
           "DataSource": {
             "ID": "govulndb",
             "Name": "The Go Vulnerability Database",
             "URL": "https://pkg.go.dev/vuln/"
           },
           "Title": "golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS",
           "Description": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.",
           "Severity": "HIGH",
           "VendorSeverity": {
             "alma": 3,
             "cbl-mariner": 3,
             "ghsa": 2,
             "oracle-oval": 3,
             "photon": 3,
             "redhat": 3
           },
           "CVSS": {
             "ghsa": {
               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
               "V3Score": 5.3
             },
             "redhat": {
               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
               "V3Score": 7.5
             }
           },
           "References": [
             "http://www.openwall.com/lists/oss-security/2024/04/03/16",
             "http://www.openwall.com/lists/oss-security/2024/04/05/4",
             "https://access.redhat.com/errata/RHSA-2024:2724",
             "https://access.redhat.com/security/cve/CVE-2023-45288",
             "https://bugzilla.redhat.com/2268017",
             "https://bugzilla.redhat.com/2268018",
             "https://bugzilla.redhat.com/2268019",
             "https://bugzilla.redhat.com/2268273",
             "https://errata.almalinux.org/9/ALSA-2024-2724.html",
             "https://go.dev/cl/576155",
             "https://go.dev/issue/65051",
             "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M",
             "https://linux.oracle.com/cve/CVE-2023-45288.html",
             "https://linux.oracle.com/errata/ELSA-2024-2724.html",
             "https://lists.fedoraproject.org/archives/list/[email protected]/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT",
             "https://lists.fedoraproject.org/archives/list/[email protected]/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/",
             "https://nowotarski.info/http2-continuation-flood-technical-details",
             "https://nowotarski.info/http2-continuation-flood/",
             "https://nvd.nist.gov/vuln/detail/CVE-2023-45288",
             "https://pkg.go.dev/vuln/GO-2024-2687",
             "https://security.netapp.com/advisory/ntap-20240419-0009",
             "https://security.netapp.com/advisory/ntap-20240419-0009/",
             "https://www.cve.org/CVERecord?id=CVE-2023-45288",
             "https://www.kb.cert.org/vuls/id/421644"
           ],
           "PublishedDate": "2024-04-04T21:15:16.113Z",
           "LastModifiedDate": "2024-05-01T18:15:10.493Z"
         }
       ]
     },
     {
       "Target": "usr/local/bin/kustomize",
       "Class": "lang-pkgs",
       "Type": "gobinary",
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2023-45283",
           "PkgName": "stdlib",
           "PkgIdentifier": {
             "PURL": "pkg:golang/[email protected]",
             "UID": "e08b8636b6aee5cc"
           },
           "InstalledVersion": "1.20.10",
           "FixedVersion": "1.20.11, 1.21.4, 1.20.12, 1.21.5",
           "Status": "fixed",
           "Layer": {
             "Digest": "sha256:4758150adff7465a68e26c0bdb93daddd2b1dbd0e3ba44da204be7b156201d53",
             "DiffID": "sha256:9b1a8b94e1f713d59c9d8d228480d91430c1d39f34e0f574910f4a3f678510da"
           },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-45283",
           "DataSource": {
             "ID": "govulndb",
             "Name": "The Go Vulnerability Database",
             "URL": "https://pkg.go.dev/vuln/"
           },
           "Title": "The filepath package does not recognize paths with a \\??\\ prefix as sp ...",
           "Description": "The filepath package does not recognize paths with a \\??\\ prefix as special. On Windows, a path beginning with \\??\\ is a Root Local Device path equivalent to a path beginning with \\\\?\\. Paths with a \\??\\ prefix may be used to access arbitrary locations on the system. For example, the path \\??\\c:\\x is equivalent to the more common path c:\\x. Before fix, Clean could convert a rooted path such as \\a\\..\\??\\b into the root local device path \\??\\b. Clean will now convert this to .\\??\\b. Similarly, Join(\\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \\??\\b. Join will now convert this to \\.\\??\\b. In addition, with fix, IsAbs now correctly reports paths beginning with \\??\\ as absolute, and VolumeName correctly reports the \\??\\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?, resulting in filepath.Clean(\\?\\c:) returning \\?\\c: rather than \\?\\c:\\ (among other effects). The previous behavior has been restored.",
           "Severity": "HIGH",
           "CweIDs": [
             "CWE-22"
           ],
           "VendorSeverity": {
             "amazon": 2,
             "bitnami": 3,
             "cbl-mariner": 3,
             "nvd": 3,
             "photon": 3
           },
           "CVSS": {
             "bitnami": {
               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
               "V3Score": 7.5
             },
             "nvd": {
               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
               "V3Score": 7.5
             }
           },
           "References": [
             "http://www.openwall.com/lists/oss-security/2023/12/05/2",
             "https://go.dev/cl/540277",
             "https://go.dev/cl/541175",
             "https://go.dev/issue/63713",
             "https://go.dev/issue/64028",
             "https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY",
             "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ",
             "https://nvd.nist.gov/vuln/detail/CVE-2023-45283",
             "https://pkg.go.dev/vuln/GO-2023-2185",
             "https://security.netapp.com/advisory/ntap-20231214-0008/"
           ],
           "PublishedDate": "2023-11-09T17:15:08.757Z",
           "LastModifiedDate": "2023-12-14T10:15:07.947Z"
         },
         {
           "VulnerabilityID": "CVE-2023-45288",
           "PkgName": "stdlib",
           "PkgIdentifier": {
             "PURL": "pkg:golang/[email protected]",
             "UID": "e08b8636b6aee5cc"
           },
           "InstalledVersion": "1.20.10",
           "FixedVersion": "1.21.9, 1.22.2",
           "Status": "fixed",
           "Layer": {
             "Digest": "sha256:4758150adff7465a68e26c0bdb93daddd2b1dbd0e3ba44da204be7b156201d53",
             "DiffID": "sha256:9b1a8b94e1f713d59c9d8d228480d91430c1d39f34e0f574910f4a3f678510da"
           },
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-45288",
           "DataSource": {
             "ID": "govulndb",
             "Name": "The Go Vulnerability Database",
             "URL": "https://pkg.go.dev/vuln/"
           },
           "Title": "golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS",
           "Description": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.",
           "Severity": "HIGH",
           "VendorSeverity": {
             "alma": 3,
             "cbl-mariner": 3,
             "ghsa": 2,
             "oracle-oval": 3,
             "photon": 3,
             "redhat": 3
           },
           "CVSS": {
             "ghsa": {
               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
               "V3Score": 5.3
             },
             "redhat": {
               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
               "V3Score": 7.5
             }
           },
           "References": [
             "http://www.openwall.com/lists/oss-security/2024/04/03/16",
             "http://www.openwall.com/lists/oss-security/2024/04/05/4",
             "https://access.redhat.com/errata/RHSA-2024:2724",
             "https://access.redhat.com/security/cve/CVE-2023-45288",
             "https://bugzilla.redhat.com/2268017",
             "https://bugzilla.redhat.com/2268018",
             "https://bugzilla.redhat.com/2268019",
             "https://bugzilla.redhat.com/2268273",
             "https://errata.almalinux.org/9/ALSA-2024-2724.html",
             "https://go.dev/cl/576155",
             "https://go.dev/issue/65051",
             "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M",
             "https://linux.oracle.com/cve/CVE-2023-45288.html",
             "https://linux.oracle.com/errata/ELSA-2024-2724.html",
             "https://lists.fedoraproject.org/archives/list/[email protected]/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT",
             "https://lists.fedoraproject.org/archives/list/[email protected]/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/",
             "https://nowotarski.info/http2-continuation-flood-technical-details",
             "https://nowotarski.info/http2-continuation-flood/",
             "https://nvd.nist.gov/vuln/detail/CVE-2023-45288",
             "https://pkg.go.dev/vuln/GO-2024-2687",
             "https://security.netapp.com/advisory/ntap-20240419-0009",
             "https://security.netapp.com/advisory/ntap-20240419-0009/",
             "https://www.cve.org/CVERecord?id=CVE-2023-45288",
             "https://www.kb.cert.org/vuls/id/421644"
           ],
           "PublishedDate": "2024-04-04T21:15:16.113Z",
           "LastModifiedDate": "2024-05-01T18:15:10.493Z"
         }
       ]
     }
   ]
 }

Operating System

ubuntu 22.04

Version

$ trivy --version
Version: 0.51.1

Checklist

Run trivy image --reset
Read the troubleshooting

knqyf263 · 2024-05-15T08:50:42Z

knqyf263
May 15, 2024
Maintainer

@DmitriyLewen Can you please take a look?

0 replies

DmitriyLewen · 2024-05-16T05:38:17Z

DmitriyLewen
May 16, 2024
Maintainer

Hello @FlorisFeddema

I discovered the reason for this behavior.
I created #6702 and am working on a solution.

Regards, Dmitriy

3 replies

FlorisFeddema May 16, 2024
Author

Thank you for the help with this issue! 🥇

While this would probably fix the issue with old cve's found in the argocd image. If I understand correctly it would not explain why different runs with the same trivy images, trivydb and argocd image result in different cve's found.
Do you have any idea why this happens?

DmitriyLewen May 16, 2024
Maintainer

We detect version of usr/local/bin/argocd using ldflags.
argocd has the following ldflags:

-X github.com/argoproj/argo-cd/v2/common.version=2.11.0 
 -X github.com/argoproj/argo-cd/v2/common.kubectlVersion=v0.26.11
...

Because we save all flags in map we will check keys in random order.
In one case we will take 2.11.0 version. In another case we can take v0.26.11.

I created #6705 to exclude *.<any_prefix>Version ldflugs.

FlorisFeddema May 16, 2024
Author

Ah that explains the behavior, thanks for the explanation!

Hope the issue will be fixed soon 😄

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Gobinary scan gives inconsistent results on image #6669

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 3 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Gobinary scan gives inconsistent results on image #6669

FlorisFeddema May 10, 2024

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 2 comments · 3 replies

knqyf263 May 15, 2024 Maintainer

DmitriyLewen May 16, 2024 Maintainer

FlorisFeddema May 16, 2024 Author

DmitriyLewen May 16, 2024 Maintainer

FlorisFeddema May 16, 2024 Author

FlorisFeddema
May 10, 2024

Replies: 2 comments 3 replies

knqyf263
May 15, 2024
Maintainer

DmitriyLewen
May 16, 2024
Maintainer

FlorisFeddema May 16, 2024
Author

DmitriyLewen May 16, 2024
Maintainer

FlorisFeddema May 16, 2024
Author