Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

False Positives being reported from Trivy 0.24.2 - oraclelinux:8 image #1967

Closed
istaveren opened this issue Apr 8, 2022 · 11 comments · Fixed by #7858
Closed

False Positives being reported from Trivy 0.24.2 - oraclelinux:8 image #1967

istaveren opened this issue Apr 8, 2022 · 11 comments · Fixed by #7858
Assignees
@DmitriyLewen
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor.
Milestone
v0.58.0

Comments

@istaveren
Copy link

Description

When you scan an oraclelinux:8 image

What did you expect to happen?

There should not be any issue

It thinks I need 10:1.8.5-6.el8_fips -> https://linux.oracle.com/errata/ELSA-2022-9263.html
Where https://github.com/aquasecurity/vuln-list/blob/main/oval/oracle/2021/ELSA-2021-4409.json looks ok.

Related to #issue 736

What happened instead?

I got vulnerabilities

$ trivy i oraclelinux:8
2022-04-08T14:47:57.903Z	INFO	Detected OS: oracle
2022-04-08T14:47:57.903Z	INFO	Detecting Oracle Linux vulnerabilities...
2022-04-08T14:47:57.910Z	INFO	Number of language-specific files: 0

oraclelinux:8 (oracle 8.5)
==========================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

+-----------+------------------+----------+-------------------+--------------------------+---------------------------------------+
|  LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |      FIXED VERSION       |                 TITLE                 |
+-----------+------------------+----------+-------------------+--------------------------+---------------------------------------+
| gnutls    | CVE-2021-20231   | MEDIUM   | 3.6.16-4.el8      | 10:3.6.16-4.0.1.el8_fips | gnutls: Use after free in             |
|           |                  |          |                   |                          | client key_share extension            |
|           |                  |          |                   |                          | -->avd.aquasec.com/nvd/cve-2021-20231 |
+           +------------------+          +                   +                          +---------------------------------------+
|           | CVE-2021-20232   |          |                   |                          | gnutls: Use after free                |
|           |                  |          |                   |                          | in client_send_params in              |
|           |                  |          |                   |                          | lib/ext/pre_shared_key.c              |
|           |                  |          |                   |                          | -->avd.aquasec.com/nvd/cve-2021-20232 |
+           +------------------+          +                   +                          +---------------------------------------+
|           | CVE-2021-3580    |          |                   |                          | nettle: Remote crash                  |
|           |                  |          |                   |                          | in RSA decryption via                 |
|           |                  |          |                   |                          | manipulated ciphertext                |
|           |                  |          |                   |                          | -->avd.aquasec.com/nvd/cve-2021-3580  |
+-----------+------------------+          +-------------------+--------------------------+---------------------------------------+
| libgcrypt | CVE-2021-33560   |          | 1.8.5-6.el8       | 10:1.8.5-6.el8_fips      | libgcrypt: mishandles ElGamal         |
|           |                  |          |                   |                          | encryption because it lacks           |
|           |                  |          |                   |                          | exponent blinding to address a...     |
|           |                  |          |                   |                          | -->avd.aquasec.com/nvd/cve-2021-33560 |
+-----------+------------------+----------+-------------------+--------------------------+---------------------------------------+

Output of run with -debug:

$ trivy --debug i oraclelinux:8        
2022-04-08T14:48:41.466Z	DEBUG	Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-04-08T14:48:41.468Z	DEBUG	cache dir:  /home/scanner/.cache/trivy
2022-04-08T14:48:41.468Z	DEBUG	DB update was skipped because the local DB is the latest
2022-04-08T14:48:41.469Z	DEBUG	DB Schema: 2, UpdatedAt: 2022-04-08 12:06:46.349271271 +0000 UTC, NextUpdate: 2022-04-08 18:06:46.349271071 +0000 UTC, DownloadedAt: 2022-04-08 13:50:49.650469224 +0000 UTC
2022-04-08T14:48:41.469Z	DEBUG	Vulnerability type:  [os library]
2022-04-08T14:48:44.980Z	DEBUG	Image ID: sha256:e6ca9618a97becacf7688f253c089da43cd8b041f9084b850746567b5553148e
2022-04-08T14:48:44.980Z	DEBUG	Diff IDs: [sha256:ca93c0cdf7fc9a33979ba26402ef52dafa075236d2c69adacf11e935bdcd2fa5]
2022-04-08T14:48:44.985Z	INFO	Detected OS: oracle
2022-04-08T14:48:44.986Z	INFO	Detecting Oracle Linux vulnerabilities...
2022-04-08T14:48:44.986Z	DEBUG	Oracle Linux: os version: 8
2022-04-08T14:48:44.986Z	DEBUG	Oracle Linux: the number of packages: 182
2022-04-08T14:48:44.991Z	INFO	Number of language-specific files: 0

oraclelinux:8 (oracle 8.5)
==========================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

+-----------+------------------+----------+-------------------+--------------------------+---------------------------------------+
|  LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |      FIXED VERSION       |                 TITLE                 |
+-----------+------------------+----------+-------------------+--------------------------+---------------------------------------+
| gnutls    | CVE-2021-20231   | MEDIUM   | 3.6.16-4.el8      | 10:3.6.16-4.0.1.el8_fips | gnutls: Use after free in             |
|           |                  |          |                   |                          | client key_share extension            |
|           |                  |          |                   |                          | -->avd.aquasec.com/nvd/cve-2021-20231 |
+           +------------------+          +                   +                          +---------------------------------------+
|           | CVE-2021-20232   |          |                   |                          | gnutls: Use after free                |
|           |                  |          |                   |                          | in client_send_params in              |
|           |                  |          |                   |                          | lib/ext/pre_shared_key.c              |
|           |                  |          |                   |                          | -->avd.aquasec.com/nvd/cve-2021-20232 |
+           +------------------+          +                   +                          +---------------------------------------+
|           | CVE-2021-3580    |          |                   |                          | nettle: Remote crash                  |
|           |                  |          |                   |                          | in RSA decryption via                 |
|           |                  |          |                   |                          | manipulated ciphertext                |
|           |                  |          |                   |                          | -->avd.aquasec.com/nvd/cve-2021-3580  |
+-----------+------------------+          +-------------------+--------------------------+---------------------------------------+
| libgcrypt | CVE-2021-33560   |          | 1.8.5-6.el8       | 10:1.8.5-6.el8_fips      | libgcrypt: mishandles ElGamal         |
|           |                  |          |                   |                          | encryption because it lacks           |
|           |                  |          |                   |                          | exponent blinding to address a...     |
|           |                  |          |                   |                          | -->avd.aquasec.com/nvd/cve-2021-33560 |
+-----------+------------------+----------+-------------------+--------------------------+---------------------------------------+

Output of trivy -v:

$ trivy -v i oraclelinux:8 
Version: 0.24.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-04-08 12:06:46.349271271 +0000 UTC
  NextUpdate: 2022-04-08 18:06:46.349271071 +0000 UTC
  DownloadedAt: 2022-04-08 13:50:49.650469224 +0000 UTC

Additional details (base image name, container registry info...):
@istaveren istaveren added the kind/bug Categorizes issue or PR as related to a bug. label Apr 8, 2022
@tvierling
Copy link

(Disclaimer: I'm in the Oracle Linux support/development group.)

Basically this is similar to issue #736.

Oracle Linux ships with up to three flavors of system packages for different purposes:

  • normal
  • Ksplice Userspace
  • FIPS-validated

The user determines which flavor is installed based on their system requirements, but Oracle issues advisories (ELSAs) and related OpenSCAP (OVAL) data for all three flavors. So scanning all available ELSAs will result in false positives if the ELSA is for a different flavor than the one installed.

Basically, scans should do a heuristic to determine whether to apply an ELSA to the system, with the following logic:

  1. If the ELSA package version string contains _fips, only scan against this ELSA if the installed package(s) include _fips in the version string.
  2. If the ELSA package version string contains .ksplice, only scan against this ELSA if the installed package(s) include .ksplice in the version string.
  3. Otherwise, scan as normal.

Note that these apply to the version string component of the package and not the package name, but inclusion of the leading _ and . in cases 1 and 2 respectively should ensure that this is done correctly.

This logic should be applied to both OL7 and OL8. Whether this should be a rule added to each ELSA scan or at some higher level I don't know, that depends on how Trivy is structured.

If this needs to be at a per-DB-entry level, you can limit the special-case logic to only the packages covered by that special case:

  • Ksplice Userspace (.ksplice) : only glibc, openssl, and their resultant subpackages.
  • FIPS-validated (_fips): packages which ship in the Security Validation repos for OL7 and OL8 (linked here)

@tvierling
Copy link

FWIW please feel free to email me at my work email address ([email protected]) if any clarification is needed on the above, we're happy to help Trivy developers on any Oracle Linux related issue.

@gilbode gilbode mentioned this issue Apr 12, 2022
Closed
4 tasks
This was referenced Jun 3, 2022
Closed
Closed
@github-actions
Copy link

github-actions bot commented Jun 8, 2022

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Jun 8, 2022
@bpfoster
Copy link
Contributor

bpfoster commented Jun 8, 2022

Unstale

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Jun 9, 2022
@bpfoster bpfoster mentioned this issue Jun 9, 2022
Merged
@sys-ops
Copy link

sys-ops commented Jul 13, 2022

istaveren, my temporary workaround for this issue is:

FROM oraclelinux:8

RUN set -ex && \
    microdnf update && \
    microdnf install dnf && \
    dnf -y install https://yum.oracle.com/repo/OracleLinux/OL8/4/security/validation/x86_64/getPackage/gnutls-3.6.16-4.0.1.el8_fips.x86_64.rpm && \
    dnf -y install https://yum.oracle.com/repo/OracleLinux/OL8/4/security/validation/x86_64/getPackage/libgcrypt-1.8.5-7.el8_6_fips.x86_64.rpm && \
    microdnf clean all && \
    rm -rf /tmp/* /var/cache/dnf/* /var/cache/yum/* /var/lib/dnf/* /var/lib/rpm/*

@tvierling tvierling mentioned this issue Aug 31, 2022
Open
@github-actions
Copy link

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Sep 13, 2022
@bpfoster
Copy link
Contributor

Unstale

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Sep 14, 2022
@tvierling tvierling mentioned this issue Dec 23, 2022
Closed
@github-actions
Copy link

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label May 18, 2023
@knqyf263 knqyf263 added lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. labels May 18, 2023
@amardeep2006
Copy link

istaveren, my temporary workaround for this issue is:

FROM oraclelinux:8

RUN set -ex && \
    microdnf update && \
    microdnf install dnf && \
    dnf -y install https://yum.oracle.com/repo/OracleLinux/OL8/4/security/validation/x86_64/getPackage/gnutls-3.6.16-4.0.1.el8_fips.x86_64.rpm && \
    dnf -y install https://yum.oracle.com/repo/OracleLinux/OL8/4/security/validation/x86_64/getPackage/libgcrypt-1.8.5-7.el8_6_fips.x86_64.rpm && \
    microdnf clean all && \
    rm -rf /tmp/* /var/cache/dnf/* /var/cache/yum/* /var/lib/dnf/* /var/lib/rpm/*

Thanks , this was helpful. It was easy to apply patch than convincing security guys that it is false positive .

@MiahaCybersec MiahaCybersec mentioned this issue May 11, 2024
Closed
@SaptarshiSarkar12 SaptarshiSarkar12 mentioned this issue Sep 5, 2024
Closed
@SaptarshiSarkar12
Copy link

SaptarshiSarkar12 commented Sep 6, 2024
edited
Loading

In my Open-Source project Drifty, two docker images are published namely drifty-cli and drifty-gui with their base runtime images being oraclelinux:9-slim. I use Trivy to check for vulnerabilities and recently, I started using Copa and it could fix only some vulnerable packages except the FIPS ones.
Currently, Trivy reports gnutls and nss packages to be vulnerable in oraclelinux:9-slim docker image but docker scout did not report such vulnerability. Is the report false positive? Please let me know.
Some reference CVE links provided by Trivy:

@SaptarshiSarkar12
Copy link

@knqyf263 May I know the progress of this issue? This terrible bug is causing problem to manually mark them false positive.

@knqyf263 knqyf263 added this to the v0.57.0 milestone Oct 7, 2024
@DmitriyLewen DmitriyLewen mentioned this issue Oct 22, 2024
Closed
@DmitriyLewen DmitriyLewen modified the milestones: v0.57.0, v0.58.0 Oct 29, 2024
@DmitriyLewen DmitriyLewen mentioned this issue Nov 2, 2024
Merged
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@DmitriyLewen DmitriyLewen

Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor.
Projects
Trivy Roadmap
Status: No status
Milestone
v0.58.0
8 participants
@istaveren @bpfoster @tvierling @knqyf263 @sys-ops @amardeep2006 @DmitriyLewen @SaptarshiSarkar12