This issue was moved to a discussion.

trivy did not detect java libs #4046

Closed
tuananh opened this issue Apr 12, 2023 · 12 comments
Labels
triage/needs-information Indicates an issue needs more information in order to work on it. triage/support Indicates an issue that is a support question.

Comments

@tuananh

tuananh commented Apr 12, 2023

Description

trivy fails to detect java libs.

trivy image ghcr.io/tuananh/keycloak:21@sha256:d25133c58c4f61d7b190c583aa28127a695467b93a0aad5e03e3dbf1c1e0df39

grype can detect it

[image: grype output]

What did you expect to happen?

multiple java libs with cve detected.

What happened instead?

no cve got detected

Output of run with -debug:

[anh@nzxt-h1 ~]$ trivy image ghcr.io/tuananh/keycloak:21@sha256:d25133c58c4f61d7b190c583aa28127a695467b93a0aad5e03e3dbf1c1e0df39 --debug
2023-04-12T23:21:51.946+0700	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-04-12T23:21:51.948+0700	DEBUG	cache dir:  /home/anh/.cache/trivy
2023-04-12T23:21:51.949+0700	DEBUG	DB update was skipped because the local DB is the latest
2023-04-12T23:21:51.949+0700	DEBUG	DB Schema: 2, UpdatedAt: 2023-04-12 12:08:52.979817824 +0000 UTC, NextUpdate: 2023-04-12 18:08:52.979817624 +0000 UTC, DownloadedAt: 2023-04-12 16:16:19.952139687 +0000 UTC
2023-04-12T23:21:51.949+0700	INFO	Vulnerability scanning is enabled
2023-04-12T23:21:51.949+0700	DEBUG	Vulnerability type:  [os library]
2023-04-12T23:21:51.949+0700	INFO	Secret scanning is enabled
2023-04-12T23:21:51.949+0700	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-04-12T23:21:51.949+0700	INFO	Please see also https://aquasecurity.github.io/trivy/v0.39/docs/secret/scanning/#recommendation for faster secret detection
2023-04-12T23:21:51.950+0700	DEBUG	No secret config detected: trivy-secret.yaml
2023-04-12T23:21:51.950+0700	DEBUG	Image ID: sha256:47923052051e08c9aa075cddeb74e18948c5c3e7147c7af65ce0ea101561e337
2023-04-12T23:21:51.950+0700	DEBUG	Diff IDs: [sha256:eefcfb36bb12f4126ede36920d4ad07d55798e35c2135048e5d13a85dfdff0b6]
2023-04-12T23:21:51.950+0700	DEBUG	Base Layers: []
2023-04-12T23:21:51.950+0700	INFO	Detected OS: wolfi
2023-04-12T23:21:51.950+0700	INFO	Detecting Wolfi vulnerabilities...
2023-04-12T23:21:51.950+0700	DEBUG	wolfi: the number of packages: 18
2023-04-12T23:21:51.950+0700	INFO	Number of language-specific files: 0

ghcr.io/tuananh/keycloak:21@sha256:d25133c58c4f61d7b190c583aa28127a695467b93a0aad5e03e3dbf1c1e0df39 (wolfi 20230201)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Output of trivy -v:

Version: 0.39.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-04-12 12:08:52.979817824 +0000 UTC
  NextUpdate: 2023-04-12 18:08:52.979817624 +0000 UTC
  DownloadedAt: 2023-04-12 16:16:19.952139687 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-04-11 00:49:16.041763263 +0000 UTC
  NextUpdate: 2023-04-14 00:49:16.041762763 +0000 UTC
  DownloadedAt: 2023-04-11 06:47:30.060282076 +0000 UTC

Additional details (base image name, container registry info...):

https://github.com/tuananh/keycloak

@tuananh tuananh added the kind/bug Categorizes issue or PR as related to a bug. label Apr 12, 2023
@knqyf263 knqyf263 added triage/support Indicates an issue that is a support question. triage/needs-information Indicates an issue needs more information in order to work on it. and removed kind/bug Categorizes issue or PR as related to a bug. labels Apr 12, 2023
@knqyf263
Collaborator

@tuananh Do you think which JAR file should be detected? Are you sure those vulnerabilities should be detected? Could you share more detail?
People are likely confused between false positives and true negatives and assume that a false positive is correct, so we first need to check what is the correct result.

@tuananh
Author

tuananh commented Apr 13, 2023 via email

@DmitriyLewen
Contributor

Hello @tuananh
Thanks for your report!

These jars are installed from apk. We skip system files (installed from package managers):

bash-5.2$ cat /lib/apk/db/installed | grep jar
R:jar
R:jarsigner
F:usr/lib/jvm/openjdk-jre/legal/jdk.jartool
R:jrt-fs.jar
R:keycloak-admin-cli-21.0.2.jar
R:keycloak-client-registration-cli-21.0.2.jar
R:bcprov-jdk15on-1.70.jar
R:keycloak-crypto-default-21.0.2.jar
R:keycloak-crypto-fips1402-21.0.2.jar
...

Similar case - #4043 (comment)

Regards, Dmitriy

@tuananh
Author

tuananh commented Apr 18, 2023

Hi @DmitriyLewen

Is there a flag to "not skip it"? I saw the skip flag in the other issue but I don't want to skip.

UPDATE: my bad, it seems like I need to skip this file? /lib/apk/db/installed?

@tuananh
Author

tuananh commented Apr 18, 2023

@DmitriyLewen it works but if I do skip /lib/apk/db/installed, does it ignore other system packages?

trivy image --skip-files "/lib/apk/db/installed" ghcr.io/tuananh/keycloak:21@sha256:d25133c58c4f61d7b190c583aa28127a695467b93a0aad5e03e3dbf1c1e0df39
2023-04-18T14:41:06.277+0700	INFO	Need to update DB
2023-04-18T14:41:06.277+0700	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-04-18T14:41:06.277+0700	INFO	Downloading DB...
36.61 MiB / 36.61 MiB [-------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 23.45 MiB p/s 1.8s
2023-04-18T14:41:10.283+0700	INFO	Vulnerability scanning is enabled
2023-04-18T14:41:10.283+0700	INFO	Secret scanning is enabled
2023-04-18T14:41:10.283+0700	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-04-18T14:41:10.283+0700	INFO	Please see also https://aquasecurity.github.io/trivy/v0.39/docs/secret/scanning/#recommendation for faster secret detection
2023-04-18T14:41:11.689+0700	INFO	JAR files found
2023-04-18T14:41:11.703+0700	INFO	Java DB Repository: ghcr.io/aquasecurity/trivy-java-db:1
2023-04-18T14:41:11.703+0700	INFO	Downloading the Java DB...
421.22 MiB / 421.22 MiB [------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 16.35 MiB p/s 26s
2023-04-18T14:41:40.035+0700	INFO	The Java DB is cached for 3 days. If you want to update the database more frequently, the '--reset' flag clears the DB cache.
2023-04-18T14:41:40.051+0700	INFO	Analyzing JAR files takes a while...
2023-04-18T14:41:40.123+0700	WARN	No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.
2023-04-18T14:41:40.123+0700	WARN	e.g. files under "/lib/apk/db/", "/var/lib/dpkg/" and "/var/lib/rpm"
2023-04-18T14:41:40.123+0700	INFO	Detected OS: wolfi
2023-04-18T14:41:40.123+0700	INFO	Detecting Wolfi vulnerabilities...
2023-04-18T14:41:40.123+0700	INFO	Number of language-specific files: 1
2023-04-18T14:41:40.123+0700	INFO	Detecting jar vulnerabilities...

ghcr.io/tuananh/keycloak:21@sha256:d25133c58c4f61d7b190c583aa28127a695467b93a0aad5e03e3dbf1c1e0df39 (wolfi 20230201)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

2023-04-18T14:41:40.143+0700	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 1)

┌───────────────────────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│                      Library                      │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
├───────────────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ com.h2database:h2 (com.h2database.h2-2.1.214.jar) │ CVE-2022-45868 │ HIGH     │ 2.1.214           │               │ The web-based admin console in H2 Database Engine through    │
│                                                   │                │          │                   │               │ 2.1.214 can ...                                              │
│                                                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-45868                   │
├───────────────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ io.vertx:vertx-web (io.vertx.vertx-web-4.3.4.jar) │ CVE-2023-24815 │ MEDIUM   │ 4.3.4             │ 4.3.8         │ StaticHandler disclosure of classpath resources on Windows   │
│                                                   │                │          │                   │               │ when mounted on a wildcard...                                │
│                                                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-24815                   │
├───────────────────────────────────────────────────┼────────────────┤          ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ org.keycloak:keycloak-core                        │ CVE-2023-0105  │          │ 21.0.2            │               │ keycloak: impersonation and lockout possible through         │
│ (org.keycloak.keycloak-core-21.0.2.jar)           │                │          │                   │               │ incorrect handling of email trust                            │
│                                                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0105                    │
├───────────────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ org.yaml:snakeyaml (org.yaml.snakeyaml-1.33.jar)  │ CVE-2022-1471  │ CRITICAL │ 1.33              │ 2.0           │ SnakeYaml: Constructor Deserialization Remote Code Execution │
│                                                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-1471                    │
└───────────────────────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

I'm seeing this in the logs

WARN	No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages

If that's the case, I will need to scan twice and combine the output?

@DmitriyLewen
Contributor

Our opinion - if a package is installed from the package manager - the OS vendor is responsible for this package and all included files - https://aquasecurity.github.io/trivy/v0.40/docs/vulnerability/detection/data-source/.

if I do skip /lib/apk/db/installed

So this way can contain false positives.

Is there a flag to "not skip it"? I saw the skip flag in the other issue but I don't want to skip.

That is why we don't have an option for this.

I will need to scan twice and combine output?

Right. But this is a workaround and you do it at your own risk.

@tuananh
Author

tuananh commented Apr 18, 2023

I see. But what happens for those of us who package the application ourselves into formats like deb/apk/etc. for deployment?

@DmitriyLewen
Contributor

Hm... that is a good question!

@knqyf263 wdyt? We may need to add a flag to be able to exclude some files from system files in order to scan them as language files.

@knqyf263
Collaborator

knqyf263 commented Apr 18, 2023

@DmitriyLewen Thanks for sorting this out.

@tuananh As Dmitriy explained, we should use security advisories from the OS vendor if the package is distributed by vendor because it could have backport fixes. For example, CVE-2023-0465 has a backport patch in Wolfi, fixed in 3.1.0-r2, while upstream OpenSSL fixed that in 3.1.1. If we use upstream advisories, 3.1.0-r2 looks vulnerable, resulting in a false positive.

https://github.com/wolfi-dev/os/blob/c787a63d32cbd4500ff1a6c76182389f0a2ee7c7/openssl.yaml#L250-L253

This is why we use vendor advisories; otherwise, it brings a lot of false positives. Hence, I think the right approach here is to report the vulnerability to Wolfi's keycloak package.
https://github.com/wolfi-dev/os/blob/c787a63d32cbd4500ff1a6c76182389f0a2ee7c7/keycloak.yaml#L60-L78

But if you don't want to trust Wolfi's advisories and accept false positives and duplications, it may be worth adding such an option as you asked.

I see. But what happens for those of us who package the application ourselves into formats like deb/apk/etc. for deployment?

Trivy checks OS vendors and tries not to skip files installed by 3rd-party packages.

var osVendors = []string{
	"Amazon Linux",          // Amazon Linux 1
	"Amazon.com",            // Amazon Linux 2
	"CentOS",                // CentOS
	"Fedora Project",        // Fedora
	"Oracle America",        // Oracle Linux
	"Red Hat",               // Red Hat
	"AlmaLinux",             // AlmaLinux
	"CloudLinux",            // AlmaLinux
	"VMware",                // Photon OS
	"SUSE",                  // SUSE Linux Enterprise
	"openSUSE",              // openSUSE
	"Microsoft Corporation", // CBL-Mariner
	"Rocky",                 // Rocky Linux
}
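The `grep jar` listing earlier in the thread shows only bare `R:` file names. The script below, added here and not Trivy's own code, rebuilds full paths from a constructed `/lib/apk/db/installed` excerpt and applies the rule described in this comment: JARs owned by a package whose maintainer matches the OS vendor list are left to the vendor's advisories, while JARs from any other package would be scanned as language files. The vendor list is the one quoted above; adding `Wolfi` to it and using substring matching are assumptions of this example.

```python
# OS vendor list quoted in the comment above (Trivy compares rpm Vendor fields
# against it). Adding "Wolfi" and using substring matching are assumptions made
# for this apk illustration, not Trivy's exact rule.
OS_VENDORS = ["Amazon Linux", "Amazon.com", "CentOS", "Fedora Project", "Oracle America",
              "Red Hat", "AlmaLinux", "CloudLinux", "VMware", "SUSE", "openSUSE",
              "Microsoft Corporation", "Rocky", "Wolfi"]  # "Wolfi": assumption, see above

# Constructed /lib/apk/db/installed excerpt: P package, V version, m maintainer, F dir, R file.
SAMPLE_APK_DB = """\
P:keycloak
V:21.0.2-r0
m:Wolfi Maintainers <maintainers@example.invalid>
F:usr/lib/keycloak/lib/lib/main
R:org.keycloak.keycloak-core-21.0.2.jar
R:org.yaml.snakeyaml-1.33.jar

P:acme-app
V:1.0.0-r0
m:Example Corp <build@example.invalid>
F:opt/acme/lib
R:acme-service-1.0.0.jar
"""

def parse_installed_db(text):
    """Return [{'name', 'version', 'maintainer', 'files'}] with full file paths."""
    pkgs, cur, cwd = [], None, ""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "P":  # a new package record; F/R lines that follow belong to it
            cur, cwd = {"name": value, "version": "", "maintainer": "", "files": []}, ""
            pkgs.append(cur)
        elif key == "V":
            cur["version"] = value
        elif key == "m":
            cur["maintainer"] = value
        elif key == "F":  # F sets the directory for the R entries that follow
            cwd = value
        elif key == "R":
            cur["files"].append(f"/{cwd}/{value}" if cwd else f"/{value}")
    return pkgs

def classify_jars(pkgs):
    """JAR path -> ('system' | 'language', owning package); 'system' jars go to vendor advisories."""
    out = {}
    for p in pkgs:
        os_pkg = any(v in p["maintainer"] for v in OS_VENDORS)
        for f in p["files"]:
            if f.endswith(".jar"):
                out[f] = ("system" if os_pkg else "language", f"{p['name']}-{p['version']}")
    return out
```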

@knqyf263
Collaborator

How about --third-party-ospkg keycloak? I'm still thinking of a better name. Feedback welcome☺️

@tuananh
Author

tuananh commented Apr 18, 2023

It's not very clear about the purpose of the flag, but I couldn't think of a better one.

@DmitriyLewen
Contributor

Hello @knqyf263, @tuananh

I created #4109 to add this flag, as we said.
Can you take a look?

@aquasecurity aquasecurity locked and limited conversation to collaborators May 7, 2023
@knqyf263 knqyf263 converted this issue into discussion #4209 May 7, 2023
