RLSA-2023:1141 not detected with container os scan #4634

Closed
2 tasks done
afdesk opened this issue Jun 14, 2023 Discussed in #4626 · 3 comments · Fixed by #4691
Labels
scan/vulnerability Issues relating to vulnerability scanning
Comments

@afdesk
Contributor

afdesk commented Jun 14, 2023

At first attempt it looks like a problem, because Trivy-DB doesn't have information about RLSA-2023:1141, but aquasecurity/vuln-list contains RLSA-2023:1141.json.

note: RLSA-2023:1141 is defined only for aarch64 packages: https://errata.rockylinux.org/RLSA-2023:1141

Discussed in #4626

Originally posted by joe-cheuk June 14, 2023

IDs

RLSA-2023:1141, CVE-2023-0361

Description

We tried to scan one of our container images and realized one of the CVE is not getting reported.

Reproduction Steps

1/
A normal OS scan is triggered:
> trivy image --scanners vuln --vuln-type os --format json <IMAGE> --output ~/Downloads/vout.json

2/
The following commands didn't output anything
- cat ~/Downloads/vout.json | grep CVE-2023-0361
- cat ~/Downloads/vout.json | grep RLSA-2023:1141

3/ Retriggering OS scan and listing all the packages on the same image:
> trivy image --scanners vuln --vuln-type os --format json <IMAGE> --output ~/Downloads/vout.json --list-all-pkgs

4/ Find gnutls library in the output and we can see that version `gnutls@3.7.6-12.el9_0.x86_64` is installed.

{
          "ID": "gnutls@3.7.6-12.el9_0.x86_64",
          "Name": "gnutls",
          "Version": "3.7.6",
          "Release": "12.el9_0",
          "Arch": "x86_64",
          "SrcName": "gnutls",
          "SrcVersion": "3.7.6",
          "SrcRelease": "12.el9_0",
          "Licenses": [
            "GPLv3+ and LGPLv2+"
          ],
          "Maintainer": "Rocky Enterprise Software Foundation",
          "DependsOn": [
            "[email protected]",
            "[email protected]_64",
            "[email protected]_64",
            "[email protected]_64",
            "[email protected]_64",
            "[email protected]_0.x86_64",
            "[email protected]_64",
            "[email protected]_64"
          ],
          "Layer": {
            "Digest": "sha256:5d7e16de9e63c217694b078d1c99f462e513de81f01ab8a3111e378128e83420",
            "DiffID": "sha256:a480c1f046c8ccdd2cb4ec5e4fc8583a4a34a1f40b9176ee294bc4203c9124ce"
          },
          "Digest": "md5:f794d86ae8c2a7857472aa5313cce683"
},


5/ Based on RLSA-2023:1141 / https://errata.rockylinux.org/RLSA-2023:1141
The fixed version is gnutls-0:3.7.6-18.el9_1
The expected behavior of the scanner would be flagging the installed library `gnutls@3.7.6-12.el9_0.x86_64` and asking for an update to a newer version.

Target

Container Image

Scanner

Vulnerability

Target OS

No response

Debug Output

trivy image --scanners vuln --vuln-type os --format json <IMAGE> --output ~/Downloads/vout.json --debug
2023-06-13T12:39:29.650-0700    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-06-13T12:39:29.663-0700    DEBUG   cache dir:  -
2023-06-13T12:39:29.664-0700    DEBUG   DB update was skipped because the local DB is the latest
2023-06-13T12:39:29.664-0700    DEBUG   DB Schema: 2, UpdatedAt: 2023-06-13 18:07:13.359109398 +0000 UTC, NextUpdate: 2023-06-14 00:07:13.359108998 +0000 UTC, DownloadedAt: 2023-06-13 18:43:10.59834 +0000 UTC
2023-06-13T12:39:29.664-0700    INFO    Vulnerability scanning is enabled
2023-06-13T12:39:29.664-0700    DEBUG   Vulnerability type:  [os]
2023-06-13T12:39:31.058-0700    DEBUG   Image ID: -
2023-06-13T12:39:31.058-0700    DEBUG   Diff IDs: [-]
2023-06-13T12:39:31.058-0700    DEBUG   Base Layers: [-]
2023-06-13T12:39:31.064-0700    INFO    Detected OS: rocky
2023-06-13T12:39:31.064-0700    INFO    Detecting Rocky Linux vulnerabilities...
2023-06-13T12:39:31.064-0700    DEBUG   Rocky Linux: os version: 9
2023-06-13T12:39:31.064-0700    DEBUG   Rocky Linux: the number of packages: 141

Version

trivy --version

Version: 0.42.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-06-13 18:07:13.359109398 +0000 UTC
  NextUpdate: 2023-06-14 00:07:13.359108998 +0000 UTC
  DownloadedAt: 2023-06-13 18:43:10.59834 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-06-12 00:58:09.155334694 +0000 UTC
  NextUpdate: 2023-06-15 00:58:09.155334094 +0000 UTC
  DownloadedAt: 2023-06-12 23:58:47.500035 +0000 UTC

Checklist

@afdesk
Contributor Author

afdesk commented Jun 14, 2023

@nikpivkin could you confirm it on your M1? )

@knqyf263 knqyf263 added the scan/vulnerability Issues relating to vulnerability scanning label Jun 14, 2023
@DmitriyLewen
Contributor

Fixing this bug requires making changes to Trivy-db. We are investigating this matter.

@DmitriyLewen
Contributor

Hello @joe-cheuk !
We are working on updating Trivy-db.

But for your case - you are using the x86_64 architecture, while the affected packages are packages for the aarch64 architecture.
Your package doesn't contain the vulnerability.
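The maintainer's point is that an advisory can be scoped to an architecture, so a correct matcher has to compare the package's `Arch` against the advisory's affected architectures before comparing versions. The following added example (not Trivy's or Trivy-DB's own code) shows that check next to a simplified RPM EVR comparison: the advisory record layout, the `arches` field and the two extra aarch64 packages are assumptions constructed for the example; the x86_64 gnutls package, the fixed version `0:3.7.6-18.el9_1` and the aarch64-only scope are the facts stated in this issue. Run with `arch_aware=False` it reproduces the reporter's expectation (the x86_64 package is flagged); with the default it reproduces Trivy's intended behaviour.

```python
import re

# Added example: an architecture-aware advisory matcher modelled on the
# matching Trivy does for Rocky Linux. Not Trivy's code; rpmvercmp below is a
# simplified re-implementation of rpm's label comparison (no '^' handling).

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings like rpm: numeric segments
    compare numerically, alphabetic ones lexically, numeric beats alphabetic,
    and '~' sorts before anything (so 1.0~rc1 < 1.0). Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
            continue  # "01" and "1" are equal numerically
        if xd != yd:
            return 1 if xd else -1
        return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0] == "~":  # the longer string continues with a pre-release marker
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def parse_evr(evr: str) -> tuple:
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def pkg_id(p: dict) -> str:
    """Trivy-style package ID, e.g. gnutls@3.7.6-12.el9_0.x86_64."""
    return f"{p['Name']}@{p['Version']}-{p['Release']}.{p['Arch']}"


# Constructed advisory record: fixed version and aarch64-only scope are from
# the issue; the record layout (in particular "arches") is an assumption.
ADVISORIES = [
    {
        "id": "RLSA-2023:1141",
        "cves": ["CVE-2023-0361"],
        "package": "gnutls",
        "fixed_version": "0:3.7.6-18.el9_1",
        "arches": {"aarch64"},
    },
]

# The first package is the reporter's gnutls from the --list-all-pkgs output
# above; the two aarch64 entries are constructed for the example.
PACKAGES = [
    {"Name": "gnutls", "Epoch": 0, "Version": "3.7.6", "Release": "12.el9_0", "Arch": "x86_64"},
    {"Name": "gnutls", "Epoch": 0, "Version": "3.7.6", "Release": "12.el9_0", "Arch": "aarch64"},
    {"Name": "gnutls", "Epoch": 0, "Version": "3.7.6", "Release": "18.el9_1", "Arch": "aarch64"},
]


def match_advisories(packages, advisories, arch_aware=True):
    """One finding per (package, advisory) pair whose installed EVR is below
    the fixed EVR. With arch_aware=True an advisory applies only to the
    architectures it lists, so the x86_64 gnutls is correctly not flagged."""
    findings = []
    for p in packages:
        installed = f"{p.get('Epoch', 0)}:{p['Version']}-{p['Release']}"
        for adv in advisories:
            if adv["package"] != p["Name"]:
                continue
            if arch_aware and p["Arch"] not in adv["arches"]:
                continue
            if evr_cmp(installed, adv["fixed_version"]) < 0:
                findings.append({"pkg": pkg_id(p), "advisory": adv["id"],
                                 "installed": installed, "fixed": adv["fixed_version"]})
    return findings


if __name__ == "__main__":
    for f in match_advisories(PACKAGES, ADVISORIES):
        print(f"{f['advisory']}: {f['pkg']} ({f['installed']} < {f['fixed']})")
```

The same EVR comparison is what makes `3.7.6-12.el9_0` sort below the fixed `3.7.6-18.el9_1` (release `12` < `18` numerically), so a version-only matcher would report the reporter's package; the architecture filter is the single condition that separates "not in the DB" from "not affected on this architecture", which is the distinction the maintainers draw here.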
