
False Positives being reported from Trivy 0.12.0 - oraclelinux:7-slim image #736

Closed
Morgan3709634 opened this issue Nov 5, 2020 · 3 comments · Fixed by #745
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@Morgan3709634

Description

Building Oracle Linux JRE8 image (https://github.com/oracle/docker-images/blob/master/OracleJava/8/Dockerfile). Post build I have scanned this image with AquaSec Trivy 0.12.0 and noticed it has multiple vulnerabilities associated with it:

Vulnerability ID | Package | Installed version | Fixed version
ELSA-2016-3515 | glibc | 2.17-317.0.1.el7 | 2:2.17-106.0.1.ksplice1.el7_2.4
CVE-2016-3075 | glibc | 2.17-317.0.1.el7 | 2:2.17-157.ksplice1.el7
CVE-2017-1000364 | glibc | 2.17-317.0.1.el7 | 2:2.17-157.ksplice1.el7_3.4
ELSA-2017-3601 | glibc | 2.17-317.0.1.el7 | 2:2.17-196.ksplice1.el7
ELSA-2018-4078 | glibc | 2.17-317.0.1.el7 | 2:2.17-222.ksplice1.el7
ELSA-2018-4266 | glibc | 2.17-317.0.1.el7 | 2:2.17-260.0.9.ksplice1.el7
ELSA-2019-4753 | glibc | 2.17-317.0.1.el7 | 2:2.17-292.0.1.ksplice1.el7
ELSA-2016-3515 | glibc-common | 2.17-317.0.1.el7 | 2:2.17-106.0.1.ksplice1.el7_2.4
CVE-2016-3075 | glibc-common | 2.17-317.0.1.el7 | 2:2.17-157.ksplice1.el7
CVE-2017-1000364 | glibc-common | 2.17-317.0.1.el7 | 2:2.17-157.ksplice1.el7_3.4
ELSA-2017-3601 | glibc-common | 2.17-317.0.1.el7 | 2:2.17-196.ksplice1.el7
ELSA-2018-4078 | glibc-common | 2.17-317.0.1.el7 | 2:2.17-222.ksplice1.el7
ELSA-2018-4266 | glibc-common | 2.17-317.0.1.el7 | 2:2.17-260.0.9.ksplice1.el7
ELSA-2019-4753 | glibc-common | 2.17-317.0.1.el7 | 2:2.17-292.0.1.ksplice1.el7
CVE-2016-0799 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.1e-51.ksplice1.el7_2.5
CVE-2016-2108 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.1e-51.ksplice1.el7_2.5
CVE-2016-2177 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.1e-51.ksplice1.el7_2.7
CVE-2016-2182 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.1e-51.ksplice1.el7_2.7
CVE-2016-2842 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.1e-51.ksplice1.el7_2.5
CVE-2016-2105 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.1e-51.ksplice1.el7_2.5
CVE-2016-2106 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.1e-51.ksplice1.el7_2.5
CVE-2016-2109 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.1e-51.ksplice1.el7_2.5
CVE-2016-2179 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.1e-51.ksplice1.el7_2.7
CVE-2016-2180 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.1e-51.ksplice1.el7_2.7
CVE-2016-2181 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.1e-51.ksplice1.el7_2.7
CVE-2016-6302 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.1e-51.ksplice1.el7_2.7
CVE-2016-6304 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.1e-51.ksplice1.el7_2.7
ELSA-2016-3523 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.1e-51.ksplice1.el7_2.4
ELSA-2018-4077 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.2k-12.0.1.ksplice1.el7
ELSA-2018-4253 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.2k-12.0.3.ksplice1.el7
ELSA-2018-4267 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.2k-16.0.1.ksplice1.el7
ELSA-2019-4581 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.2k-16.0.1.ksplice1.el7_6.1
CVE-2016-2107 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.1e-51.ksplice1.el7_2.5
CVE-2016-2178 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.1e-51.ksplice1.el7_2.7
CVE-2016-6306 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.1e-51.ksplice1.el7_2.7
ELSA-2017-3518 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.1e-60.ksplice1.el7_3.1
ELSA-2019-4754 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.2k-19.0.1.ksplice1.el7

Checking with Oracle:

I'm not even sure why Trivy is reporting any of those issues. They're all false positives. Also note that we do not use Ksplice for User Space inside our container images, so even the suggested fixed version is wrong here......

@knqyf263
Collaborator

@masahiro331 Could you look into it?

@masahiro331
Contributor

@knqyf263 I'll have a look.

@masahiro331
Contributor

masahiro331 commented Nov 15, 2020

@Morgan3709634

Also, these vulnerabilities are fixed in the ksplice patch only.

For example, this case:

ELSA-2019-4754 | openssl-libs | 1:1.0.2k-19.0.1.el7 | 2:1.0.2k-19.0.1.ksplice1.el7 

This is the Oracle security advisory.
see: https://linux.oracle.com/security/oval/
https://linux.oracle.com/security/oval/com.oracle.elsa-all.xml.bz2

<definition id="oval:com.oracle.elsa:def:20194754" version="501" class="patch">
<metadata>
<title>
ELSA-2019-4754:  openssl security update (MODERATE)
</title>
<affected family="unix">
<platform>Oracle Linux 7</platform>

</affected>
<reference source="elsa" ref_id="ELSA-2019-4754" ref_url="https://linux.oracle.com/errata/ELSA-2019-4754.html"/>

<description>
[1.0.2k-19.0.1]
- Bump release for rebuild.

[1.0.2k-19]
- close the RSA decryption 9 lives of Bleichenbacher cat
  timing side channel (#1649568)

[1.0.2k-18]
- fix CVE-2018-0734 - DSA signature local timing side channel
- fix CVE-2019-1559 - 0-byte record padding oracle
- close the RSA decryption One &amp; done EM side channel (#1619558)

[1.0.2k-17]
- use SHA-256 in FIPS RSA pairwise key check
- fix CVE-2018-5407 (and CVE-2018-0735) - EC signature local
  timing side-channel key extraction
</description>
<!--
 ~~~~~~~~~~~~~~~~~~~~   advisory details   ~~~~~~~~~~~~~~~~~~~
-->
<advisory>
<severity>MODERATE</severity>
<rights>Copyright 2019 Oracle, Inc.</rights>
<issued date="2019-08-19"/>

</advisory>
</metadata>
<criteria operator="AND">
<criterion test_ref="oval:com.oracle.elsa:tst:20194754001" comment="Oracle Linux 7 is installed"/>
<criteria operator="OR">
<criteria operator="AND">
<criterion test_ref="oval:com.oracle.elsa:tst:20194754006" comment="openssl-libs is earlier than 2:1.0.2k-19.0.1.ksplice1.el7"/>
<criterion test_ref="oval:com.oracle.elsa:tst:20194754007" comment="openssl-libs is signed with the Oracle Linux 7 key"/>

The advisory says that, if the OS is Oracle Linux 7 and the openssl-libs version is less than 2:1.0.2k-19.0.1.ksplice1.el7, the package is affected by ELSA-2019-4754.
The oraclelinux:7-slim image has 1:1.0.2k-19.0.1.el7 installed.

2:1.0.2k-19.0.1.ksplice1.el7 is greater than 1:1.0.2k-19.0.1.el7, because epoch 1 is less than epoch 2.
If you want to know about the version comparison of epochs, please see this document:
https://fedoraproject.org/wiki/Archive:Tools/RPM/VersionComparison

The packages are compared to see if they have their Epoch field set.
If a package doesn't have an Epoch field, it may be considered to have an Epoch equal to 0 or -1 (based on the version of RPM and the operation happening).
The Epoch fields are then compared numerically, and the package with the larger number is considered newer.
If the numbers are equal, it goes to step 2.
Note: avoid negative epochs at all costs, and don't use Epochs equal to zero if possible.
If you use 0 Epochs, know that it may be considered equal to no Epochs in some cases and different in others.
Be prepared for the surprise!

I am not familiar with ksplice.
I would like to know if the version comparison is different between the usual comparison and the ksplice environment.

Thank you for the issue!!
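The comparison masahiro331 walks through above, as an added example that is not part of this issue or of Trivy's own code: an rpm-style EVR (epoch:version-release) comparison applied to the rows from the report, showing why the plain rpm rule marks 1:1.0.2k-19.0.1.el7 as older than 2:1.0.2k-19.0.1.ksplice1.el7 (and, without the epoch, would have marked glibc 2.17-317.0.1.el7 as newer than 2.17-292.0.1), and one way a scanner could avoid the false positive by skipping an advisory whose only fixed build is a Ksplice build when the installed package is not a Ksplice build. The `Affected` skip rule and the `1:1.0.2k-21.el7` "regular fix" version are assumptions for illustration; they are not taken from Oracle's data or from the fix in Trivy. Tilde pre-release handling is omitted; none of the versions on this page use it.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// EVR is an RPM epoch:version-release triple.
type EVR struct {
	Epoch            int
	Version, Release string
}

// ParseEVR splits "2:1.0.2k-19.0.1.ksplice1.el7" into its fields.
// A missing epoch counts as 0, which is how rpm compares packages.
func ParseEVR(s string) EVR {
	var v EVR
	if i := strings.Index(s, ":"); i >= 0 {
		if e, err := strconv.Atoi(s[:i]); err == nil {
			v.Epoch, s = e, s[i+1:]
		}
	}
	if i := strings.LastIndex(s, "-"); i >= 0 {
		v.Release, s = s[i+1:], s[:i]
	}
	v.Version = s
	return v
}

func isDigit(c byte) bool { return c >= '0' && c <= '9' }
func isAlnum(c byte) bool {
	return isDigit(c) || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
}

// skip advances past separators such as '.' and '_'.
func skip(s string, i int) int {
	for i < len(s) && !isAlnum(s[i]) {
		i++
	}
	return i
}

// run returns the end of the run of digits (num) or letters (!num) starting at i.
func run(s string, i int, num bool) int {
	for i < len(s) && isAlnum(s[i]) && isDigit(s[i]) == num {
		i++
	}
	return i
}

func sign(newer bool) int {
	if newer {
		return 1
	}
	return -1
}

// rpmvercmp follows rpm's segment rules: split on separators into runs of
// digits or letters; digit runs compare numerically, letter runs lexically,
// and a digit run is newer than a letter run. Returns -1, 0 or 1.
func rpmvercmp(a, b string) int {
	i, j := 0, 0
	for i < len(a) || j < len(b) {
		i, j = skip(a, i), skip(b, j)
		if i >= len(a) || j >= len(b) {
			break
		}
		num := isDigit(a[i]) // kind of the run taken from both sides
		ni, nj := run(a, i, num), run(b, j, num)
		segA, segB := a[i:ni], b[j:nj]
		i, j = ni, nj
		if segB == "" { // kinds differ: the numeric run is newer
			return sign(num)
		}
		if num {
			segA, segB = strings.TrimLeft(segA, "0"), strings.TrimLeft(segB, "0")
			if len(segA) != len(segB) {
				return sign(len(segA) > len(segB))
			}
		}
		if c := strings.Compare(segA, segB); c != 0 {
			return c
		}
	}
	if i >= len(a) && j >= len(b) {
		return 0
	}
	return sign(i < len(a)) // whichever side has characters left is newer
}

// Compare orders two EVRs as rpm does: epoch first, then version, then release.
func Compare(a, b EVR) int {
	if a.Epoch != b.Epoch {
		return sign(a.Epoch > b.Epoch)
	}
	if c := rpmvercmp(a.Version, b.Version); c != 0 {
		return c
	}
	return rpmvercmp(a.Release, b.Release)
}

// IsKsplice reports whether a build is a Ksplice (live-patch) build.
func IsKsplice(v EVR) bool { return strings.Contains(v.Release, "ksplice") }

// Affected returns the plain rpm verdict (installed older than fixed) and the
// verdict once an advisory whose only fix is a Ksplice build is skipped for a
// non-Ksplice install. The skip rule is an assumption used for illustration.
func Affected(installed, fixed string) (raw, filtered bool) {
	in, fx := ParseEVR(installed), ParseEVR(fixed)
	raw = Compare(in, fx) < 0
	if IsKsplice(fx) && !IsKsplice(in) {
		return raw, false
	}
	return raw, raw
}

func main() {
	for _, c := range [][2]string{
		{"1:1.0.2k-19.0.1.el7", "2:1.0.2k-19.0.1.ksplice1.el7"}, // openssl-libs row from the report
		{"2.17-317.0.1.el7", "2:2.17-292.0.1.ksplice1.el7"},     // glibc row from the report
		{"1:1.0.2k-19.0.1.el7", "1:1.0.2k-21.el7"},              // hypothetical regular (non-Ksplice) fix
	} {
		raw, filtered := Affected(c[0], c[1])
		fmt.Printf("%-22s < %-30s rpm=%-5v ksplice-filtered=%v\n", c[0], c[1], raw, filtered)
	}
}
```

Two things the output makes visible: the epoch alone decides the first two rows (the glibc release 317.0.1 is newer than 292.0.1, yet epoch 0 < 2 wins), and even with equal epochs the release string `19.0.1.el7` still sorts below `19.0.1.ksplice1.el7` because the letter run `el` compares before `ksplice`, so epoch handling by itself would not have removed the report.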
