Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(oracle): add flavors support #7858

Merged
merged 10 commits into from
Nov 20, 2024
Merged

feat(oracle): add flavors support #7858

merged 10 commits into from
Nov 20, 2024

Conversation

DmitriyLewen
Copy link
Contributor

@DmitriyLewen DmitriyLewen commented Nov 2, 2024
edited
Loading

Description

Add flavors (fips, ksplice, etc. versions) for Oracle Linux.
Trivy doesn't need to check version with different flavors.
See #1967 (comment) for more details.

Example of Trivy work:
before:

➜  trivy git:(feat/ol-flavors) ✗ trivy -q image oraclelinux:8 

oraclelinux:8 (oracle 8.10)

Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 1, CRITICAL: 0)

┌───────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────┬─────────────────────────────────────────────────────────────┐
│  Library  │ Vulnerability  │ Severity │ Status │ Installed Version │      Fixed Version       │                            Title                            │
├───────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────┤
│ gnutls    │ CVE-2021-20231 │ MEDIUM   │ fixed  │ 3.6.16-8.el8_9.3  │ 10:3.6.16-4.0.1.el8_fips │ gnutls: Use after free in client key_share extension        │
│           │                │          │        │                   │                          │ https://avd.aquasec.com/nvd/cve-2021-20231                  │
│           ├────────────────┤          │        │                   │                          ├─────────────────────────────────────────────────────────────┤
│           │ CVE-2021-20232 │          │        │                   │                          │ gnutls: Use after free in client_send_params in             │
│           │                │          │        │                   │                          │ lib/ext/pre_shared_key.c                                    │
│           │                │          │        │                   │                          │ https://avd.aquasec.com/nvd/cve-2021-20232                  │
│           ├────────────────┤          │        │                   │                          ├─────────────────────────────────────────────────────────────┤
│           │ CVE-2021-3580  │          │        │                   │                          │ nettle: Remote crash in RSA decryption via manipulated      │
│           │                │          │        │                   │                          │ ciphertext                                                  │
│           │                │          │        │                   │                          │ https://avd.aquasec.com/nvd/cve-2021-3580                   │
│           ├────────────────┤          │        │                   ├──────────────────────────┼─────────────────────────────────────────────────────────────┤
│           │ CVE-2024-0553  │          │        │                   │ 10:3.6.16-8.el8_9.1_fips │ gnutls: incomplete fix for CVE-2023-5981                    │
│           │                │          │        │                   │                          │ https://avd.aquasec.com/nvd/cve-2024-0553                   │
│           ├────────────────┤          │        │                   ├──────────────────────────┼─────────────────────────────────────────────────────────────┤
│           │ CVE-2024-28834 │          │        │                   │ 10:3.6.16-8.el8_9.3_fips │ gnutls: vulnerable to Minerva side-channel information leak │
│           │                │          │        │                   │                          │ https://avd.aquasec.com/nvd/cve-2024-28834                  │
├───────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────┤
│ libgcrypt │ CVE-2021-40528 │ HIGH     │        │ 1.8.5-7.el8_6     │ 10:1.8.5-7.el8_6_fips    │ libgcrypt: ElGamal implementation allows plaintext recovery │
│           │                │          │        │                   │                          │ https://avd.aquasec.com/nvd/cve-2021-40528                  │
│           ├────────────────┼──────────┤        │                   ├──────────────────────────┼─────────────────────────────────────────────────────────────┤
│           │ CVE-2021-33560 │ MEDIUM   │        │                   │ 10:1.8.5-6.el8_fips      │ libgcrypt: mishandles ElGamal encryption because it lacks   │
│           │                │          │        │                   │                          │ exponent blinding to address a...                           │
│           │                │          │        │                   │                          │ https://avd.aquasec.com/nvd/cve-2021-33560                  │
└───────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────┴─────────────────────────────────────────────────────────────┘

after:

➜  trivy git:(feat/ol-flavors) ✗ ./trivy -q image oraclelinux:8

oraclelinux:8 (oracle 8.10)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@DmitriyLewen DmitriyLewen self-assigned this Nov 2, 2024
@DmitriyLewen DmitriyLewen marked this pull request as ready for review November 20, 2024 10:21
@DmitriyLewen DmitriyLewen mentioned this pull request Nov 20, 2024
Merged
@knqyf263 knqyf263 added this pull request to the merge queue Nov 20, 2024
Merged via the queue into aquasecurity:main with commit b9b383e Nov 20, 2024
18 checks passed
@aqua-bot aqua-bot mentioned this pull request Nov 20, 2024
Merged
@DmitriyLewen DmitriyLewen deleted the feat/ol-flavors branch November 28, 2024 06:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knqyf263 knqyf263 knqyf263 approved these changes

Assignees

@DmitriyLewen DmitriyLewen

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

False Positives being reported from Trivy 0.24.2 - oraclelinux:8 image
2 participants
@DmitriyLewen @knqyf263