[BUG] Copa fails to patch all fixed CVEs for Oracle Linux (9-slim) docker image #762

Closed · 1 task done
SaptarshiSarkar12 opened this issue Sep 5, 2024 · 4 comments
Labels: bug (Something isn't working)

SaptarshiSarkar12 commented Sep 5, 2024

Version of copa

v0.7.0-50-gf32017a

Expected Behavior

Copa should be able to fix all the vulnerabilities reported by Trivy.

Actual Behavior

Trivy had reported 5 vulnerabilities which are fixed already. Trivy created a JSON file with details of the vulnerabilities, and on passing it to Copa for patching the image, it patched only 2 (the krb5 package vulnerabilities) out of the 5 vulnerabilities.
Why couldn't it patch the gnutls package vulnerability? I saw that the fixed versions (that Copa couldn't patch) were FIPS packages.
I want to know more about the FIPS packages that Copa is failing to patch. Is there any concern about the vulnerabilities whose fixed versions are FIPS packages? Or are they false positives?

Unfixed CVEs links: (screenshot attachment, not reproduced here)

Steps To Reproduce

  1. Pull ghcr.io/saptarshisarkar12/drifty-cli:master docker image. Alternatively, you can also pull its base image oraclelinux:9-slim.
  2. Run trivy image --ignore-unfixed --format json --output drifty-cli.master.json ghcr.io/saptarshisarkar12/drifty-cli:master to generate a report of fixed CVEs in JSON format.
  3. Run docker run --detach --rm --privileged --name buildkitd --entrypoint buildkitd moby/buildkit:v0.15.2 to start buildkitd daemon in detached mode.
  4. Run copa patch -i ghcr.io/saptarshisarkar12/drifty-gui:master -r drifty-gui.master.json -t master-patched --addr docker-container://buildkitd --ignore-errors to patch the image.
  5. We can see that out of the 5 vulnerabilities, only 2 have been patched (the vulnerabilities concerned with krb-5).

Are you willing to submit PRs to contribute to this bug fix?

  • Yes, I am willing to implement it.
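The report handed to Copa in step 4 is plain Trivy JSON, so the question in the issue (which of the "fixed" findings point only at FIPS builds?) can be answered before patching by reading that file. The script below is an added example, not code from the issue thread, from Trivy, or from the Copacetic project: it walks Trivy's `Results[].Vulnerabilities[]` entries, keeps only findings with a `FixedVersion`, and buckets each one as patchable or FIPS-only, treating a comma-separated `FixedVersion` as patchable as long as at least one candidate is a non-FIPS build. The embedded report is constructed sample data: the CVE IDs, versions and target name are placeholders, not findings from the real image, and the assumption that a FIPS build carries `fips` in its version string is exactly that, an assumption to check against your own report.

```python
"""Triage a Trivy JSON report before running `copa patch -r <report>`.

Added example (not from the issue, Trivy, or Copacetic). Groups fixed CVEs by
package and flags entries whose FixedVersion names only FIPS builds, which is
the pattern the reporter observed for gnutls on oraclelinux:9-slim.
"""
import json
from collections import defaultdict

# Constructed sample in Trivy's JSON layout (Results -> Vulnerabilities).
# CVE IDs, versions and the target name are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "example-image (oracle 9.x)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "krb5-libs",
             "InstalledVersion": "1.0-1.el9", "FixedVersion": "1.0-2.el9",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "krb5-libs",
             "InstalledVersion": "1.0-1.el9", "FixedVersion": "1.0-2.el9",
             "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "gnutls",
             "InstalledVersion": "3.0-1.el9", "FixedVersion": "3.0-1.el9_fips",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "gnutls",
             "InstalledVersion": "3.0-1.el9", "FixedVersion": "3.0-1.el9_fips",
             "Severity": "MEDIUM"},
            # Trivy can list several fixed versions in one string; one of
            # these is a normal build, so this finding is still patchable.
            {"VulnerabilityID": "CVE-0000-0005", "PkgName": "gnutls",
             "InstalledVersion": "3.0-1.el9",
             "FixedVersion": "3.0-1.el9_fips, 3.0-2.el9",
             "Severity": "LOW"},
        ],
    }]
})


def is_fips_version(version):
    """Assumption: a FIPS build carries 'fips' somewhere in its version string."""
    return "fips" in version.lower()


def fixed_version_candidates(fixed_version):
    """Split Trivy's comma-joined FixedVersion field into individual versions."""
    return [v.strip() for v in fixed_version.split(",") if v.strip()]


def triage(report_text):
    """Bucket fixed findings into 'patchable' and 'fips_only' by package.

    Returns {"patchable": {pkg: [ids]}, "fips_only": {pkg: [ids]}}.
    Findings without a FixedVersion are skipped (trivy --ignore-unfixed should
    have dropped them already, but a report without that flag still works).
    """
    report = json.loads(report_text)
    patchable = defaultdict(list)
    fips_only = defaultdict(list)
    for result in report.get("Results", []):
        # Trivy emits "Vulnerabilities": null for clean targets, hence `or []`.
        for vuln in result.get("Vulnerabilities") or []:
            fixed = vuln.get("FixedVersion") or ""
            if not fixed:
                continue
            candidates = fixed_version_candidates(fixed)
            bucket = fips_only if all(map(is_fips_version, candidates)) else patchable
            bucket[vuln["PkgName"]].append(vuln["VulnerabilityID"])
    return {"patchable": dict(patchable), "fips_only": dict(fips_only)}


def summary_counts(report_text):
    """(patchable, fips_only) finding counts, for a quick sanity check."""
    t = triage(report_text)
    count = lambda d: sum(len(ids) for ids in d.values())
    return count(t["patchable"]), count(t["fips_only"])


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    for label in ("patchable", "fips_only"):
        print(f"{label}:")
        for pkg, ids in sorted(t[label].items()):
            print(f"  {pkg}: {', '.join(ids)}")
    print("counts (patchable, fips_only):", summary_counts(SAMPLE_REPORT))
```

Point it at the real file with `triage(open("drifty-cli.master.json").read())`. The `fips_only` bucket is the list to review against the Copacetic troubleshooting page before treating the entries as false positives; the script only separates them, it does not decide whether the Oracle Linux advisory data behind them is wrong.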
ashnamehrotra (Contributor) commented:

@SaptarshiSarkar12 Oracle Linux reports vulnerabilities in a way that causes false positives; you can see the troubleshooting page for more info: https://project-copacetic.github.io/copacetic/website/next/troubleshooting

SaptarshiSarkar12 (Author) commented:

Hi @ashnamehrotra 👋!
So, if all the unfixed CVEs are false positives, then is it safe to close them as false positives? Is Trivy responsible for reporting the false positives that Oracle Linux passes to it?

ashnamehrotra (Contributor) commented:

@SaptarshiSarkar12 Yes, that is correct. If you run the resulting patched image from the update-all (no scanner) approach and check for gnutls package updates, it will show that there are no upgrades available to patch.

SaptarshiSarkar12 (Author) commented:

@ashnamehrotra Okay. Thank you.

github-project-automation bot moved this from 🆕 New to ✅ Done in Copacetic Workboard, Sep 11, 2024