
Anchore Engine Analysis reporting vulnerabilities in the sink and not source of the issue

Open swetan27 opened this issue 3 years ago • 2 comments

Is this a request for help?:


Is this a BUG REPORT or a FEATURE REQUEST? (choose one): BUG REPORT

Version of Anchore Engine and Anchore CLI if applicable: Anchore- CLI - v 0.8.2

What happened:

We are building Kafka enablers for the microservice to consume as a dependent jar to enable websocket connection.

Kafka enabler i.e. Kafka-enabler-SNAPHOT-0.0.1.jar uses Confluent rest-util package as dependency which in turn uses Jersey v2.29, Jetty v9.4.30, and Hibernate Validator.

When running Anchore scan post building an image from the Kafka enabler, Anchore Engine, does not report any vulnerabilities in the jars used by the enabler itself. Report Output below:

[screenshot of the Anchore report output omitted]

Method used to convert the Kafka enabler jar to an image for Anchore scanning: [screenshot omitted]

When the Anchore scan is run against the microservice, e.g. Test client, which consumes the enabler, it reports the following vulnerabilities: [screenshot omitted]

Vulnerabilities reported are valid, i.e. true positives.

What did you expect to happen:

We expected that when we build an image from Enabler and run Anchore scan, Anchore should have reported the vulnerabilities as it reported when enabler was added as dependency to another microservice. Reason being the vulnerable jars are actually dependencies in Kafka enabler which is the true source of the vulnerabilities.

Any relevant log output from /var/log/anchore:

What docker images are you using: openjdk:8-jre-slim

How to reproduce the issue:

Step 1: Create a jar using the confluent rest-utils package v6.1.1.
Step 2: Convert it to a docker image as shown above and trigger an Anchore scan.
Step 3: Add the jar created in step 1 to any microservice's build.gradle file as a dependency.
Step 4: Build a new jar from step 3.
Step 5: Create a docker image from the jar created in step 4 and trigger an Anchore scan.

Anything else we need to know: The remediation to the issue is also interesting:

Case 1: When the Jetty and Jersey related jars were upgraded in the Kafka enabler, which is the source of the vulnerability, Anchore still reported the vulnerabilities in the microservice, i.e. Test Client, and none in the Kafka enabler.

Case 2: When the Jetty and Jersey related jars were upgraded in the Test client, i.e. the microservice which consumes the enabler, Anchore stopped reporting the vulnerabilities in the microservice, i.e. Test Client, and reported none as usual in the Kafka enabler:

In order to fix the vulnerabilities, all the microservices consuming this enabler have to modify their build.gradle as in the screenshot below, instead of the Kafka enabler, which is the source of the vulnerabilities.

[screenshot of the modified build.gradle omitted]

swetan27, Jun 08 '21 14:06
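The report above hinges on where a scanner looks for dependency metadata: the Jetty and Jersey jars are not top-level artifacts of the enabler image, they are nested inside the enabler jar (via rest-utils), so a walk that reads only the outermost archive's Maven metadata never sees them. The following is an added example, not code from anchore-engine, syft or the reporter; it constructs an in-memory jar layout modelled on the description above (a `kafka-enabler` jar bundling `rest-utils`, which in turn bundles `jetty-server` 9.4.30 and `jersey-server` 2.29, all hypothetical paths and group ids) and compares a shallow inventory with a recursive one. It makes no claim about how Anchore itself parses jars.

```python
"""Inventory Java dependencies packed inside a jar, including nested jars.

Added example, not anchore-engine or syft code. It shows why reading only the
outermost archive's metadata misses libraries that a bundled jar carries
inside it, while a recursive walk reports them. Every jar below is
constructed in memory; the coordinates and paths are assumptions.
"""
import io
import re
import zipfile
from dataclasses import dataclass

# Maven coordinates that build tools record under META-INF/maven/<g>/<a>/pom.properties
POM_PROPS = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")
# Fallback for nested jars without pom.properties: e.g. jetty-server-9.4.30.jar
NAME_VERSION = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


@dataclass(frozen=True)
class Artifact:
    group: str
    artifact: str
    version: str
    path: str  # location inside the outer archive where it was found


def parse_pom_properties(text: str) -> dict:
    """Parse the key=value lines of a pom.properties file, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def inventory_jar(data: bytes, path: str = "", recurse: bool = True, max_depth: int = 8) -> list:
    """Return the artifacts found in `data`; descend into nested jars if `recurse`."""
    found = []
    if max_depth < 0:  # guard against pathological nesting
        return found
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if POM_PROPS.match(name):
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                if {"groupId", "artifactId", "version"} <= props.keys():
                    found.append(Artifact(props["groupId"], props["artifactId"],
                                          props["version"], path or "<root>"))
            elif name.endswith(".jar") and recurse:
                nested_path = f"{path}/{name}" if path else name
                try:
                    inner = inventory_jar(zf.read(name), nested_path, recurse, max_depth - 1)
                except zipfile.BadZipFile:
                    inner = []  # not a real archive; treat as opaque
                if not inner:
                    # No metadata inside: fall back to the file name, group unknown
                    m = NAME_VERSION.match(name.rsplit("/", 1)[-1])
                    if m:
                        found.append(Artifact("?", m["artifact"], m["version"], nested_path))
                found.extend(inner)
    return found


def make_jar(entries: dict) -> bytes:
    """Build a jar (zip) in memory from {entry_name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def pom_props(group: str, artifact: str, version: str) -> str:
    return f"groupId={group}\nartifactId={artifact}\nversion={version}\n"


def build_sample_enabler() -> bytes:
    """Constructed stand-in for the enabler jar described in the issue (assumed layout)."""
    jetty = make_jar({
        "META-INF/maven/org.eclipse.jetty/jetty-server/pom.properties":
            pom_props("org.eclipse.jetty", "jetty-server", "9.4.30"),
        "org/eclipse/jetty/server/Server.class": b"\xca\xfe\xba\xbe",
    })
    jersey = make_jar({
        "META-INF/maven/org.glassfish.jersey.core/jersey-server/pom.properties":
            pom_props("org.glassfish.jersey.core", "jersey-server", "2.29"),
    })
    rest_utils = make_jar({
        "META-INF/maven/io.confluent/rest-utils/pom.properties":
            pom_props("io.confluent", "rest-utils", "6.1.1"),
        "lib/jetty-server-9.4.30.jar": jetty,
        "lib/jersey-server-2.29.jar": jersey,
    })
    return make_jar({
        "META-INF/maven/com.example/kafka-enabler/pom.properties":
            pom_props("com.example", "kafka-enabler", "0.0.1-SNAPSHOT"),
        "BOOT-INF/lib/rest-utils-6.1.1.jar": rest_utils,
    })


def coordinates(artifacts) -> set:
    return {f"{a.artifact}:{a.version}" for a in artifacts}


def compare_scans(jar: bytes) -> tuple:
    """Return (artifacts seen by a top-level-only walk, artifacts seen by a recursive walk)."""
    return coordinates(inventory_jar(jar, recurse=False)), coordinates(inventory_jar(jar, recurse=True))


if __name__ == "__main__":
    shallow, deep = compare_scans(build_sample_enabler())
    print("top-level metadata only:", sorted(shallow))
    print("recursive walk:         ", sorted(deep))
    print("missed by shallow scan: ", sorted(deep - shallow))
```

Run against the constructed jar, the shallow walk reports only `kafka-enabler:0.0.1-SNAPSHOT`, while the recursive walk also surfaces `rest-utils:6.1.1`, `jetty-server:9.4.30` and `jersey-server:2.29`. A practitioner triaging a report like the one above can apply the same recursive walk to the real jar in the image to confirm whether the vulnerable libraries are physically present in it, which separates "scanner did not look inside" from "library is not there".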

@zhill - Kindly look into the issue

swetan27, Jun 23 '21 11:06

@swetan27 Can you clarify what version of anchore-engine you are using? I see for version you put

Anchore- CLI - v 0.8.2

To clarify is that the version of the cli or engine?

If it is the version of engine, we have since made a number of changes/enhancements to our image analysis. Most notably, as of engine v0.9.0 we use syft for the bulk of our image content analysis. We have also fixed some issues related to java analysis in patch releases since v0.9.0, so an update to the most recent release version of v0.10 could resolve the issue if you are using v0.8.2.

zburstein, Jul 13 '21 21:07