trivy
trivy copied to clipboard
aquasecurity
False Positives being reported from Trivy 0.24.2 - oraclelinux:8 image
Description
When you scan an oraclelinux:8 image
What did you expect to happen?
There should not be any issue
It thinks I need 10:1.8.5-6.el8_fips -> https://linux.oracle.com/errata/ELSA-2022-9263.html Where https://github.com/aquasecurity/vuln-list/blob/main/oval/oracle/2021/ELSA-2021-4409.json looks ok.
Related to #issue 736
What happened instead?
I got vulnerabilities
$ trivy i oraclelinux:8
2022-04-08T14:47:57.903Z INFO Detected OS: oracle
2022-04-08T14:47:57.903Z INFO Detecting Oracle Linux vulnerabilities...
2022-04-08T14:47:57.910Z INFO Number of language-specific files: 0
oraclelinux:8 (oracle 8.5)
==========================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)
+-----------+------------------+----------+-------------------+--------------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-----------+------------------+----------+-------------------+--------------------------+---------------------------------------+
| gnutls | CVE-2021-20231 | MEDIUM | 3.6.16-4.el8 | 10:3.6.16-4.0.1.el8_fips | gnutls: Use after free in |
| | | | | | client key_share extension |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-20231 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-20232 | | | | gnutls: Use after free |
| | | | | | in client_send_params in |
| | | | | | lib/ext/pre_shared_key.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-20232 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-3580 | | | | nettle: Remote crash |
| | | | | | in RSA decryption via |
| | | | | | manipulated ciphertext |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3580 |
+-----------+------------------+ +-------------------+--------------------------+---------------------------------------+
| libgcrypt | CVE-2021-33560 | | 1.8.5-6.el8 | 10:1.8.5-6.el8_fips | libgcrypt: mishandles ElGamal |
| | | | | | encryption because it lacks |
| | | | | | exponent blinding to address a... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-33560 |
+-----------+------------------+----------+-------------------+--------------------------+---------------------------------------+
Output of run with -debug:
$ trivy --debug i oraclelinux:8
2022-04-08T14:48:41.466Z DEBUG Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-04-08T14:48:41.468Z DEBUG cache dir: /home/scanner/.cache/trivy
2022-04-08T14:48:41.468Z DEBUG DB update was skipped because the local DB is the latest
2022-04-08T14:48:41.469Z DEBUG DB Schema: 2, UpdatedAt: 2022-04-08 12:06:46.349271271 +0000 UTC, NextUpdate: 2022-04-08 18:06:46.349271071 +0000 UTC, DownloadedAt: 2022-04-08 13:50:49.650469224 +0000 UTC
2022-04-08T14:48:41.469Z DEBUG Vulnerability type: [os library]
2022-04-08T14:48:44.980Z DEBUG Image ID: sha256:e6ca9618a97becacf7688f253c089da43cd8b041f9084b850746567b5553148e
2022-04-08T14:48:44.980Z DEBUG Diff IDs: [sha256:ca93c0cdf7fc9a33979ba26402ef52dafa075236d2c69adacf11e935bdcd2fa5]
2022-04-08T14:48:44.985Z INFO Detected OS: oracle
2022-04-08T14:48:44.986Z INFO Detecting Oracle Linux vulnerabilities...
2022-04-08T14:48:44.986Z DEBUG Oracle Linux: os version: 8
2022-04-08T14:48:44.986Z DEBUG Oracle Linux: the number of packages: 182
2022-04-08T14:48:44.991Z INFO Number of language-specific files: 0
oraclelinux:8 (oracle 8.5)
==========================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)
+-----------+------------------+----------+-------------------+--------------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-----------+------------------+----------+-------------------+--------------------------+---------------------------------------+
| gnutls | CVE-2021-20231 | MEDIUM | 3.6.16-4.el8 | 10:3.6.16-4.0.1.el8_fips | gnutls: Use after free in |
| | | | | | client key_share extension |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-20231 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-20232 | | | | gnutls: Use after free |
| | | | | | in client_send_params in |
| | | | | | lib/ext/pre_shared_key.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-20232 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-3580 | | | | nettle: Remote crash |
| | | | | | in RSA decryption via |
| | | | | | manipulated ciphertext |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3580 |
+-----------+------------------+ +-------------------+--------------------------+---------------------------------------+
| libgcrypt | CVE-2021-33560 | | 1.8.5-6.el8 | 10:1.8.5-6.el8_fips | libgcrypt: mishandles ElGamal |
| | | | | | encryption because it lacks |
| | | | | | exponent blinding to address a... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-33560 |
+-----------+------------------+----------+-------------------+--------------------------+---------------------------------------+
Output of trivy -v:
$ trivy -v i oraclelinux:8
Version: 0.24.2
Vulnerability DB:
Version: 2
UpdatedAt: 2022-04-08 12:06:46.349271271 +0000 UTC
NextUpdate: 2022-04-08 18:06:46.349271071 +0000 UTC
DownloadedAt: 2022-04-08 13:50:49.650469224 +0000 UTC
Additional details (base image name, container registry info...):
(Disclaimer: I'm in the Oracle Linux support/development group.)
Basically this is similar to issue #736.
Oracle Linux ships with up to three flavors of system packages for different purposes:
- normal
- Ksplice Userspace
- FIPS-validated
The user determines which flavor is installed based on their system requirements, but Oracle issues advisories (ELSAs) and related OpenSCAP (OVAL) data for all three flavors. So scanning all available ELSAs will result in false positives if the ELSA is for a different flavor than the one installed.
Basically, scans should do a heuristic to determine whether to apply an ELSA to the system, with the following logic:
- If the ELSA package version string contains
_fips, only scan against this ELSA if the installed package(s) include_fipsin the version string. - If the ELSA package version string contains
.ksplice, only scan against this ELSA if the installed package(s) include.ksplicein the version string. - Otherwise, scan as normal.
Note that these apply to the version string component of the package and not the package name, but inclusion of the leading _ and . in cases 1 and 2 respectively should ensure that this is done correctly.
This logic should be applied to both OL7 and OL8. Whether this should be a rule added to each ELSA scan or at some higher level I don't know, that depends on how Trivy is structured.
If this needs to be at a per-DB-entry level, you can limit the special-case logic to only the packages covered by that special case:
- Ksplice Userspace (
.ksplice) : onlyglibc,openssl, and their resultant subpackages. - FIPS-validated (
_fips): packages which ship in the Security Validation repos for OL7 and OL8 (linked here)
FWIW please feel free to email me at my work email address ([email protected]) if any clarification is needed on the above, we're happy to help Trivy developers on any Oracle Linux related issue.
This issue is stale because it has been labeled with inactivity.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
istaveren, my temporary workaround for this issue is:
FROM oraclelinux:8
RUN set -ex && \
microdnf update && \
microdnf install dnf && \
dnf -y install https://yum.oracle.com/repo/OracleLinux/OL8/4/security/validation/x86_64/getPackage/gnutls-3.6.16-4.0.1.el8_fips.x86_64.rpm && \
dnf -y install https://yum.oracle.com/repo/OracleLinux/OL8/4/security/validation/x86_64/getPackage/libgcrypt-1.8.5-7.el8_6_fips.x86_64.rpm && \
microdnf clean all && \
rm -rf /tmp/* /var/cache/dnf/* /var/cache/yum/* /var/lib/dnf/* /var/lib/rpm/*
This issue is stale because it has been labeled with inactivity.
This issue is stale because it has been labeled with inactivity.
istaveren, my temporary workaround for this issue is:
FROM oraclelinux:8 RUN set -ex && \ microdnf update && \ microdnf install dnf && \ dnf -y install https://yum.oracle.com/repo/OracleLinux/OL8/4/security/validation/x86_64/getPackage/gnutls-3.6.16-4.0.1.el8_fips.x86_64.rpm && \ dnf -y install https://yum.oracle.com/repo/OracleLinux/OL8/4/security/validation/x86_64/getPackage/libgcrypt-1.8.5-7.el8_6_fips.x86_64.rpm && \ microdnf clean all && \ rm -rf /tmp/* /var/cache/dnf/* /var/cache/yum/* /var/lib/dnf/* /var/lib/rpm/*
Thanks , this was helpful. It was easy to apply patch than convincing security guys that it is false positive .
