False positive in docker image scanning when removing a path and creating a softlink on the same path in one step
Description
I faced false positive behaviour inside one of my docker-built images. On image build I remove a directory where a vulnerable file was located. In addition I put a softlink at the same path (which refers to a directory without vulnerabilities).
Even though the vulnerable file is not reachable from within my docker container (I guess it's inside a layer but overwritten by a higher-priority layer), trivy still finds the (old) vulnerability.
This does not happen if removing the directory and creating the softlink are in different docker build steps.
What did you expect to happen?
I would expect that the vulnerable file would no longer be found by trivy.
What happened instead?
The vulnerable file is found and the vulnerability is printed out in the results.
Dockerfile to reproduce:
I created a minimal reproducible example:
FROM alpine
RUN apk update && apk add curl
RUN mkdir /test
# load vulnerable log4j version
RUN curl -s https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.3/log4j-core-2.3.jar > /test/log4j.jar
# rm dir with vulnerability and softlink a different directory to the same place (which doesn't have a vulnerability)
RUN rm -rf /test && ln -s /tmp /test
And I have built it with:
docker build -t trivytest .
Output of run with --debug:
trivy --debug image trivytest
2022-08-01T14:42:54.912+0200 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-08-01T14:42:54.952+0200 DEBUG cache dir: /Users/andreasschnapp/Library/Caches/trivy
2022-08-01T14:42:54.953+0200 DEBUG DB update was skipped because the local DB is the latest
2022-08-01T14:42:54.953+0200 DEBUG DB Schema: 2, UpdatedAt: 2022-08-01 12:08:21.715800241 +0000 UTC, NextUpdate: 2022-08-01 18:08:21.715799741 +0000 UTC, DownloadedAt: 2022-08-01 12:31:07.011089 +0000 UTC
2022-08-01T14:42:54.953+0200 INFO Vulnerability scanning is enabled
2022-08-01T14:42:54.953+0200 DEBUG Vulnerability type: [os library]
2022-08-01T14:42:54.953+0200 INFO Secret scanning is enabled
2022-08-01T14:42:54.953+0200 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-08-01T14:42:54.953+0200 INFO Please see also https://aquasecurity.github.io/trivy/0.30.1/docs/secret/scanning/#recommendation for faster secret detection
2022-08-01T14:42:54.964+0200 DEBUG No secret config detected: trivy-secret.yaml
2022-08-01T14:42:54.964+0200 DEBUG Image ID: sha256:3e778fa55f6d07619cde748e2bb8b7a3b7f5f6e10fdd66ebabd92f4400673f4a
2022-08-01T14:42:54.964+0200 DEBUG Diff IDs: [sha256:ec34fcc1d526fba48f7f88e4ec765fccc17d4692570db85cf32d9d6b020330f2 sha256:3d3bc5c4280d38d7385cfba03d1354dec289c9caff6d43d6221b756f4c92fd4b sha256:7ab9ed480697342cf4dd6f8d8dde2f2d8820b5de186281502ff90261e9d6d104 sha256:94ae8abb8f40921f1db2865f4d4c46c83ac5a64be64c824cde3a688fe06af8e3 sha256:5923d9e48f15120fcb0f1bc5cac00107a6ef79fae2211be200a5abe8aef28c96]
2022-08-01T14:42:54.964+0200 DEBUG Base Layers: [sha256:ec34fcc1d526fba48f7f88e4ec765fccc17d4692570db85cf32d9d6b020330f2]
2022-08-01T14:42:54.965+0200 DEBUG Missing diff ID in cache: sha256:5923d9e48f15120fcb0f1bc5cac00107a6ef79fae2211be200a5abe8aef28c96
2022-08-01T14:42:54.965+0200 DEBUG Missing diff ID in cache: sha256:3d3bc5c4280d38d7385cfba03d1354dec289c9caff6d43d6221b756f4c92fd4b
2022-08-01T14:42:54.965+0200 DEBUG Missing diff ID in cache: sha256:ec34fcc1d526fba48f7f88e4ec765fccc17d4692570db85cf32d9d6b020330f2
2022-08-01T14:42:54.965+0200 DEBUG Missing diff ID in cache: sha256:94ae8abb8f40921f1db2865f4d4c46c83ac5a64be64c824cde3a688fe06af8e3
2022-08-01T14:42:54.965+0200 DEBUG Missing diff ID in cache: sha256:7ab9ed480697342cf4dd6f8d8dde2f2d8820b5de186281502ff90261e9d6d104
2022-08-01T14:42:55.558+0200 DEBUG Parsing Java artifacts... {"file": "test/log4j.jar"}
2022-08-01T14:42:56.183+0200 INFO Detected OS: alpine
2022-08-01T14:42:56.183+0200 INFO Detecting Alpine vulnerabilities...
2022-08-01T14:42:56.183+0200 DEBUG alpine: os version: 3.16
2022-08-01T14:42:56.183+0200 DEBUG alpine: package repository: 3.16
2022-08-01T14:42:56.183+0200 DEBUG alpine: the number of packages: 19
2022-08-01T14:42:56.185+0200 INFO Number of language-specific files: 1
2022-08-01T14:42:56.185+0200 INFO Detecting jar vulnerabilities...
2022-08-01T14:42:56.185+0200 DEBUG Detecting library vulnerabilities, type: jar, path:
2022-08-01T14:42:56.189+0200 INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
Java (jar)
Total: 6 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 0, CRITICAL: 3)

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| org.apache.logging.log4j:log4j-core (log4j.jar) | CVE-2017-5645 | CRITICAL | 2.3 | 2.8.2 | log4j: Socket receiver deserialization vulnerability (https://avd.aquasec.com/nvd/cve-2017-5645) |
| org.apache.logging.log4j:log4j-core (log4j.jar) | CVE-2021-44228 | CRITICAL | 2.3 | 2.3.2, 2.12.2, 2.15.0 | log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled... (https://avd.aquasec.com/nvd/cve-2021-44228) |
| org.apache.logging.log4j:log4j-core (log4j.jar) | CVE-2021-45046 | CRITICAL | 2.3 | 2.12.3, 2.16.0 | log4j-core: DoS in log4j 2.x with thread context message pattern and context... (https://avd.aquasec.com/nvd/cve-2021-45046) |
| org.apache.logging.log4j:log4j-core (log4j.jar) | CVE-2021-44832 | MEDIUM | 2.3 | 2.12.4, 2.17.1 | log4j-core: remote code execution via JDBC Appender (https://avd.aquasec.com/nvd/cve-2021-44832) |
| org.apache.logging.log4j:log4j-core (log4j.jar) | CVE-2021-45105 | MEDIUM | 2.3 | 2.3.1, 2.12.3, 2.17.0 | log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data... (https://avd.aquasec.com/nvd/cve-2021-45105) |
| org.apache.logging.log4j:log4j-core (log4j.jar) | CVE-2020-9488 | LOW | 2.3 | 2.13.2 | log4j: improper validation of certificate with host mismatch in SMTP appender (https://avd.aquasec.com/nvd/cve-2020-9488) |
Output of trivy -v:
trivy -v image trivytest
2022-08-01T14:43:30.315+0200 INFO Vulnerability scanning is enabled
2022-08-01T14:43:30.315+0200 INFO Secret scanning is enabled
2022-08-01T14:43:30.315+0200 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-08-01T14:43:30.315+0200 INFO Please see also https://aquasecurity.github.io/trivy/0.30.1/docs/secret/scanning/#recommendation for faster secret detection
2022-08-01T14:43:30.327+0200 INFO Detected OS: alpine
2022-08-01T14:43:30.327+0200 INFO Detecting Alpine vulnerabilities...
2022-08-01T14:43:30.330+0200 INFO Number of language-specific files: 1
2022-08-01T14:43:30.330+0200 INFO Detecting jar vulnerabilities...
2022-08-01T14:43:30.332+0200 INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
Java (jar)
Total: 6 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 0, CRITICAL: 3)

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| org.apache.logging.log4j:log4j-core (log4j.jar) | CVE-2017-5645 | CRITICAL | 2.3 | 2.8.2 | log4j: Socket receiver deserialization vulnerability (https://avd.aquasec.com/nvd/cve-2017-5645) |
| org.apache.logging.log4j:log4j-core (log4j.jar) | CVE-2021-44228 | CRITICAL | 2.3 | 2.3.2, 2.12.2, 2.15.0 | log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled... (https://avd.aquasec.com/nvd/cve-2021-44228) |
| org.apache.logging.log4j:log4j-core (log4j.jar) | CVE-2021-45046 | CRITICAL | 2.3 | 2.12.3, 2.16.0 | log4j-core: DoS in log4j 2.x with thread context message pattern and context... (https://avd.aquasec.com/nvd/cve-2021-45046) |
| org.apache.logging.log4j:log4j-core (log4j.jar) | CVE-2021-44832 | MEDIUM | 2.3 | 2.12.4, 2.17.1 | log4j-core: remote code execution via JDBC Appender (https://avd.aquasec.com/nvd/cve-2021-44832) |
| org.apache.logging.log4j:log4j-core (log4j.jar) | CVE-2021-45105 | MEDIUM | 2.3 | 2.3.1, 2.12.3, 2.17.0 | log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data... (https://avd.aquasec.com/nvd/cve-2021-45105) |
| org.apache.logging.log4j:log4j-core (log4j.jar) | CVE-2020-9488 | LOW | 2.3 | 2.13.2 | log4j: improper validation of certificate with host mismatch in SMTP appender (https://avd.aquasec.com/nvd/cve-2020-9488) |
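The following is an added model of the layer-shadowing mechanism this report describes, not trivy's or Docker's own code. It assumes layers are represented as hand-written path-to-entry-type maps mirroring the Dockerfile above: in the one-step build the top layer carries only a `test` symlink entry, while in the two-step build the `rm` step contributes a `.wh.test` whiteout first. A merge that only keys on exact paths keeps `test/log4j.jar` visible in the one-step case; a merge that treats a directory replaced by a non-directory as hiding its subtree matches what the running container actually exposes.

```python
# Constructed model of Docker layer merging (not trivy's or Docker's code).
# Entry types: "file", "dir", "symlink", "whiteout". A whiteout entry named
# ".wh.<name>" deletes <name> and everything below it from lower layers.
WHITEOUT_PREFIX = ".wh."

# Single-step build: "rm -rf /test && ln -s /tmp /test" yields one layer
# whose only entry is the symlink; no whiteout is recorded for the old dir.
ONE_STEP_LAYERS = [
    {"test": "dir", "test/log4j.jar": "file"},
    {"test": "symlink"},
]
# Two-step build: the separate "rm -rf /test" layer carries a whiteout.
TWO_STEP_LAYERS = [
    {"test": "dir", "test/log4j.jar": "file"},
    {".wh.test": "whiteout"},
    {"test": "symlink"},
]

def _whiteout_target(path):
    parent, _, base = path.rpartition("/")
    base = base[len(WHITEOUT_PREFIX):]
    return f"{parent}/{base}" if parent else base

def _drop_subtree(fs, prefix):
    for p in [p for p in fs if p == prefix or p.startswith(prefix + "/")]:
        del fs[p]

def merge_by_path(layers):
    """Path-keyed merge: an upper entry overwrites only the identical path.
    Children of a directory that became a symlink survive (false positive)."""
    fs = {}
    for layer in layers:
        for path, kind in layer.items():
            if kind == "whiteout":
                _drop_subtree(fs, _whiteout_target(path))
            else:
                fs[path] = kind
    return fs

def merge_respecting_type_change(layers):
    """Same merge, but a non-directory replacing a directory hides its subtree."""
    fs = {}
    for layer in layers:
        for path, kind in layer.items():
            if kind == "whiteout":
                _drop_subtree(fs, _whiteout_target(path))
            else:
                if kind != "dir" and fs.get(path) == "dir":
                    _drop_subtree(fs, path)
                fs[path] = kind
    return fs

def scan_targets(fs):
    """Paths a jar scanner would parse in the merged view."""
    return sorted(p for p, k in fs.items() if k == "file" and p.endswith(".jar"))
```

Running both merges over the two layer sets shows that only the path-keyed merge on the single-step layers still reports `test/log4j.jar`, which is the behaviour the report observes.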