CVE-2022-23521 and CVE-2022-41903 (critical git vulnerabilities) not in database?
Description
Two days ago some critical vulnerabilities in git were fixed (CVE-2022-41903 and CVE-2022-23521):
- https://lore.kernel.org/git/[email protected]/T/#u
- https://github.blog/2023-01-17-git-security-vulnerabilities-announced-2/
When I scan images with a vulnerable git version I would expect Trivy to find it. For example, docker.io/library/buildpack-deps:jammy-scm seems to have a vulnerable git version (2.34.1):
```
docker run --rm docker.io/library/buildpack-deps:jammy-scm@sha256:4171aabab1fcee42fb95527af1271da5e0439e284375268ab760a9a5028bc031 git version
git version 2.34.1
```
But when I scan the image using Trivy it does not find the vulnerability:
```
trivy image --security-checks vuln --severity CRITICAL,HIGH --debug docker.io/library/buildpack-deps:jammy-scm@sha256:4171aabab1fcee42fb95527af1271da5e0439e284375268ab760a9a5028bc031
2023-01-19T10:45:23.770+0100 DEBUG Severities: ["CRITICAL" "HIGH"]
2023-01-19T10:45:23.774+0100 DEBUG cache dir: /home/helgeeichelberg/.cache/trivy
2023-01-19T10:45:23.774+0100 DEBUG DB update was skipped because the local DB is the latest
2023-01-19T10:45:23.774+0100 DEBUG DB Schema: 2, UpdatedAt: 2023-01-19 06:09:53.559429471 +0000 UTC, NextUpdate: 2023-01-19 12:09:53.559429071 +0000 UTC, DownloadedAt: 2023-01-19 09:07:31.617375887 +0000 UTC
2023-01-19T10:45:23.774+0100 INFO Vulnerability scanning is enabled
2023-01-19T10:45:23.775+0100 DEBUG Vulnerability type: [os library]
2023-01-19T10:45:23.783+0100 DEBUG Image ID: sha256:aadd70a84453c5b68b26efcfc1f0e2ada1c8c598bc76d0110c38c573de004df5
2023-01-19T10:45:23.783+0100 DEBUG Diff IDs: [sha256:6515074984c6f8bb1b8a9962c8fb5f310fc85e70b04c88442a3939c026dbfad3 sha256:51d804bf834263e266bf0c48b01ebacf868ed961f8a9040c4dcf367ded0325ec sha256:88120f2b093d2f0adc42855117103a1b662b0baf2b84f5ceaee73783e596f33b sha256:3a4c7a1662e2f7ac5a25b5d14d4a91a6e62ae939af81e61d52a8c9a0021d7069]
2023-01-19T10:45:23.783+0100 DEBUG Base Layers: [sha256:6515074984c6f8bb1b8a9962c8fb5f310fc85e70b04c88442a3939c026dbfad3]
2023-01-19T10:45:23.843+0100 INFO Detected OS: ubuntu
2023-01-19T10:45:23.843+0100 INFO Detecting Ubuntu vulnerabilities...
2023-01-19T10:45:23.843+0100 DEBUG ubuntu: os version: 22.04
2023-01-19T10:45:23.843+0100 DEBUG ubuntu: the number of packages: 167
2023-01-19T10:45:23.862+0100 INFO Number of language-specific files: 0

docker.io/library/buildpack-deps:jammy-scm@sha256:4171aabab1fcee42fb95527af1271da5e0439e284375268ab760a9a5028bc031 (ubuntu 22.04)

Total: 0 (HIGH: 0, CRITICAL: 0)
```
I then searched for the vulnerabilities in the database at https://avd.aquasec.com/ but I could not find them.
In my case both CVEs were found, but with severity MEDIUM (which you omit).
And you are right, both CVEs are missing in the database.
Yes, with `trivy image --security-checks vuln --severity MEDIUM --debug docker.io/library/buildpack-deps:jammy-scm@sha256:4171aabab1fcee42fb95527af1271da5e0439e284375268ab760a9a5028bc031` Trivy lists the vulnerabilities (thank you for the tip). But then I wonder why they are considered MEDIUM.
Hi @elchenberg, according to our internal rules the "Ubuntu CVE tracker" is used to check Ubuntu vulnerabilities (https://aquasecurity.github.io/trivy/v0.36/docs/vulnerability/detection/data-source/), and this tracker counts both vulnerabilities as "Medium": https://ubuntu.com/security/CVE-2022-23521 https://ubuntu.com/security/CVE-2022-41903
@AndreyLevchenko Thank you!
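The exchange above shows the practical risk: a `--severity CRITICAL,HIGH` filter drops findings that the distro tracker rates Medium even when other sources rate them Critical. The following is an added example (not code from the thread or from the Trivy project) that post-processes a Trivy JSON report and filters on the highest severity any data source assigned; it assumes the report fields `Severity`, `SeveritySource` and `VendorSeverity` (integer ranks 0 UNKNOWN to 4 CRITICAL) and uses a constructed sample report.

```python
import json

# Severity ranks in ascending order; indices match Trivy's integer VendorSeverity values (assumption).
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the shape of `trivy image -f json` output: the top-level Severity follows
# the Ubuntu tracker (MEDIUM), while VendorSeverity carries each source's own rating.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "docker.io/library/buildpack-deps:jammy-scm (ubuntu 22.04)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-23521", "PkgName": "git", "InstalledVersion": "2.34.1",
             "Severity": "MEDIUM", "SeveritySource": "ubuntu",
             "VendorSeverity": {"ubuntu": 2, "nvd": 4, "redhat": 3}},
            {"VulnerabilityID": "CVE-2022-41903", "PkgName": "git", "InstalledVersion": "2.34.1",
             "Severity": "MEDIUM", "SeveritySource": "ubuntu",
             "VendorSeverity": {"ubuntu": 2, "nvd": 4}},
            # Constructed placeholder finding that no source rates above MEDIUM.
            {"VulnerabilityID": "CVE-0000-0000", "PkgName": "example-pkg", "InstalledVersion": "0.1",
             "Severity": "LOW", "SeveritySource": "ubuntu",
             "VendorSeverity": {"ubuntu": 1, "nvd": 2}},
        ],
    }],
})


def effective_severity(vuln):
    """Highest severity any source assigned, never lower than Trivy's own Severity field."""
    own = SEVERITY_ORDER.index(vuln.get("Severity", "UNKNOWN"))
    ranks = [min(v, 4) for v in vuln.get("VendorSeverity", {}).values() if isinstance(v, int)]
    return SEVERITY_ORDER[max([own] + ranks)]


def filter_report(report_json, min_severity):
    """Return (id, package, distro severity, effective severity) for findings at or above min_severity."""
    threshold = SEVERITY_ORDER.index(min_severity)
    hits = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:   # Trivy emits null when a target is clean
            eff = effective_severity(vuln)
            if SEVERITY_ORDER.index(eff) >= threshold:
                hits.append((vuln["VulnerabilityID"], vuln["PkgName"], vuln["Severity"], eff))
    return hits


if __name__ == "__main__":
    for vuln_id, pkg, distro_sev, eff in filter_report(SAMPLE_REPORT, "HIGH"):
        print(f"{vuln_id} {pkg}: distro={distro_sev} effective={eff}")
```

Run against a real report with `trivy image -f json -o report.json <image>` and pass the file contents to `filter_report`; the two git CVEs surface at CRITICAL even though an Ubuntu-only severity filter hides them.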
```
# git --version
git version 2.29.2
```

```
trivy fs --scanners vuln /bin/git
2023-03-06T06:39:11.398Z INFO Vulnerability scanning is enabled
2023-03-06T06:39:11.400Z INFO Number of language-specific files: 0
```

It is not detecting both of the CVEs when I do a filesystem scan.