trivy
trivy copied to clipboard
Published
20 hours ago •
aquasecurity
aquasecurity
bug(cyclonedx): Trivy image scan reports and counts the same CVE for the same package multiple times
Discussed in https://github.com/aquasecurity/trivy/discussions/5788
Originally posted by LesSyner December 15, 2023
Description
Trivy sometimes reports the same CVE for te same package multiple times (in single scan) resulting in incorrect number of CVEs for image.
Desired Behavior
trivy should report the same CVE for the same package only once
Actual Behavior
trivy reports multiple CVEs when in fact it's single occurance. Here is an example:
{
"id": "CVE-2023-44981",
"source": {
"name": "ghsa",
"url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
},
"ratings": [
{
"source": {
"name": "bitnami"
},
"score": 9.1,
"severity": "critical",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
{
"source": {
"name": "ghsa"
},
"score": 9.1,
"severity": "critical",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
{
"source": {
"name": "nvd"
},
"score": 9.1,
"severity": "critical",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
{
"source": {
"name": "redhat"
},
"score": 9.1,
"severity": "critical",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
}
],
"cwes": [
639
],
"description": "Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it's missing, like '[email protected]', the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default.\n\nUsers are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue.\n\nAlternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue.\n\nSee the documentation for more details on correct cluster administration.\n",
"recommendation": "Upgrade org.apache.zookeeper:zookeeper to version 3.7.2, 3.8.3, 3.9.1",
"advisories": [
{
"url": "https://avd.aquasec.com/nvd/cve-2023-44981"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/10/11/4"
},
{
"url": "https://access.redhat.com/security/cve/CVE-2023-44981"
},
{
"url": "https://github.com/apache/zookeeper"
},
{
"url": "https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00029.html"
},
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44981"
},
{
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44981"
},
{
"url": "https://www.debian.org/security/2023/dsa-5544"
}
],
"published": "2023-10-11T12:15:00+00:00",
"updated": "2023-11-01T07:15:00+00:00",
"affects": [
{
"ref": "pkg:maven/org.apache.zookeeper/[email protected]?file_path=usr%2Fshare%2Fjava%2Fconfluent-control-center%2Fzookeeper-3.6.3.jar",
"versions": [
{
"version": "3.6.3",
"status": "affected"
}
]
},
{
"ref": "pkg:maven/org.apache.zookeeper/[email protected]?file_path=usr%2Fshare%2Fjava%2Fconfluent-control-center%2Fzookeeper-3.6.3.jar",
"versions": [
{
"version": "3.6.3",
"status": "affected"
}
]
},
{
"ref": "pkg:maven/org.apache.zookeeper/[email protected]?file_path=usr%2Fshare%2Fjava%2Fconfluent-control-center%2Fzookeeper-3.6.3.jar",
"versions": [
{
"version": "3.6.3",
"status": "affected"
}
]
},
{
"ref": "pkg:maven/org.apache.zookeeper/[email protected]?file_path=usr%2Fshare%2Fjava%2Fconfluent-control-center%2Fzookeeper-3.6.3.jar",
"versions": [
{
"version": "3.6.3",
"status": "affected"
}
]
},
{
"ref": "pkg:maven/org.apache.zookeeper/[email protected]?file_path=usr%2Fshare%2Fjava%2Fconfluent-control-center%2Fzookeeper-3.6.3.jar",
"versions": [
{
"version": "3.6.3",
"status": "affected"
}
]
}
]
},
Reproduction Steps
1. trivy image --ignore-unfixed confluentinc/cp-schema-registry:7.5.2 --scanners vuln --severity CRITICAL -f cyclonedx
Target
Container Image
Scanner
Vulnerability
Output Format
CycloneDX
Mode
Standalone
Debug Output
2023-12-15T10:36:47.504+0100 DEBUG ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2023-12-15T10:36:47.505+0100 DEBUG Severities: ["CRITICAL"]
2023-12-15T10:36:47.506+0100 DEBUG Ignore statuses {"statuses": ["unknown","not_affected","affected","under_investigation","will_not_fix","fix_deferred","end_of_life"]}
2023-12-15T10:36:47.523+0100 DEBUG cache dir: /Users/test/Library/Caches/trivy
2023-12-15T10:36:47.523+0100 DEBUG DB update was skipped because the local DB is the latest
2023-12-15T10:36:47.523+0100 DEBUG DB Schema: 2, UpdatedAt: 2023-12-15 06:10:50.163004975 +0000 UTC, NextUpdate: 2023-12-15 12:10:50.163004594 +0000 UTC, DownloadedAt: 2023-12-15 09:18:37.448303 +0000 UTC
2023-12-15T10:36:47.524+0100 INFO Vulnerability scanning is enabled
2023-12-15T10:36:47.524+0100 DEBUG Vulnerability type: [os library]
2023-12-15T10:36:47.524+0100 DEBUG Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2023-12-15T10:36:49.274+0100 DEBUG The nuget packages directory couldn't be found. License search disabled
2023-12-15T10:36:49.454+0100 DEBUG Image ID: sha256:9c75bce947731d3ed3fba8e9f3d4646b2d15c3036f6d9062c5c4dd275a5045cc
2023-12-15T10:36:49.454+0100 DEBUG Diff IDs: [sha256:1053d00b8e292c8a36bef630a0f4977b29da4e2fd60ac9425e0fcd1f7c1108d5 sha256:2784298e924345d0daf7eed5793662efbeb830bd3f83bc1bdf58dacf7a266477 sha256:e6074c53f57ac4a6c1163951950677943cf3608a3e79b400961eac20e44631d3 sha256:cf101d0177010a1169bd2c88481fa1086ee4eaf8f2433ccb431c657c3aa645e9 sha256:04394050f85b15adb4e989d29cbeaa2823aeec2928e1f17619a7fe83880ffcb7 sha256:f2f1f826c954809927a3684e569272533a951c885163b65efa2d021fb0d60759 sha256:9ab333f76a764635010e0f6872a40a21ce4f678a189689f2d6ec197d0880482f sha256:905c75c815e0a8cda612ef911e8a58eb3b34ed202f743cf847ced2850cd9bee7 sha256:d43f08d70ed9b8566f13578e2ab55a2697b7292dd1fccf107b28b007e877ca5a sha256:2b5c9ac251e65f3863a1c284b0b33bfc09deaf038f7d2a52997149b17daaf16e sha256:55d28c8a35a4f7d553aed857bba92f60f53bd38271d486166e6eb57e068e1871]
2023-12-15T10:36:49.454+0100 DEBUG Base Layers: []
2023-12-15T10:36:49.575+0100 INFO Detected OS: redhat
2023-12-15T10:36:49.575+0100 INFO Detecting RHEL/CentOS vulnerabilities...
2023-12-15T10:36:49.575+0100 DEBUG Red Hat: os version: 8
2023-12-15T10:36:49.575+0100 DEBUG Red Hat: the number of packages: 188
2023-12-15T10:36:49.632+0100 INFO Number of language-specific files: 2
2023-12-15T10:36:49.632+0100 INFO Detecting python-pkg vulnerabilities...
2023-12-15T10:36:49.632+0100 DEBUG Detecting library vulnerabilities, type: python-pkg, path:
2023-12-15T10:36:49.635+0100 INFO Detecting jar vulnerabilities...
2023-12-15T10:36:49.635+0100 DEBUG Detecting library vulnerabilities, type: jar, path:
2023-12-15T10:36:49.691+0100 DEBUG Found an ignore file: .trivyignore
Operating System
macOS Sonoma 14.2
Version
Version: 0.48.0
Vulnerability DB:
Version: 2
UpdatedAt: 2023-12-15 06:10:50.163004975 +0000 UTC
NextUpdate: 2023-12-15 12:10:50.163004594 +0000 UTC
DownloadedAt: 2023-12-15 09:18:37.448303 +0000 UTC
Java DB:
Version: 1
UpdatedAt: 2023-12-15 00:45:03.307690097 +0000 UTC
NextUpdate: 2023-12-18 00:45:03.307689947 +0000 UTC
DownloadedAt: 2023-12-15 09:19:43.769488 +0000 UTC
Checklist
- [X] Run
trivy image --reset - [X] Read the troubleshooting
Also there is problem with same jars in different folders.
We create only 1 component:
json report:
"Packages": [
{
"Name": "com.fasterxml.jackson.core:jackson-databind",
"Version": "2.13.4",
"Layer": {},
"FilePath": "1/jackson-databind-2.13.4.jar"
},
{
"Name": "com.fasterxml.jackson.core:jackson-databind",
"Version": "2.13.4",
"Layer": {},
"FilePath": "2/jackson-databind-2.13.4.jar"
}
],
cyclonedx report:
"components": [
{
"bom-ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]?file_path=2%2Fjackson-databind-2.13.4.jar",
"type": "library",
"group": "com.fasterxml.jackson.core",
"name": "jackson-databind",
"version": "2.13.4",
"purl": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:FilePath",
"value": "2/jackson-databind-2.13.4.jar"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "jar"
}
]
}
],
Things look a bit different after further investigation:
- trivy with standard table output (
trivy image --ignore-unfixed confluentinc/cp-schema-registry:7.5.2 --scanners vuln --severity CRITICAL) reports the same CVE (CVE-2023-44981) and with count 5 but now for 2 jars: org.apache.zookeeper:zookeeper (acl-7.5.2.jar) and org.apache.zookeeper:zookeeper (zookeeper-3.6.3.jar). - I've extracted both jars from the image, unpacked them fully and checked that table report shows properly that there is zookeeper-3.6.3 also inside acl. So your remark @DmitriyLewen about ticket #5798 may be good direction. It's already somehow shown in tabe format but not in cyclonedx format.
- I've ran "trivy fs" with dir containing both jars unpacked, each in separate subdir, and it shows different results:
- acl/META-INF/maven/org.apache.zookeeper/zookeeper with 1 critical CVE coming from org.apache.zookeeper:zookeeper 3.6.3 (the same CVE ID as reported in cyclonedx format)
- zookeeper/META-INF/maven/org.apache.zookeeper/zookeeper with 1 critical CVE coming from org.apache.zookeeper:zookeeper 3.6.3 (the same CVE ID as reported in cyclonedx format)
- acl/META-INF/maven/com.hubspot.jackson/jackson-datatype-protobuf with 12 critical CVEs coming from com.fasterxml.jackson.core:jackson-databind 2.9.9.
Now I'm confused - cyclonedx format reporting issues, table format partially ok (showing 2 separate files with this CVE), both formats don't show additional 12 critical CVEs (total 62 CVEs, both numbers with --ignore-unfixed switch).
Hello @LesSyner Thanks for your investigation.
both formats don't show additional 12 critical CVEs
I am focusing on fixing CycloneDX logic. After that i will check this case.
I checked acl-7.5.2.jar:
When you scan in fs more - Trivy checks pom.xml files
But when you scan in image (or rootfs) mode Trivy checks jar files (Trivy checks pom.properties, MANIFEST.MF and nested jars inside found jar) - https://aquasecurity.github.io/trivy/v0.48/docs/coverage/language/java/#jarwarparear
More about fs/image mode - https://aquasecurity.github.io/trivy/v0.48/docs/coverage/language/#supported-languages
For your case:
-
fsmode - Trivy finds./acl/META-INF/maven/com.hubspot.jackson/jackson-datatype-protobuf/pom.xmlfile:
<groupId>com.hubspot.jackson</groupId>
<artifactId>jackson-datatype-protobuf</artifactId>
<version>0.9.11-jackson2.9</version>
<description>Jackson Module that adds support for reading/writing protobufs</description>
<properties>
<basepom.check.skip-dependency-versions-check>true</basepom.check.skip-dependency-versions-check>
<dep.jackson.version>2.9.9</dep.jackson.version>
<dep.jackson-databind.version>2.9.9</dep.jackson-databind.version>
<dep.protobuf-java.version>3.8.0</dep.protobuf-java.version>
</properties>
<dependencies>
...
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
</dependency>
<dependency>
And detects jackson-databind 2.9.9, just like mvn does:
[INFO] com.hubspot.jackson:jackson-datatype-protobuf:jar:0.9.11-jackson2.9
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.9:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile
-
imagemode: Trivy finds./acl/META-INF/maven/com.hubspot.jackson/jackson-datatype-protobuf/pom.propertiesfile:
#Created by Apache Maven 3.6.1
version=0.9.11-jackson2.9
groupId=com.hubspot.jackson
artifactId=jackson-datatype-protobuf
This file doesn't have info about jackson-databind.
But acl-7.5.2.jar have ./acl/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties file:
version=2.14.2
groupId=com.fasterxml.jackson.core
artifactId=jackson-databind
That is why Trivy finds vulnerabilities only for com.fasterxml.jackson.core:[email protected].
I digged deeper since so far there was no justification for 5 critical CVEs. And I've found them in report in json format. So in fact summary in all formats is ok (regarding 5 instances of CVE-2023-44981), only proper details are missing in table and cyclonedx format.
"VulnerabilityID": "CVE-2023-44981",
"PkgName": "org.apache.zookeeper:zookeeper",
"PkgPath": "usr/share/java/acl/acl-7.5.2.jar",
"InstalledVersion": "3.6.3",
"VulnerabilityID": "CVE-2023-44981",
"PkgName": "org.apache.zookeeper:zookeeper",
"PkgPath": "usr/share/java/confluent-control-center/zookeeper-3.6.3.jar",
"InstalledVersion": "3.6.3",
"VulnerabilityID": "CVE-2023-44981",
"PkgName": "org.apache.zookeeper:zookeeper",
"PkgPath": "usr/share/java/confluent-security/connect/zookeeper-3.6.3.jar",
"InstalledVersion": "3.6.3",
"VulnerabilityID": "CVE-2023-44981",
"PkgName": "org.apache.zookeeper:zookeeper",
"PkgPath": "usr/share/java/cp-base-new/zookeeper-3.6.3.jar",
"InstalledVersion": "3.6.3",
"VulnerabilityID": "CVE-2023-44981",
"PkgName": "org.apache.zookeeper:zookeeper",
"PkgPath": "usr/share/java/schema-registry/zookeeper-3.6.3.jar",
"InstalledVersion": "3.6.3",
this problem is related with Applications aggregation. there is #4249 about table format.
I have the same problem. I made a very simple script that you can use to temporarily fix this issue. Here is the up-to-date gist : https://gist.github.com/topiga/4d459e6a922c2f08fec5a211975316fb Here is the code as of today, 25th April 2024
import json
import argparse
def remove_duplicates(json_data):
for vulnerability in json_data['vulnerabilities']:
affects = vulnerability['affects']
unique_affects = []
seen_refs = set()
for affect in affects:
ref = affect['ref']
if ref not in seen_refs:
seen_refs.add(ref)
unique_affects.append(affect)
vulnerability['affects'] = unique_affects
return json_data
def main():
parser = argparse.ArgumentParser(description='Fix CycloneDX file by removing duplicate items in the "affects" array.')
parser.add_argument('--input', dest='input_file', required=True, help='Path to the input CycloneDX file')
parser.add_argument('--output', dest='output_file', required=True, help='Path to the output fixed CycloneDX file')
args = parser.parse_args()
try:
with open(args.input_file, 'r') as file:
cyclonedx_data = json.load(file)
except FileNotFoundError:
print(f'Error: input file "{args.input_file}" not found')
return
except json.JSONDecodeError as e:
print(f'Error: invalid JSON format in input file "{args.input_file}"')
print(f'JSON error: {str(e)}')
return
updated_data = remove_duplicates(cyclonedx_data)
try:
with open(args.output_file, 'w') as file:
json.dump(updated_data, file, indent=2)
except IOError as e:
print(f'Error: failed to write output file "{args.output_file}"')
print(f'IO error: {str(e)}')
return
print(f'Fixed CycloneDX data written to "{args.output_file}"')
if __name__ == '__main__':
main()
Hello @topiga
Can you check this issue with latest Trivy? I think #6240 should fix this problem. e.g.:
Last login: Fri Apr 26 07:35:23 on ttys001
➜ tree ./dir
./dir
├── dir1
│ └── jackson-databind-2.13.4.jar
└── dir2
└── jackson-databind-2.13.4.jar
3 directories, 2 files
➜ trivy -q rootfs -f cyclonedx ./dir
{
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:45d8a637-d34b-4700-949d-911410f35c5a",
"version": 1,
"metadata": {
"timestamp": "2024-04-26T01:45:03+00:00",
"tools": {
"components": [
{
"type": "application",
"group": "aquasecurity",
"name": "trivy",
"version": "0.50.4"
}
]
},
"component": {
"bom-ref": "138052f2-ad09-4e00-824f-575c21306aaf",
"type": "application",
"name": "dir",
"properties": [
{
"name": "aquasecurity:trivy:SchemaVersion",
"value": "2"
}
]
}
},
"components": [
{
"bom-ref": "08210638-25c1-4d60-b4e6-2c59ed622f01",
"type": "library",
"group": "com.fasterxml.jackson.core",
"name": "jackson-databind",
"version": "2.13.4",
"purl": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:FilePath",
"value": "dir2/jackson-databind-2.13.4.jar"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "jar"
}
]
},
{
"bom-ref": "5fb0bb40-d596-4e92-8597-5a1ccb4fa503",
"type": "library",
"group": "com.fasterxml.jackson.core",
"name": "jackson-databind",
"version": "2.13.4",
"purl": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:FilePath",
"value": "dir1/jackson-databind-2.13.4.jar"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "jar"
}
]
}
],
"dependencies": [
{
"ref": "08210638-25c1-4d60-b4e6-2c59ed622f01",
"dependsOn": []
},
{
"ref": "138052f2-ad09-4e00-824f-575c21306aaf",
"dependsOn": [
"08210638-25c1-4d60-b4e6-2c59ed622f01",
"5fb0bb40-d596-4e92-8597-5a1ccb4fa503"
]
},
{
"ref": "5fb0bb40-d596-4e92-8597-5a1ccb4fa503",
"dependsOn": []
}
],
"vulnerabilities": []
}
The problem still persists, also with the latest trivy version (0.52.2). In fact the CycloneDX file generated violates the schema (because of non-unique $.vulnerabilities[x].affects[*] which means that tools such as Dependency Track will reject the SBOM when being uploaded.
To reproduce run trivy image -f cyclonedx -o ap.cdx.json --scanners license,vuln registry.hub.knime.com/knime/knime-full:r-5.2.0-271 and look for CVE-2014-125087.
Hello @sithmein Thanks for information!
Created #7023 for your issue.
Regards, Dmitriy