
2 golang versions installed in docker image

Open jukedom opened this issue 2 years ago • 5 comments

Description

Our vulnerability scanning tool detects 2 versions of Go within the mariadb docker image 10.4.21-debian-10-r32. This leads to the same CVE being raised 2 times, once for each version.

Steps to reproduce the issue:

Launch the scanning tool on the Bitnami mariadb docker image.

Describe the results you received:

Extract from the tool result:

"applications": [
    {
        "name": "go",
        "version": "1.16.7",
        "path": "/opt/bitnami/common/bin/gosu"
    },
    {
        "name": "go",
        "version": "1.16.6",
        "path": "/opt/bitnami/common/bin/ini-file"
    }
]

Describe the results you expected:

Expecting only 1 version of Go installed on the mariadb Bitnami docker image.

jukedom, Jan 17 '22 10:01

Hi @dominiquemongelli,

Could you please give us more context about this issue?

The MariaDB image does not contain Go in it. Both gosu and ini-file are binaries compiled statically, so I don't understand what the vulnerability is if they have been compiled with different Go versions.

If the CVE affects both 1.16.7 and 1.16.6, I don't think it is a matter of both being compiled by the same version, but of them being compiled with a Go version where the CVE is fixed. Could you please share what CVE it is and if it is fixed?

migruiz4, Jan 18 '22 11:01
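The scanner output in the report does not come from a Go toolchain in the image; it comes from the build information the Go linker embeds in every Go binary, static or not (compiler version plus the module list). The following is an added example, not code from the Bitnami images or from the scanner in question, that reads that data with the standard library's debug/buildinfo package and groups binaries by compiler version, which is exactly why two differently built binaries show up as two "applications" carrying the same CVE. The Finding type and the function names are this example's own.

```go
// Added example: read the build info embedded in Go binaries, the same data
// a scanner such as trivy uses to report "go 1.16.7" for a static gosu binary.
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// Finding mirrors one entry of the "applications" list in the scanner report.
type Finding struct {
	Path      string
	GoVersion string   // compiler version as recorded by the linker, e.g. "go1.16.7"
	Modules   []string // "module-path version" for each dependency linked in
}

// Inspect reads the embedded build info from a single binary. This works for
// statically linked binaries as well: the information lives in the binary's
// own data section, not in any Go installation on the system.
func Inspect(path string) (Finding, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return Finding{}, fmt.Errorf("%s: no Go build info: %w", path, err)
	}
	f := Finding{Path: path, GoVersion: bi.GoVersion}
	for _, d := range bi.Deps {
		// A replaced module is reported under the replacement's path/version,
		// which is the version that actually ended up in the binary.
		if d.Replace != nil {
			d = d.Replace
		}
		f.Modules = append(f.Modules, d.Path+" "+d.Version)
	}
	return f, nil
}

// GroupByGoVersion shows why CVEs get duplicated: each distinct compiler
// version found in an image is a separate "application" for the scanner,
// so a Go CVE is matched once per version present. Files that carry no
// build info (non-Go binaries, stripped build info) are reported as errors.
func GroupByGoVersion(paths []string) (map[string][]string, []error) {
	groups := map[string][]string{}
	var errs []error
	for _, p := range paths {
		f, err := Inspect(p)
		if err != nil {
			errs = append(errs, err)
			continue
		}
		groups[f.GoVersion] = append(groups[f.GoVersion], p)
	}
	return groups, errs
}

func main() {
	// Usage: go run . /path/to/gosu /path/to/ini-file ...
	// With no arguments it inspects its own executable.
	paths := os.Args[1:]
	if len(paths) == 0 {
		self, err := os.Executable()
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		paths = []string{self}
	}
	groups, errs := GroupByGoVersion(paths)
	for ver, files := range groups {
		fmt.Printf("%s:\n", ver)
		for _, p := range files {
			f, _ := Inspect(p)
			fmt.Printf("  %s (%d modules)\n", p, len(f.Modules))
		}
	}
	for _, err := range errs {
		fmt.Fprintln(os.Stderr, "skipped:", err)
	}
	if len(groups) > 1 {
		fmt.Println("more than one Go version present: expect duplicated Go CVEs")
	}
}
```

To check a binary extracted from an image by hand, `go version -m /path/to/binary` prints the same embedded data; the module lines are what produce findings such as the runc entries shown later in this thread for gosu.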

The CVE raised by our security tool are the following:

CVE-2021-38297
CVE-2021-44716
CVE-2021-41772
CVE-2021-41771
CVE-2021-39293
CVE-2021-29923

They are raised for both versions of Go, 1.16.6 and 1.16.7. Not a big deal here as, as you mentioned, the MariaDB image does not contain or use Go. The fix version depends on the CVE itself. From a maintenance and security perspective, we are wondering if it's possible to include packages that depend on only 1 version of Go?

jukedom, Jan 18 '22 15:01

Hi @dominiquemongelli,

Thank you for the detailed information.

At the moment we can't unify the Go version used to compile since we are working on other priorities, but it is on our roadmap to compile those binaries with the latest compatible Go version, which would indeed remove those CVEs and help us release images including fixes quickly.

migruiz4, Jan 20 '22 07:01

@migruiz4 thanks for the feedback. Keep me posted once you have any target date for that.

jukedom, Jan 20 '22 08:01

We are going to transfer this issue to bitnami/containers.

In order to unify the approaches followed in Bitnami containers and Bitnami charts, we are moving some issues in bitnami/bitnami-docker-<container> repositories to bitnami/containers.

Please follow bitnami/containers to keep you updated about the latest bitnami images.

More information here: https://blog.bitnami.com/2022/07/new-source-of-truth-bitnami-containers.html

carrodher, Jul 28 '22 11:07

There are several issues (https://github.com/bitnami/containers/issues/7419#issuecomment-1277726989) where we have clarified the situation with gosu and CVEs. But probably the valuable information comes from the upstream OSS maintainers.

recena, Oct 14 '22 16:10

Hi, we are glad to announce that we got rid of gosu in all Bitnami container images, so the false positives previously reported by some CVE scanners will not appear anymore:

$ trivy image --ignore-unfixed bitnami/postgresql:15.2.0-debian-11-r22

bitnami/postgresql:15.2.0-debian-11-r22 (debian 11.6)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

opt/bitnami/common/bin/gosu (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

┌────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc │ CVE-2022-29162 │ HIGH     │ v1.1.0            │ v1.1.2        │ runc: incorrect handling of inheritable capabilities       │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-29162                 │
│                                ├────────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                                │ CVE-2023-27561 │          │                   │ v1.1.5        │ runc: volume mount race condition (regression of           │
│                                │                │          │                   │               │ CVE-2019-19921)                                            │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-27561                 │
│                                ├────────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                                │ CVE-2022-24769 │ MEDIUM   │                   │ v1.1.2        │ moby: Default inheritable capabilities for linux container │
│                                │                │          │                   │               │ should be empty                                            │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24769                 │
└────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

VS

$ trivy image --ignore-unfixed bitnami/postgresql:15.2.0-debian-11-r23

bitnami/postgresql:15.2.0-debian-11-r23 (debian 11.6)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

From now on, the gosu functionality is replaced by chroot. In this PR you can find an example of this implementation.

carrodher, May 03 '23 07:05