
Erroneous count in logs for images with multiple scanned entries (Target)

Open fr33ky opened this issue 3 years ago • 0 comments

Hi,

Running estafette-vulnerability-scanner on tag 0.1.15, I noticed a weird warning message for grafana/grafana:7.5.5:

WRN Image grafana/grafana:7.5.5 has 0 vulnerabilities!

Checking the report via the configmap, the correct vulnerabilities are reported (1 High, 2 Medium).

Also, for the image rancher/klipper-helm:v0.4.3, the log message reports:

WRN Image rancher/klipper-helm:v0.4.3 has 14 vulnerabilities!

when the configmap states:

"rancher/klipper-helm:v0.4.3": {
  "HIGH": 10,
  "LOW": 2,
  "MEDIUM": 7
},

Running the trivy command on my side, I suspect estafette-vulnerability-scanner only cares about the first scanned entry (Target in the JSON), which seems to relate to len(vulnerabilityReports[0].Vulnerabilities) in main.go.

$ trivy --version
Version: 0.18.3
$ trivy --quiet --light --format json grafana/grafana:7.5.5
[
  {
    "Target": "grafana/grafana:7.5.5 (alpine 3.12.7)",
    "Type": "alpine"
  },
  {
    "Target": "usr/share/grafana/bin/grafana-cli",
    "Type": "gobinary"
  },
  {
    "Target": "usr/share/grafana/bin/grafana-server",
    "Type": "gobinary",
    "Vulnerabilities": [
      {
        "VulnerabilityID": "CVE-2020-13949",
        "PkgName": "github.com/apache/thrift",
        "InstalledVersion": "v0.13.0",
        "FixedVersion": "v0.14.0",
        "Layer": {
          "Digest": "sha256:277b7241bff8e5e3fc20d0484feb9a7413177c532f580c8ac7b10e006b92dfea",
          "DiffID": "sha256:57a125e48e58af770fb0fcf0fa559867e40e527aa98544acbbe64195808b0b7f"
        },
        "SeveritySource": "nvd",
        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-13949",
        "Severity": "HIGH"
      },
      {
        "VulnerabilityID": "CVE-2021-31232",
        "PkgName": "github.com/cortexproject/cortex",
        "InstalledVersion": "v1.4.1-0.20201022071705-85942c5703cf",
        "FixedVersion": "v1.8.1",
        "Layer": {
          "Digest": "sha256:277b7241bff8e5e3fc20d0484feb9a7413177c532f580c8ac7b10e006b92dfea",
          "DiffID": "sha256:57a125e48e58af770fb0fcf0fa559867e40e527aa98544acbbe64195808b0b7f"
        },
        "SeveritySource": "nvd",
        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-31232",
        "Severity": "MEDIUM"
      },
      {
        "VulnerabilityID": "CVE-2019-3826",
        "PkgName": "github.com/prometheus/prometheus",
        "InstalledVersion": "v1.8.2-0.20201105135750-00f16d1ac3a4",
        "FixedVersion": "v2.7.1",
        "Layer": {
          "Digest": "sha256:277b7241bff8e5e3fc20d0484feb9a7413177c532f580c8ac7b10e006b92dfea",
          "DiffID": "sha256:57a125e48e58af770fb0fcf0fa559867e40e527aa98544acbbe64195808b0b7f"
        },
        "SeveritySource": "nvd",
        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-3826",
        "Severity": "MEDIUM"
      }
    ]
  }
]

For testing purposes, I also deployed estafette-vulnerability-scanner with tag 0.1.16-main-152, with the same results.

Regards

fr33ky, Jun 02 '21 10:06
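The counting discrepancy described in this issue, reproduced as an added example (this is not estafette-vulnerability-scanner's or Trivy's own code; the type and function names are assumed, and the embedded JSON is a constructed, trimmed copy of the grafana/grafana:7.5.5 report above with only the fields the example needs). Trivy's JSON output is an array with one entry per scanned target (the OS package layer, each Go binary, and so on), so counting only the first entry gives 0 for an image whose findings live in a later target, while summing over every entry matches the per-severity breakdown in the configmap:

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
)

// Vulnerability is the subset of a Trivy finding this example reads.
type Vulnerability struct {
	VulnerabilityID string `json:"VulnerabilityID"`
	PkgName         string `json:"PkgName"`
	Severity        string `json:"Severity"`
}

// Report is one scanned target from `trivy --format json`; the field names
// match Trivy's output. A target with no findings simply omits "Vulnerabilities".
type Report struct {
	Target          string          `json:"Target"`
	Type            string          `json:"Type"`
	Vulnerabilities []Vulnerability `json:"Vulnerabilities"`
}

// sampleTrivyJSON is a constructed, trimmed-down copy of the grafana/grafana:7.5.5
// report from the issue: three targets, only the last one carrying findings.
const sampleTrivyJSON = `[
  {"Target": "grafana/grafana:7.5.5 (alpine 3.12.7)", "Type": "alpine"},
  {"Target": "usr/share/grafana/bin/grafana-cli", "Type": "gobinary"},
  {"Target": "usr/share/grafana/bin/grafana-server", "Type": "gobinary",
   "Vulnerabilities": [
     {"VulnerabilityID": "CVE-2020-13949", "PkgName": "github.com/apache/thrift", "Severity": "HIGH"},
     {"VulnerabilityID": "CVE-2021-31232", "PkgName": "github.com/cortexproject/cortex", "Severity": "MEDIUM"},
     {"VulnerabilityID": "CVE-2019-3826", "PkgName": "github.com/prometheus/prometheus", "Severity": "MEDIUM"}
   ]}
]`

// parseReports decodes the Trivy JSON array into one Report per target.
func parseReports(data []byte) ([]Report, error) {
	var reports []Report
	if err := json.Unmarshal(data, &reports); err != nil {
		return nil, err
	}
	return reports, nil
}

// countFirstTargetOnly reproduces the suspected bug: it looks only at the first
// target, so findings in a later Go binary or other target are never counted.
func countFirstTargetOnly(reports []Report) int {
	if len(reports) == 0 {
		return 0
	}
	return len(reports[0].Vulnerabilities)
}

// countAllTargets sums findings across every target in the report.
func countAllTargets(reports []Report) int {
	total := 0
	for _, r := range reports {
		total += len(r.Vulnerabilities)
	}
	return total
}

// countBySeverity builds the HIGH/MEDIUM/LOW breakdown the configmap shows,
// again walking every target rather than just the first.
func countBySeverity(reports []Report) map[string]int {
	counts := map[string]int{}
	for _, r := range reports {
		for _, v := range r.Vulnerabilities {
			counts[v.Severity]++
		}
	}
	return counts
}

func main() {
	reports, err := parseReports([]byte(sampleTrivyJSON))
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("first-target-only count: %d\n", countFirstTargetOnly(reports)) // 0
	fmt.Printf("all-targets count:       %d\n", countAllTargets(reports))      // 3
	fmt.Printf("by severity:             %v\n", countBySeverity(reports))      // map[HIGH:1 MEDIUM:2]
}
```

Run the same code over the full rancher/klipper-helm:v0.4.3 output and the first-target figure (14) versus the summed figure (10 + 7 + 2 = 19) reproduces the second mismatch in the issue; the fix in the scanner is to sum over all targets, as countAllTargets does, or to derive the total from the same per-severity map that already feeds the configmap.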