bpipe
Significant number of critical vulnerabilities reported in dependencies
Running trivy against version 0.9.1 reports 25 critical vulnerabilities in dependent libraries used by bpipe.
For example:
- CVE-2017-17485 https://avd.aquasec.com/nvd/cve-2017-17485
- CVE-2016-6809 https://avd.aquasec.com/nvd/cve-2016-6809
Would it be possible to update com.fasterxml.jackson.core:jackson-databind and org.apache.tika:tika-core?
thanks @slagelwa - I will see if there is any reason these dependencies were pinned and what we need to do to update them.
@slagelwa - any chance you could share the actual command line / configuration you are running with trivy? Will be helpful to check the problem is resolved.
Sorry, I must have missed the notice on this earlier. We're running trivy as part of our CI/CD and the security issues come up on a docker image that we're building for mintie. I can't get you the docker image at the moment, but this is the basic Dockerfile:
```dockerfile
FROM mambaorg/micromamba
RUN micromamba install -n base -y -c conda-forge -c bioconda \
    mintie==0.3.9 \
    && micromamba clean --all --yes
```
There are a couple of ways to run trivy against either the image or within a running container. The options we're using are essentially `--no-progress --timeout 10m -s CRITICAL --security-checks vuln`.
I also reproduced the following trivy report by starting with an official Ubuntu 22.04 container. I cloned the bpipe repo, built it (somewhat unsuccessfully I'm afraid as some unit tests failed), and then installed and ran trivy:
```shell
$ git clone https://github.com/ssadedin/bpipe.git
$ cd bpipe/
$ git checkout 0.9.11
$ ./gradlew build
$ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.18.3
$ trivy fs --no-progress --timeout 10m -s CRITICAL --security-checks vuln -f json -o report.json .
```
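The `report.json` produced by the last command above is what a CI gate would consume. The script below is an added example, not part of this thread or the bpipe project: it reads a trivy JSON report, keeps findings at or above a severity threshold, and groups the CVEs by package so the list of dependencies to bump (here jackson-databind and tika-core) falls out directly. The embedded report is a constructed sample with placeholder version strings, and the loader accepts both the bare-list layout of older trivy releases and the `Results`-keyed layout of newer ones.

```python
import json

# Constructed sample report (not real scan output); package names and CVE ids are
# the ones from this thread, version strings are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [{
        "Target": "Java", "Type": "jar",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2017-17485",
             "PkgName": "com.fasterxml.jackson.core:jackson-databind",
             "InstalledVersion": "x.y.z", "FixedVersion": "x.y.z+1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2016-6809",
             "PkgName": "org.apache.tika:tika-core",
             "InstalledVersion": "a.b", "FixedVersion": "a.b+1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-EXAMPLE-0001",   # constructed, below threshold
             "PkgName": "org.example:lib",
             "InstalledVersion": "1.0", "FixedVersion": "", "Severity": "HIGH"},
        ],
    }],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def load_results(report_text):
    """Return the list of per-target results, whichever top-level layout trivy used."""
    data = json.loads(report_text)
    return data if isinstance(data, list) else data.get("Results", [])


def findings(report_text, min_severity="CRITICAL"):
    """(package, cve, installed, fixed) tuples at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    out = []
    for result in load_results(report_text):
        for v in result.get("Vulnerabilities") or []:   # key is null when clean
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) >= threshold:
                out.append((v["PkgName"], v["VulnerabilityID"],
                            v.get("InstalledVersion", ""), v.get("FixedVersion", "")))
    return out


def packages_to_upgrade(report_text, min_severity="CRITICAL"):
    """Group CVEs by package: the list a maintainer needs in order to bump versions."""
    by_pkg = {}
    for pkg, cve, _installed, _fixed in findings(report_text, min_severity):
        by_pkg.setdefault(pkg, set()).add(cve)
    return by_pkg


def ci_gate(report_text, min_severity="CRITICAL"):
    """Print offending packages and return 1 (fail the build) if any exist, else 0."""
    by_pkg = packages_to_upgrade(report_text, min_severity)
    for pkg, cves in sorted(by_pkg.items()):
        print(f"{pkg}: {', '.join(sorted(cves))}")
    return 1 if by_pkg else 0
```

In a pipeline, `raise SystemExit(ci_gate(open("report.json").read()))` after the `trivy fs ... -f json -o report.json` step turns the report into a pass/fail signal.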