Auto Pushed From Action

.github/workflows/trivy_scan.yml

@@ -0,0 +1,30 @@
+name: Trivy_Scan
+
+on:
+  push:
+    branches:
+    - release/*
+  schedule:
+  - cron: "0 */4 * * *"       
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v1    
+    - name: Run trivy scan
+      run: |
+        sh trivy_scan.sh      
+    - name: Push to master
+      uses: tcitry/push-to-master@v1.0
+      with:
+        GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+      env:
+        GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+    - name: Upload artifact
+      uses: actions/upload-artifact@v1.0.0
+      with:
+        # Artifact name
+        name: "Trivy_reports"
+        # Directory containing files to upload
+        path: "reports"  

README.md

@@ -0,0 +1,2 @@
+# Introduction
+This repo contains [Trivy](https://github.com/aquasecurity/trivy/) scan reports for some popular docker hub and gcr images. The exact list can be found in this [file](https://github.com/AppThreat/hub_scan/blob/master/image-list.txt). Using a GitHub [action](https://github.com/AppThreat/hub_scan/blob/master/.github/workflows/trivy_scan.yml), scans are performed periodically and the reports get updated in the master branch automatically.

cloudbuild.yaml

@@ -0,0 +1,6 @@
+steps:
+- name: gcr.io/cloud-builders/gsutil
+  args: ['-m', 'cp', 'reports/*.json', 'gs://hub_reports/']
+- name: gcr.io/$PROJECT_ID/bq
+  args: ['load', '--replace', '--ignore_unknown_values', '--autodetect', '--source_format=NEWLINE_DELIMITED_JSON', 'hub_reports.hub_reports', 'gs://hub_reports/full-report.json']
+timeout: 1200s

image-list.txt

@@ -0,0 +1,65 @@
+ubuntu
+busybox
+alpine
+centos
+debian
+amazonlinux
+golang
+openjdk
+ruby
+php
+python
+node
+java
+bash
+perl
+groovy
+jruby
+pypy
+elixir
+erlang
+haxe
+swift
+clojure
+consul
+maven
+sonarqube
+jenkins
+mysql
+postgres
+traefik
+redis
+mongo
+registry
+httpd
+wordpress
+elasticsearch
+ghost
+solr
+joomla
+redmine
+notary
+splunk-enterprise
+filebeat
+metricbeat
+apm-server
+packetbeat
+auditbeat
+splunk-universal-forwarder
+appdynamics
+heartbeat
+gcr.io/cloud-builders/gcloud
+gcr.io/cloud-builders/docker
+gcr.io/cloud-builders/git
+gcr.io/cloud-builders/go
+gcr.io/cloud-builders/gradle
+gcr.io/cloud-builders/mvn
+gcr.io/cloud-builders/kubectl
+gcr.io/cloud-builders/npm
+gcr.io/cloud-builders/curl
+gcr.io/cloud-builders/dotnet
+gcr.io/cloud-builders/git
+gcr.io/cloud-builders/gsutil
+gcr.io/cloud-builders/javac
+gcr.io/cloud-builders/wget
+gcr.io/cloud-builders/yarn

reports/alpine-f.json

@@ -0,0 +1 @@
+{"Target":"alpine (alpine 3.14.2)","Vulnerabilities":[{"VulnerabilityID":"CVE-2020-28928","PkgName":"musl","InstalledVersion":"1.2.2-r3","FixedVersion":"1.2.2_pre2-r0","Description":"In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).","Severity":"MEDIUM","References":["http://www.openwall.com/lists/oss-security/2020/11/20/4","https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1@%3Cnotifications.apisix.apache.org%3E","https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e@%3Cnotifications.apisix.apache.org%3E","https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2@%3Cnotifications.apisix.apache.org%3E","https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/","https://musl.libc.org/releases.html"]}]}

reports/bash-f.json

@@ -0,0 +1 @@
+{"Target":"bash (alpine 3.14.2)","Vulnerabilities":[{"VulnerabilityID":"CVE-2021-33560","PkgName":"libgcrypt","InstalledVersion":"1.9.3-r0","FixedVersion":"1.9.4-r0","Title":"libgcrypt: mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm","Description":"Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.","Severity":"HIGH","References":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33560","https://dev.gnupg.org/T5305","https://dev.gnupg.org/T5328","https://dev.gnupg.org/T5466","https://dev.gnupg.org/rCe8b7f10be275bcedb5fc05ed4837a89bfd605c61","https://eprint.iacr.org/2021/923","https://lists.debian.org/debian-lts-announce/2021/06/msg00021.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BKKTOIGFW2SGN3DO2UHHVZ7MJSYN4AAB/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7OAPCUGPF3VLA7QAJUQSL255D4ITVTL/","https://ubuntu.com/security/notices/USN-5080-1","https://ubuntu.com/security/notices/USN-5080-2"]},{"VulnerabilityID":"CVE-2020-28928","PkgName":"musl","InstalledVersion":"1.2.2-r3","FixedVersion":"1.2.2_pre2-r0","Description":"In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).","Severity":"MEDIUM","References":["http://www.openwall.com/lists/oss-security/2020/11/20/4","https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1@%3Cnotifications.apisix.apache.org%3E","https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e@%3Cnotifications.apisix.apache.org%3E","https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2@%3Cnotifications.apisix.apache.org%3E","https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/","https://musl.libc.org/releases.html"]},{"VulnerabilityID":"CVE-2021-3580","PkgName":"nettle","InstalledVersion":"3.7.2-r0","FixedVersion":"3.7.3-r0","Title":"nettle: Remote crash in RSA decryption via manipulated ciphertext","Description":"A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.","Severity":"HIGH","References":["https://bugzilla.redhat.com/show_bug.cgi?id=1967983","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3580","https://lists.debian.org/debian-lts-announce/2021/09/msg00008.html","https://ubuntu.com/security/notices/USN-4990-1"]}]}

reports/consul-f.json

@@ -0,0 +1 @@
+{"Target":"consul (alpine 3.13.6)","Vulnerabilities":[{"VulnerabilityID":"CVE-2021-22945","PkgName":"curl","InstalledVersion":"7.78.0-r0","FixedVersion":"7.79.0-r0","Title":"curl: use-after-free and double-free in MQTT sending","Description":"When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*.","Severity":"HIGH","References":["https://curl.se/docs/CVE-2021-22945.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22945","https://hackerone.com/reports/1269242","https://ubuntu.com/security/notices/USN-5079-1"]},{"VulnerabilityID":"CVE-2021-22946","PkgName":"curl","InstalledVersion":"7.78.0-r0","FixedVersion":"7.79.0-r0","Title":"curl: protocol downgrade required TLS bypassed","Description":"A flaw was found in curl. This flaw lies in the --ssl-reqd option or related settings in libcurl. Users specify this flag to upgrade to TLS when communicating with either IMAP, POP3 or a FTP server. An attacker controlling such servers could return a crafted response which could lead to curl client continue its operation without TLS encryption leading to data being transmitted in clear text over the network. The highest threat from this vulnerability is to data confidentiality.","Severity":"MEDIUM","References":["https://curl.se/docs/CVE-2021-22946.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22946","https://ubuntu.com/security/notices/USN-5079-1","https://ubuntu.com/security/notices/USN-5079-2"]},{"VulnerabilityID":"CVE-2021-22947","PkgName":"curl","InstalledVersion":"7.78.0-r0","FixedVersion":"7.79.0-r0","Title":"curl: STARTTLS protocol injection via MITM","Description":"A flaw was found in curl. The flaw lies in how curl handles cached or pipelined responses that it receives from either a IMAP, POP3, SMTP or FTP server before the TLS upgrade using STARTTLS. In such a scenario curl even after upgrading to TLS would trust these cached responses treating them as valid and authenticated and use them. An attacker could potentially use this flaw to carry out a Man-In-The-Middle attack. The highest threat from this vulnerability is to data confidentiality.","Severity":"MEDIUM","References":["https://curl.se/docs/CVE-2021-22947.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22947","https://launchpad.net/bugs/1944120 (regression bug)","https://ubuntu.com/security/notices/USN-5079-1","https://ubuntu.com/security/notices/USN-5079-2","https://ubuntu.com/security/notices/USN-5079-3","https://ubuntu.com/security/notices/USN-5079-4"]},{"VulnerabilityID":"CVE-2016-4074","PkgName":"jq","InstalledVersion":"1.6-r1","FixedVersion":"1.6_rc1-r0","Title":"jq: stack exhaustion via jv_dump_term() function","Description":"The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted JSON file. This issue has been fixed in jg 1.6_rc1-r0.","Severity":"HIGH","References":["http://www.openwall.com/lists/oss-security/2016/04/24/3","http://www.openwall.com/lists/oss-security/2016/04/24/4","https://github.com/NixOS/nixpkgs/pull/18908","https://github.com/hashicorp/consul/issues/10263","https://github.com/stedolan/jq/","https://github.com/stedolan/jq/issues/1136"]},{"VulnerabilityID":"CVE-2021-40528","PkgName":"libgcrypt","InstalledVersion":"1.8.8-r0","FixedVersion":"1.8.8-r1","Title":"libgcrypt: ElGamal implementation allows plaintext recovery","Description":"The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.","Severity":"MEDIUM","References":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40528","https://eprint.iacr.org/2021/923","https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1","https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2","https://ubuntu.com/security/notices/USN-5080-1","https://ubuntu.com/security/notices/USN-5080-2"]},{"VulnerabilityID":"CVE-2020-28928","PkgName":"musl","InstalledVersion":"1.2.2-r1","FixedVersion":"1.2.2_pre2-r0","Description":"In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).","Severity":"MEDIUM","References":["http://www.openwall.com/lists/oss-security/2020/11/20/4","https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1@%3Cnotifications.apisix.apache.org%3E","https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e@%3Cnotifications.apisix.apache.org%3E","https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2@%3Cnotifications.apisix.apache.org%3E","https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/","https://musl.libc.org/releases.html"]},{"VulnerabilityID":"CVE-2021-3580","PkgName":"nettle","InstalledVersion":"3.7.2-r0","FixedVersion":"3.7.3-r0","Title":"nettle: Remote crash in RSA decryption via manipulated ciphertext","Description":"A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.","Severity":"HIGH","References":["https://bugzilla.redhat.com/show_bug.cgi?id=1967983","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3580","https://lists.debian.org/debian-lts-announce/2021/09/msg00008.html","https://ubuntu.com/security/notices/USN-4990-1"]}]}

reports/curl-f.json

@@ -0,0 +1 @@
+{"Target":"gcr.io/cloud-builders/curl (ubuntu 16.04)","Vulnerabilities":[{"VulnerabilityID":"CVE-2021-3601","PkgName":"libssl1.0.0","InstalledVersion":"1.0.2g-1ubuntu4.20","Title":"openssl: Certificate with CA:FALSE is accepted as valid CA cert","Description":"A flaw was found in the way OpenSSL will accept a certificate with explicitly set Basic Constraints to CA:FALSE as a valid CA if it is present in the trusted bundle. This flaw allows an attacker with access to a private key, of which the corresponding certificate is in the trust bundle, to use this flaw for MITM to any connection from the victim machine.","Severity":"LOW","References":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3601"]},{"VulnerabilityID":"CVE-2021-3601","PkgName":"openssl","InstalledVersion":"1.0.2g-1ubuntu4.20","Title":"openssl: Certificate with CA:FALSE is accepted as valid CA cert","Description":"A flaw was found in the way OpenSSL will accept a certificate with explicitly set Basic Constraints to CA:FALSE as a valid CA if it is present in the trusted bundle. This flaw allows an attacker with access to a private key, of which the corresponding certificate is in the trust bundle, to use this flaw for MITM to any connection from the victim machine.","Severity":"LOW","References":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3601"]}]}