Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
name: Trivy_Scan | ||
|
||
on: | ||
push: | ||
branches: | ||
- release/* | ||
schedule: | ||
- cron: "0 */4 * * *" | ||
|
||
jobs: | ||
build: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v1 | ||
- name: Run trivy scan | ||
run: | | ||
sh trivy_scan.sh | ||
- name: Push to master | ||
uses: tcitry/push-to-master@v1.0 | ||
with: | ||
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} | ||
- name: Upload artifact | ||
uses: actions/upload-artifact@v1.0.0 | ||
with: | ||
# Artifact name | ||
name: "Trivy_reports" | ||
# Directory containing files to upload | ||
path: "reports" |
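Review bot: the `Push to master` step hands a personal access token (`secrets.GH_TOKEN`) to a third-party action referenced only by a mutable tag (`tcitry/push-to-master@v1.0`), so whoever can move that tag can run code with the token; pin every action to a full commit SHA (this also applies to `actions/checkout@v1` and `actions/upload-artifact@v1.0.0`) and scope `GH_TOKEN` to this repository with the minimum permissions needed to push. The token is also passed twice, under `with:` and again under `env:`; one is enough. The `Run trivy scan` step executes `sh trivy_scan.sh`, which is not part of this diff, so a comment pointing at that script (and the Trivy version it pins) would help reviewers of the workflow.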
@@ -0,0 +1,2 @@ | ||
# Introduction | ||
This repo contains [Trivy](https://github.com/aquasecurity/trivy/) scan reports for some popular docker hub and gcr images. The exact list can be found in this [file](https://github.com/AppThreat/hub_scan/blob/master/image-list.txt). Using a GitHub [action](https://github.com/AppThreat/hub_scan/blob/master/.github/workflows/trivy_scan.yml), scans are performed periodically and the reports get updated in the master branch automatically. |
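Review bot: the README does not say how often the scans run or how the reports should be read; the workflow's cron (`0 */4 * * *`) fires every four hours, and each report reflects the image as pulled at that moment rather than the current tag, so a sentence stating the schedule, the Trivy version and options used, and that findings are point-in-time would keep readers from treating the JSON as live results.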
@@ -0,0 +1,6 @@ | ||
steps: | ||
- name: gcr.io/cloud-builders/gsutil | ||
args: ['-m', 'cp', 'reports/*.json', 'gs://hub_reports/'] | ||
- name: gcr.io/$PROJECT_ID/bq | ||
args: ['load', '--replace', '--ignore_unknown_values', '--autodetect', '--source_format=NEWLINE_DELIMITED_JSON', 'hub_reports.hub_reports', 'gs://hub_reports/full-report.json'] | ||
timeout: 1200s |
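Review bot: `--replace` on the `bq load` step overwrites `hub_reports.hub_reports` on every run, so no history of earlier scans survives in BigQuery; if trends across runs matter, load into a date-partitioned table or one table per run instead. `--autodetect` combined with `--ignore_unknown_values` also means that a field Trivy adds or renames later is silently dropped rather than surfaced as a load error. The gsutil step copies all of `reports/*.json`, but the load reads only `gs://hub_reports/full-report.json`; a comment saying where that aggregate file is produced would make the pipeline easier to follow.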
@@ -0,0 +1,65 @@ | ||
ubuntu | ||
busybox | ||
alpine | ||
centos | ||
debian | ||
amazonlinux | ||
golang | ||
openjdk | ||
ruby | ||
php | ||
python | ||
node | ||
java | ||
bash | ||
perl | ||
groovy | ||
jruby | ||
pypy | ||
elixir | ||
erlang | ||
haxe | ||
swift | ||
clojure | ||
consul | ||
maven | ||
sonarqube | ||
jenkins | ||
mysql | ||
postgres | ||
traefik | ||
redis | ||
mongo | ||
registry | ||
httpd | ||
wordpress | ||
elasticsearch | ||
ghost | ||
solr | ||
joomla | ||
redmine | ||
notary | ||
splunk-enterprise | ||
filebeat | ||
metricbeat | ||
apm-server | ||
packetbeat | ||
auditbeat | ||
splunk-universal-forwarder | ||
appdynamics | ||
heartbeat | ||
gcr.io/cloud-builders/gcloud | ||
gcr.io/cloud-builders/docker | ||
gcr.io/cloud-builders/git | ||
gcr.io/cloud-builders/go | ||
gcr.io/cloud-builders/gradle | ||
gcr.io/cloud-builders/mvn | ||
gcr.io/cloud-builders/kubectl | ||
gcr.io/cloud-builders/npm | ||
gcr.io/cloud-builders/curl | ||
gcr.io/cloud-builders/dotnet | ||
gcr.io/cloud-builders/git | ||
gcr.io/cloud-builders/gsutil | ||
gcr.io/cloud-builders/javac | ||
gcr.io/cloud-builders/wget | ||
gcr.io/cloud-builders/yarn |
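Review bot: `gcr.io/cloud-builders/git` appears twice in the list (once in the first block of gcr entries and again near the end), so it is pulled and scanned twice per run; drop one. None of the entries carries a tag or digest, so each scan resolves whatever `latest` is at that moment and two reports for the same name may describe different images; recording the resolved digest in the report, or pinning tags where the comparison matters, would make the results reproducible.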
@@ -0,0 +1 @@ | ||
{"Target":"alpine (alpine 3.14.2)","Vulnerabilities":[{"VulnerabilityID":"CVE-2020-28928","PkgName":"musl","InstalledVersion":"1.2.2-r3","FixedVersion":"1.2.2_pre2-r0","Description":"In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).","Severity":"MEDIUM","References":["http://www.openwall.com/lists/oss-security/2020/11/20/4","https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1@%3Cnotifications.apisix.apache.org%3E","https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e@%3Cnotifications.apisix.apache.org%3E","https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2@%3Cnotifications.apisix.apache.org%3E","https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/","https://musl.libc.org/releases.html"]}]} |
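Review bot: the single finding here looks like a false positive from version comparison: the installed musl is `1.2.2-r3` while the listed `FixedVersion` is `1.2.2_pre2-r0`, which sorts below it in Alpine's ordering (a `_pre` suffix precedes the release), and the description itself says only musl through 1.2.1 is affected. If it keeps recurring, documenting it in the README or a `.trivyignore` would stop consumers of these reports from alarming on it. The report is also written as one unbroken JSON line, so later diffs will show the whole file as changed; pretty-printing the output would make per-CVE changes reviewable.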
@@ -0,0 +1 @@ | ||
{"Target":"bash (alpine 3.14.2)","Vulnerabilities":[{"VulnerabilityID":"CVE-2021-33560","PkgName":"libgcrypt","InstalledVersion":"1.9.3-r0","FixedVersion":"1.9.4-r0","Title":"libgcrypt: mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm","Description":"Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.","Severity":"HIGH","References":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33560","https://dev.gnupg.org/T5305","https://dev.gnupg.org/T5328","https://dev.gnupg.org/T5466","https://dev.gnupg.org/rCe8b7f10be275bcedb5fc05ed4837a89bfd605c61","https://eprint.iacr.org/2021/923","https://lists.debian.org/debian-lts-announce/2021/06/msg00021.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BKKTOIGFW2SGN3DO2UHHVZ7MJSYN4AAB/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7OAPCUGPF3VLA7QAJUQSL255D4ITVTL/","https://ubuntu.com/security/notices/USN-5080-1","https://ubuntu.com/security/notices/USN-5080-2"]},{"VulnerabilityID":"CVE-2020-28928","PkgName":"musl","InstalledVersion":"1.2.2-r3","FixedVersion":"1.2.2_pre2-r0","Description":"In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer 
overflow).","Severity":"MEDIUM","References":["http://www.openwall.com/lists/oss-security/2020/11/20/4","https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1@%3Cnotifications.apisix.apache.org%3E","https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e@%3Cnotifications.apisix.apache.org%3E","https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2@%3Cnotifications.apisix.apache.org%3E","https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/","https://musl.libc.org/releases.html"]},{"VulnerabilityID":"CVE-2021-3580","PkgName":"nettle","InstalledVersion":"3.7.2-r0","FixedVersion":"3.7.3-r0","Title":"nettle: Remote crash in RSA decryption via manipulated ciphertext","Description":"A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.","Severity":"HIGH","References":["https://bugzilla.redhat.com/show_bug.cgi?id=1967983","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3580","https://lists.debian.org/debian-lts-announce/2021/09/msg00008.html","https://ubuntu.com/security/notices/USN-4990-1"]}]} |
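Review bot: both HIGH findings in this report carry a `FixedVersion` (libgcrypt CVE-2021-33560 fixed in `1.9.4-r0`, nettle CVE-2021-3580 fixed in `3.7.3-r0`), so an `apk upgrade` in the image would clear them; the BigQuery load would be more useful with a derived "fixable" flag so findings like these can be separated from ones with no fix available. The musl entry repeats the inverted ordering where the installed `1.2.2-r3` is newer than the listed fix `1.2.2_pre2-r0`, and unlike the other entries it has no `Title` field, which a consumer of the JSON should not assume is always present.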
@@ -0,0 +1 @@ | ||
{"Target":"consul (alpine 3.13.6)","Vulnerabilities":[{"VulnerabilityID":"CVE-2021-22945","PkgName":"curl","InstalledVersion":"7.78.0-r0","FixedVersion":"7.79.0-r0","Title":"curl: use-after-free and double-free in MQTT sending","Description":"When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*.","Severity":"HIGH","References":["https://curl.se/docs/CVE-2021-22945.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22945","https://hackerone.com/reports/1269242","https://ubuntu.com/security/notices/USN-5079-1"]},{"VulnerabilityID":"CVE-2021-22946","PkgName":"curl","InstalledVersion":"7.78.0-r0","FixedVersion":"7.79.0-r0","Title":"curl: protocol downgrade required TLS bypassed","Description":"A flaw was found in curl. This flaw lies in the --ssl-reqd option or related settings in libcurl. Users specify this flag to upgrade to TLS when communicating with either IMAP, POP3 or a FTP server. An attacker controlling such servers could return a crafted response which could lead to curl client continue its operation without TLS encryption leading to data being transmitted in clear text over the network. The highest threat from this vulnerability is to data confidentiality.","Severity":"MEDIUM","References":["https://curl.se/docs/CVE-2021-22946.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22946","https://ubuntu.com/security/notices/USN-5079-1","https://ubuntu.com/security/notices/USN-5079-2"]},{"VulnerabilityID":"CVE-2021-22947","PkgName":"curl","InstalledVersion":"7.78.0-r0","FixedVersion":"7.79.0-r0","Title":"curl: STARTTLS protocol injection via MITM","Description":"A flaw was found in curl. The flaw lies in how curl handles cached or pipelined responses that it receives from either a IMAP, POP3, SMTP or FTP server before the TLS upgrade using STARTTLS. 
In such a scenario curl even after upgrading to TLS would trust these cached responses treating them as valid and authenticated and use them. An attacker could potentially use this flaw to carry out a Man-In-The-Middle attack. The highest threat from this vulnerability is to data confidentiality.","Severity":"MEDIUM","References":["https://curl.se/docs/CVE-2021-22947.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22947","https://launchpad.net/bugs/1944120 (regression bug)","https://ubuntu.com/security/notices/USN-5079-1","https://ubuntu.com/security/notices/USN-5079-2","https://ubuntu.com/security/notices/USN-5079-3","https://ubuntu.com/security/notices/USN-5079-4"]},{"VulnerabilityID":"CVE-2016-4074","PkgName":"jq","InstalledVersion":"1.6-r1","FixedVersion":"1.6_rc1-r0","Title":"jq: stack exhaustion via jv_dump_term() function","Description":"The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted JSON file. 
This issue has been fixed in jg 1.6_rc1-r0.","Severity":"HIGH","References":["http://www.openwall.com/lists/oss-security/2016/04/24/3","http://www.openwall.com/lists/oss-security/2016/04/24/4","https://github.com/NixOS/nixpkgs/pull/18908","https://github.com/hashicorp/consul/issues/10263","https://github.com/stedolan/jq/","https://github.com/stedolan/jq/issues/1136"]},{"VulnerabilityID":"CVE-2021-40528","PkgName":"libgcrypt","InstalledVersion":"1.8.8-r0","FixedVersion":"1.8.8-r1","Title":"libgcrypt: ElGamal implementation allows plaintext recovery","Description":"The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.","Severity":"MEDIUM","References":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40528","https://eprint.iacr.org/2021/923","https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1","https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2","https://ubuntu.com/security/notices/USN-5080-1","https://ubuntu.com/security/notices/USN-5080-2"]},{"VulnerabilityID":"CVE-2020-28928","PkgName":"musl","InstalledVersion":"1.2.2-r1","FixedVersion":"1.2.2_pre2-r0","Description":"In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer 
overflow).","Severity":"MEDIUM","References":["http://www.openwall.com/lists/oss-security/2020/11/20/4","https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1@%3Cnotifications.apisix.apache.org%3E","https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e@%3Cnotifications.apisix.apache.org%3E","https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2@%3Cnotifications.apisix.apache.org%3E","https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/","https://musl.libc.org/releases.html"]},{"VulnerabilityID":"CVE-2021-3580","PkgName":"nettle","InstalledVersion":"3.7.2-r0","FixedVersion":"3.7.3-r0","Title":"nettle: Remote crash in RSA decryption via manipulated ciphertext","Description":"A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.","Severity":"HIGH","References":["https://bugzilla.redhat.com/show_bug.cgi?id=1967983","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3580","https://lists.debian.org/debian-lts-announce/2021/09/msg00008.html","https://ubuntu.com/security/notices/USN-4990-1"]}]} |
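Review bot: the jq finding (CVE-2016-4074, rated HIGH) shows an installed `1.6-r1` that is newer than the listed fix `1.6_rc1-r0`, and the description says jq 1.5 is the affected release, so it is most likely the same version-ordering false positive seen for musl (`1.2.2-r1` installed, `1.2.2_pre2-r0` listed as fixed); the linked hashicorp/consul issue in its references suggests the image maintainers have already seen this. The three curl findings are genuine and all resolve with `7.79.0-r0`, and the libgcrypt entry with `1.8.8-r1` as the fix is likewise actionable; separating "fixable" from "version-comparison noise" in the loaded data would make this report far more useful to consumers.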
@@ -0,0 +1 @@ | ||
{"Target":"gcr.io/cloud-builders/curl (ubuntu 16.04)","Vulnerabilities":[{"VulnerabilityID":"CVE-2021-3601","PkgName":"libssl1.0.0","InstalledVersion":"1.0.2g-1ubuntu4.20","Title":"openssl: Certificate with CA:FALSE is accepted as valid CA cert","Description":"A flaw was found in the way OpenSSL will accept a certificate with explicitly set Basic Constraints to CA:FALSE as a valid CA if it is present in the trusted bundle. This flaw allows an attacker with access to a private key, of which the corresponding certificate is in the trust bundle, to use this flaw for MITM to any connection from the victim machine.","Severity":"LOW","References":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3601"]},{"VulnerabilityID":"CVE-2021-3601","PkgName":"openssl","InstalledVersion":"1.0.2g-1ubuntu4.20","Title":"openssl: Certificate with CA:FALSE is accepted as valid CA cert","Description":"A flaw was found in the way OpenSSL will accept a certificate with explicitly set Basic Constraints to CA:FALSE as a valid CA if it is present in the trusted bundle. This flaw allows an attacker with access to a private key, of which the corresponding certificate is in the trust bundle, to use this flaw for MITM to any connection from the victim machine.","Severity":"LOW","References":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3601"]}]} |
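Review bot: the two entries are the same CVE-2021-3601 reported once per binary package built from the openssl source (`libssl1.0.0` and `openssl`), so counting rows overstates the exposure; dedupe on target, vulnerability ID and source package when loading into BigQuery. Neither entry has a `FixedVersion`, so nothing here is cleared by a package upgrade; the actionable signal is that this builder image is still on an ubuntu 16.04 base with an OpenSSL 1.0.2 series library.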