This repository has been archived by the owner on Apr 24, 2024. It is now read-only.

Trivy scans are reporting issues in gosu #46

Closed
dermot-hardy opened this issue Sep 2, 2022 · 3 comments · Fixed by #51 or #60
Comments

@dermot-hardy
Member

dermot-hardy commented Sep 2, 2022

The base image includes the latest 1.14 version of gosu, but Trivy is reporting a number of issues against it:

usr/local/bin/gosu (gobinary)
=============================
Total: 5 (UNKNOWN: 1, LOW: 0, MEDIUM: 3, HIGH: 1, CRITICAL: 0)

┌────────────────────────────────┬─────────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │    Vulnerability    │ Severity │         Installed Version          │           Fixed Version           │                            Title                             │
├────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/opencontainers/runc │ CVE-2022-29162      │ HIGH     │ v1.0.1                             │ v1.1.2                            │ runc: incorrect handling of inheritable capabilities         │
│                                │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-29162                   │
│                                ├─────────────────────┼──────────┤                                    ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2021-43784      │ MEDIUM   │                                    │ 1.1.0                             │ runc: integer overflow in netlink bytemsg length field       │
│                                │                     │          │                                    │                                   │ allows attacker to override...                               │
│                                │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-43784                   │
│                                ├─────────────────────┤          │                                    ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2022-24769      │          │                                    │ v1.1.2                            │ moby: Default inheritable capabilities for linux container   │
│                                │                     │          │                                    │                                   │ should be empty                                              │
│                                │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-24769                   │
│                                ├─────────────────────┼──────────┤                                    ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ GHSA-v95c-p5hm-xq8f │ UNKNOWN  │                                    │ 1.1.0                             │ An attacker with partial control over the bind mount sources │
│                                │                     │          │                                    │                                   │ of a...                                                      │
│                                │                     │          │                                    │                                   │ https://github.com/advisories/GHSA-v95c-p5hm-xq8f            │
├────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/sys               │ CVE-2022-29526      │ MEDIUM   │ v0.0.0-20210817142637-7d9622a276b7 │ 0.0.0-20220412211240-33da011f77ad │ golang: syscall: faccessat checks wrong group                │
│                                │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-29526                   │
└────────────────────────────────┴─────────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴──────────────────────────────────────────────────────────────┘

It is clear from tianon/gosu#104 that 4 of the 5 (i.e. CVE-2022-29162, CVE-2021-43784, GHSA-v95c-p5hm-xq8f, and CVE-2022-29526) are false positives. CVE-2022-24769 is less clear to me.

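As an added example (not code from this repository, from gosu or from Trivy), this is the triage step a practitioner would want after a report like the one above: keep the four findings the thread accepts as false positives out of the scan result, but only with a recorded reason, a reference and an expiry date, and leave CVE-2022-24769 visible because the thread does not resolve it. It assumes Trivy's JSON output field names (Results, Target, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity) and the plain `.trivyignore` format of one vulnerability ID per line with `#` comments; the report dict is constructed from the table, and the expiry dates and allowlist wording are invented for the example.

```python
import json

# Constructed sample, reduced to the five findings in the table above. Field
# names follow Trivy's JSON output (Results[].Vulnerabilities[].VulnerabilityID
# and friends); the values are copied from the table, not from a fresh scan.
RUNC = "github.com/opencontainers/runc"
SAMPLE_REPORT = {"Results": [{"Target": "usr/local/bin/gosu", "Type": "gobinary", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2022-29162", "PkgName": RUNC, "InstalledVersion": "v1.0.1",
     "FixedVersion": "v1.1.2", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-2021-43784", "PkgName": RUNC, "InstalledVersion": "v1.0.1",
     "FixedVersion": "1.1.0", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-2022-24769", "PkgName": RUNC, "InstalledVersion": "v1.0.1",
     "FixedVersion": "v1.1.2", "Severity": "MEDIUM"},
    {"VulnerabilityID": "GHSA-v95c-p5hm-xq8f", "PkgName": RUNC, "InstalledVersion": "v1.0.1",
     "FixedVersion": "1.1.0", "Severity": "UNKNOWN"},
    {"VulnerabilityID": "CVE-2022-29526", "PkgName": "golang.org/x/sys",
     "InstalledVersion": "v0.0.0-20210817142637-7d9622a276b7",
     "FixedVersion": "0.0.0-20220412211240-33da011f77ad", "Severity": "MEDIUM"},
]}]}

# Accepted false positives: the four findings the issue says tianon/gosu#104
# explains away. Every entry carries a reason, a reference and an expiry
# (ISO-8601 strings compare correctly as plain strings) so the suppression is
# auditable and gets re-reviewed instead of living forever. The expiry dates
# are invented for this example. CVE-2022-24769 is deliberately absent because
# the thread leaves it unresolved.
REF = "https://github.com/tianon/gosu/issues/104"
ALLOWLIST = [
    {"id": "CVE-2022-29162", "reason": "false positive per tianon/gosu#104", "ref": REF, "expires": "2023-03-01"},
    {"id": "CVE-2021-43784", "reason": "false positive per tianon/gosu#104", "ref": REF, "expires": "2023-03-01"},
    {"id": "GHSA-v95c-p5hm-xq8f", "reason": "false positive per tianon/gosu#104", "ref": REF, "expires": "2023-03-01"},
    {"id": "CVE-2022-29526", "reason": "false positive per tianon/gosu#104", "ref": REF, "expires": "2023-03-01"},
]


def triage(report, allowlist, today):
    """Split a Trivy report into (suppressed, remaining) findings.

    A finding is suppressed only if an allowlist entry exists for its ID and
    that entry has not expired on `today` (ISO date string). Expired entries
    fall through, so the finding resurfaces and forces a fresh review.
    """
    accepted = {entry["id"]: entry for entry in allowlist}
    suppressed, remaining = [], []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            finding = {
                "target": result.get("Target"),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln.get("PkgName"),
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion"),
                "severity": vuln.get("Severity", "UNKNOWN"),
            }
            entry = accepted.get(finding["id"])
            if entry is not None and entry["expires"] >= today:
                finding["reason"] = entry["reason"]
                suppressed.append(finding)
            else:
                remaining.append(finding)
    return suppressed, remaining


def render_trivyignore(allowlist, today):
    """Emit .trivyignore text (one ID per line, '#' comments) for unexpired entries only."""
    lines = ["# Generated from the triage allowlist; regenerate it rather than editing by hand."]
    for entry in sorted(allowlist, key=lambda e: e["id"]):
        if entry["expires"] < today:
            continue
        lines.append(f"# {entry['reason']} ({entry['ref']}); re-review by {entry['expires']}")
        lines.append(entry["id"])
    return "\n".join(lines) + "\n"


def gate(report, allowlist, today, fail_on=("HIGH", "CRITICAL")):
    """CI policy: pass only if nothing outside the allowlist reaches a failing severity."""
    _, remaining = triage(report, allowlist, today)
    return not any(f["severity"] in fail_on for f in remaining)


if __name__ == "__main__":
    scan_day = "2022-09-02"
    suppressed, remaining = triage(SAMPLE_REPORT, ALLOWLIST, scan_day)
    print(json.dumps({"suppressed": suppressed, "remaining": remaining}, indent=2))
    print(render_trivyignore(ALLOWLIST, scan_day))
    print("gate passes:", gate(SAMPLE_REPORT, ALLOWLIST, scan_day))
```

In practice the report dict comes from `trivy image --format json -o report.json <image>` loaded with `json.load`, and the generated `.trivyignore` is committed next to the Dockerfile so the suppression and its reasoning are reviewed with the code. The expiry is the point of the exercise: once it passes, the HIGH runc finding reappears and the gate fails until someone either re-confirms the false positive or upgrades gosu.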
@hoshposh

Just wanted to do a nudge on this. The latest release of gosu is 1.16 and they continue to fix runc vulnerabilities.

@dermot-hardy dermot-hardy self-assigned this Apr 25, 2023
@michael-bryson
Member

Octane ticket #688001 created to update Gosu to the latest.

@dermot-hardy
Member Author

Re-opening this because the upgrade has helped but there are still issues.

@dermot-hardy dermot-hardy linked a pull request Nov 9, 2023 that will close this issue
4 participants