CVE-2022-29526 #7

@4x0v7

I am building a minimal base image FROM cgr.dev/chainguard/static:latest

I download the latest preflight binary and copy it into the container.
When I scanned my build container I saw one CVE reported by Trivy

I don't know too much about golang, but maybe the dependencies just need an update to pull in the fixed package?

Scanned with aquasec/trivy:0.34.0

cgpf:latest (alpine 3.16)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/bin/preflight (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬───────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │         Installed Version          │           Fixed Version           │                     Title                     │
├──────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼───────────────────────────────────────────────┤
│ golang.org/x/sys │ CVE-2022-29526 │ MEDIUM   │ v0.0.0-20210228012217-479acdf4ea46 │ 0.0.0-20220412211240-33da011f77ad │ golang: syscall: faccessat checks wrong group │
│                  │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-29526    │
└──────────────────┴────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴───────────────────────────────────────────────┘

Here is the Dockerfile I am creating

# Stage 1: fetch the preflight release tarball and verify it against the published checksums
FROM cgr.dev/chainguard/alpine-base:latest AS preflight_builder
ARG PREFLIGHT_VERSION=1.1.4
ADD https://github.com/SpectralOps/preflight/releases/download/v${PREFLIGHT_VERSION}/preflight_${PREFLIGHT_VERSION}_Linux_x86_64.tar.gz /tools/
ADD https://github.com/SpectralOps/preflight/releases/download/v${PREFLIGHT_VERSION}/checksums.txt /tools/
WORKDIR /tools
# Keep only the checksum line for this tarball and let sha256sum verify it; a mismatch fails the build
RUN grep preflight_${PREFLIGHT_VERSION}_Linux_x86_64.tar.gz checksums.txt | sha256sum -c -
# Extract just the preflight binary into /usr/bin (-C goes before the member name)
RUN tar -xzf preflight_${PREFLIGHT_VERSION}_Linux_x86_64.tar.gz -C /usr/bin preflight
RUN preflight version

# Stage 2: copy only the verified binary into the distroless static base
FROM cgr.dev/chainguard/static:latest
COPY --from=preflight_builder /usr/bin/preflight /usr/bin/
ENTRYPOINT [ "/usr/bin/preflight" ]
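Trivy's gobinary scanner takes the versions in the table above from the module list that the Go toolchain embeds in every binary it builds. The program below is an added example, not code from preflight or Trivy: it reads that list with the standard library's debug/buildinfo and classifies the golang.org/x/sys version against the fixed pseudo-version from the table, handling Trivy's "v"-less spelling and pre-release pseudo-version forms. The names xsysVerdict and pseudoTimestamp are my own.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
)

// Module and fixed pseudo-version for CVE-2022-29526, taken from the Trivy table above.
const xsysModule, xsysFixed = "golang.org/x/sys", "v0.0.0-20220412211240-33da011f77ad"

// Pseudo-versions embed a YYYYMMDDHHMMSS commit timestamp before the short hash, so they
// order by that timestamp alone; the leading "v" is optional to accept Trivy's spelling.
var pseudoRe = regexp.MustCompile(`^v?\d+\.\d+\.\d+-(?:.*\.)?(\d{14})-[0-9a-f]{12}$`)

func pseudoTimestamp(v string) (string, bool) {
	m := pseudoRe.FindStringSubmatch(v)
	if m == nil {
		return "", false
	}
	return m[1], true
}

// xsysVerdict classifies one x/sys version string as "vulnerable", "fixed" or "unknown".
func xsysVerdict(ver string) string {
	want, _ := pseudoTimestamp(xsysFixed)
	got, ok := pseudoTimestamp(ver)
	if !ok { // e.g. "(devel)" or a tagged release such as v0.1.0: judge by hand
		return "unknown"
	}
	if got < want {
		return "vulnerable"
	}
	return "fixed"
}

func main() { // reads the same embedded build info that Trivy's gobinary scanner parses
	bi, err := buildinfo.ReadFile(os.Args[1]) // e.g. /usr/bin/preflight
	if err != nil {
		panic(err)
	}
	for _, d := range bi.Deps {
		if d.Path == xsysModule {
			fmt.Println(d.Path, d.Version, xsysVerdict(d.Version)) // e.g. "... vulnerable"
		}
	}
}
```

The same embedded list can be printed by hand with `go version -m /usr/bin/preflight`.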
