
[Mariner] trivy doesn't detect CVE-2023-5678 for package earlier than where the fix has been first introduced. #379

Closed
eric-desrochers opened this issue Feb 12, 2024 · 13 comments · Fixed by #382
Comments

@eric-desrochers

eric-desrochers commented Feb 12, 2024

Scanning an image with OpenSSL version 1.1.1k-27 (which is vulnerable) doesn't report it as such, although our OVAL file is correctly set.

Reproducer:

sudo docker run -ti mcr.microsoft.com/cbl-mariner/base/core:2.0.20231130 rpm -qa openssl
openssl-1.1.1k-27.cm2.x86_64
/usr/local/bin/trivy -v
Version: 0.49.0
sudo /usr/local/bin/trivy image  mcr.microsoft.com/cbl-mariner/base/core:2.0.20231130
2024-02-12T16:18:50.997-0500    INFO    Vulnerability scanning is enabled
2024-02-12T16:18:50.997-0500    INFO    Secret scanning is enabled
2024-02-12T16:18:50.997-0500    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-12T16:18:50.997-0500    INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-02-12T16:18:51.003-0500    INFO    Detected OS: cbl-mariner
2024-02-12T16:18:51.004-0500    INFO    Detecting CBL-Mariner vulnerabilities...
2024-02-12T16:18:51.005-0500    INFO    Number of language-specific files: 0

mcr.microsoft.com/cbl-mariner/base/core:2.0.20231130 (cbl-mariner 2.0.20231130)

Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 0, CRITICAL: 0)

┌─────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│   Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├─────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl        │ CVE-2023-46218 │ MEDIUM   │ fixed  │ 8.3.0-2.cm2       │ 8.5.0-1.cm2   │ curl: information disclosure by exploiting a mixed case flaw │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-46218                   │
│             ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│             │ CVE-2023-46219 │          │        │                   │               │ curl: excessively long file name may lead to unknown HSTS    │
│             │                │          │        │                   │               │ status                                                       │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-46219                   │
├─────────────┼────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│ curl-libs   │ CVE-2023-46218 │          │        │                   │               │ curl: information disclosure by exploiting a mixed case flaw │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-46218                   │
│             ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│             │ CVE-2023-46219 │          │        │                   │               │ curl: excessively long file name may lead to unknown HSTS    │
│             │                │          │        │                   │               │ status                                                       │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-46219                   │
├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ sqlite-libs │ CVE-2023-7104  │          │        │ 3.39.2-2.cm2      │ 3.39.2-3.cm2  │ sqlite: heap-buffer-overflow at sessionfuzz                  │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-7104                    │
└─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Our OVAL file:

    <definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:31880" version="1">
      <metadata>
        <title>CVE-2023-5678 affecting package openssl for versions less than 1.1.1k-28</title>
        <affected family="unix">
          <platform>CBL-Mariner</platform>
        </affected>
        <reference ref_id="CVE-2023-5678" ref_url="https://nvd.nist.gov/vuln/detail/CVE-2023-5678" source="CVE"/>
        <patchable>true</patchable>
        <advisory_id>31880-1</advisory_id>
        <severity>Medium</severity>
        <description>CVE-2023-5678 affecting package openssl for versions less than 1.1.1k-28. A patched version of the package is available.</description>
      </metadata>
      <criteria operator="AND">
       <criterion comment="Package openssl is earlier than 1.1.1k-28, affected by CVE-2023-5678" test_ref="oval:com.microsoft.cbl-mariner:tst:31880000"/>
      </criteria>
    </definition>

    <linux-def:rpminfo_state id="oval:com.microsoft.cbl-mariner:ste:31880002" version="0">
      <linux-def:evr datatype="evr_string" operation="less than">0:1.1.1k-28.cm2</linux-def:evr>
    </linux-def:rpminfo_state>
@DmitriyLewen
Contributor

DmitriyLewen commented Feb 13, 2024

Hello @eric-desrochers
Thanks for your report!

The Mariner database doesn't use OR for criteria. Instead, the database contains two definitions with the same CVE.
e.g. for your case:

    <definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:31880" version="1">
      <metadata>
        <title>CVE-2023-5678 affecting package openssl for versions less than 1.1.1k-28</title>
        <affected family="unix">
          <platform>CBL-Mariner</platform>
        </affected>
        <reference ref_id="CVE-2023-5678" ref_url="https://nvd.nist.gov/vuln/detail/CVE-2023-5678" source="CVE"/>
        <patchable>true</patchable>
        <advisory_id>31880-1</advisory_id>
        <severity>Medium</severity>
        <description>CVE-2023-5678 affecting package openssl for versions less than 1.1.1k-28. A patched version of the package is available.</description>
      </metadata>
      <criteria operator="AND">
        <criterion comment="Package openssl is earlier than 1.1.1k-28, affected by CVE-2023-5678" test_ref="oval:com.microsoft.cbl-mariner:tst:31880000"/>
      </criteria>
    </definition>
    <definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:31872" version="1">
      <metadata>
        <title>CVE-2023-5678 affecting package edk2 for versions less than 20230301gitf80f052277c8-38</title>
        <affected family="unix">
          <platform>CBL-Mariner</platform>
        </affected>
        <reference ref_id="CVE-2023-5678" ref_url="https://nvd.nist.gov/vuln/detail/CVE-2023-5678" source="CVE"/>
        <patchable>true</patchable>
        <advisory_id>31872-1</advisory_id>
        <severity>Medium</severity>
        <description>CVE-2023-5678 affecting package edk2 for versions less than 20230301gitf80f052277c8-38. A patched version of the package is available.</description>
      </metadata>
      <criteria operator="AND">
        <criterion comment="Package edk2 is earlier than 20230301gitf80f052277c8-38, affected by CVE-2023-5678" test_ref="oval:com.microsoft.cbl-mariner:tst:31872000"/>
      </criteria>
    </definition>

In this case, we overwrite advisories for the same CVEs.
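
An added example (not code from this issue, from trivy or from vuln-list-update) of the overwrite described above: the two definitions quoted here are parsed and indexed once by CVE alone and once by (CVE, package), with a simplified RPM version comparison so the openssl advisory can be checked against the 1.1.1k-27 install. Taking package and fixed version from the title text is an assumption made for brevity; the real feed links them through rpminfo_test and rpminfo_state elements.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two Mariner definitions quoted in the issue, trimmed to the
# elements read here (package and fixed version are taken from the title text).
OVAL_SAMPLE = """<oval_definitions>
<definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:31880" version="1">
  <metadata><title>CVE-2023-5678 affecting package openssl for versions less than 1.1.1k-28</title>
  <reference ref_id="CVE-2023-5678" source="CVE"/></metadata>
</definition>
<definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:31872" version="1">
  <metadata><title>CVE-2023-5678 affecting package edk2 for versions less than 20230301gitf80f052277c8-38</title>
  <reference ref_id="CVE-2023-5678" source="CVE"/></metadata>
</definition>
</oval_definitions>"""
TITLE_RE = re.compile(r"affecting package (\S+) for versions less than (\S+)")

def parse_advisories(xml_text):
    """Return (cve, package, fixed_version) for every definition, in document order."""
    out = []
    for d in ET.fromstring(xml_text).iter("definition"):
        cve = d.find("metadata/reference").get("ref_id")
        pkg, fixed = TITLE_RE.search(d.findtext("metadata/title")).groups()
        out.append((cve, pkg, fixed))
    return out

def index_by_cve(advisories):
    """Keyed by CVE alone: the later edk2 definition overwrites the openssl one."""
    return {cve: (pkg, fixed) for cve, pkg, fixed in advisories}

def index_by_cve_and_package(advisories):
    """Keyed by (CVE, package): both definitions survive."""
    return {(cve, pkg): fixed for cve, pkg, fixed in advisories}

def _vercmp(a, b):
    """Simplified rpmvercmp: compare alphanumeric segments, digits beating letters."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x != y:
            if x.isdigit() and y.isdigit():
                return (int(x) > int(y)) - (int(x) < int(y))
            return 1 if x.isdigit() else -1 if y.isdigit() else (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_affected(installed, fixed):
    """True when the installed 'version-release' sorts below the fixed one."""
    (iv, ir), (fv, fr) = installed.split("-", 1), fixed.split("-", 1)
    vc = _vercmp(iv, fv)
    return vc < 0 or (vc == 0 and _vercmp(ir, fr) < 0)
```

With the CVE-only index the lookup for CVE-2023-5678 returns only the edk2 entry, so an openssl 1.1.1k-27 package has nothing to match against; the (CVE, package) index keeps the openssl entry and `is_affected` flags it.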

@knqyf263
Collaborator

knqyf263 commented Feb 13, 2024

@eric-desrochers Other vendors have a list of affected packages and versions in criteria. Do you want to get aligned with others? Would you like us to fix it?

@DmitriyLewen Does the OVAL definition allow this case? I think it's allowed, but want to double-check it.

@eric-desrochers
Author

eric-desrochers commented Feb 13, 2024

@knqyf263 I am afraid we won't be able to change our OVAL structure (at least for now) to put all the affected packages under the same definition with multiple criteria using an OR method, as it may break the way we designed it with other scanning partners.

What are the options available to fix this situation?
Seems like you have drafted 2 PRs to fix it on your end. I would go with that option for now (if possible).

@DmitriyLewen
Contributor

@knqyf263 OVAL requires filling in an id - https://github.com/OVALProject/Language/blob/7fa7bba7b48f09decb732d00b2be032a487ff9fc/schemas/oval-definitions-schema.xsd#L213
But there is no information about the uniqueness of id.
So this case is allowed.

@eric-desrochers
Author

@DmitriyLewen @knqyf263 good day, what is the next course of action for this bug?

@knqyf263
Collaborator

You can watch this PR.
aquasecurity/vuln-list-update#271

@knqyf263
Collaborator

knqyf263 commented May 8, 2024

The product team confirmed this change. We'll merge the PR this month.

@eric-desrochers
Author

Thank you very much

@eric-desrochers
Author

What version of trivy will this fix be introduced into?

@knqyf263
Collaborator

knqyf263 commented May 9, 2024

Trivy DB has a different release cycle from Trivy. Once the PR gets merged, it will be distributed within 6 hours.

@DmitriyLewen
Contributor

trivy-db already contains CVE-2023-5678 for openssl and edk2:

@knqyf263
Collaborator

@eric-desrochers FYI ^

@eric-desrochers
Author

Thanks a bunch
