False positives on Alpine (GNU vs Busybox) #112
Comments
@AkihiroSuda Thank you for reporting the issue. At least, in the case of Trivy, this detection is intended. This is one of several differences with Clair. As I said in https://github.com/knqyf263/trivy/issues/74#issuecomment-502366727, Trivy detects the vulnerabilities of packages which are statically linked and removed in that layer. These packages are invisible in the final layer. In the case of After building, these packages are removed in the same layer, so we can't see them in the final layer. ( The
When we install
Therefore, in this image, GNU patch should be used, I think. I think there are two types of packages to be deleted in Dockerfile.
I think No.1 should be detected, while I wonder whether No.2 should be detected. In addition, if those packages are used in a base image, we have no way to fix them. However, it is true that vulnerable packages are used when building. Currently, I think it is important that users know vulnerabilities even if those packages are used only when building, so Trivy detects them. As it is also true that this behavior is confusing many users, I may have to add the display to understand easily and the option to ignore these vulnerabilities.
Thanks for explanation!
I added new issue.
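An added illustration of the situation the maintainer describes above (example code written for this page, not Trivy's own implementation): build dependencies such as GNU patch that are installed and deleted within the same RUN step never exist in the final filesystem, yet the image's RUN history still records them. The script walks a constructed image history (the sample lines, the `.build-deps` virtual package and the helper names are all constructed) and separates such transient packages from those still installed in the final layer.

```python
import re
import shlex
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of an image's history "created_by" entries (not taken from
# nginx:1.17.2-alpine): build deps, including patch, are added and deleted in one RUN.
SAMPLE_HISTORY = [
    "/bin/sh -c #(nop) ADD file:alpine-rootfs in /",
    "/bin/sh -c apk add --no-cache --virtual .build-deps gcc libc-dev patch"
    " && ./configure && make install && apk del .build-deps",
    "/bin/sh -c apk add --no-cache curl",
]

def _commands(created_by: str) -> List[List[str]]:
    """Split one RUN line into argv lists, dropping the '/bin/sh -c' prefix."""
    cmd = created_by.split("/bin/sh -c", 1)[-1].strip()
    return [shlex.split(p) for p in re.split(r"\s*(?:&&|\|\||;)\s*", cmd) if p.strip()]

def _parse_apk(argv: List[str]) -> Tuple[str, Optional[str], List[str]]:
    """Return (subcommand, --virtual name if any, positional package args)."""
    sub, virtual, pkgs, i = argv[1], None, [], 2
    while i < len(argv):
        if argv[i] in ("--virtual", "-t") and i + 1 < len(argv):
            virtual, i = argv[i + 1], i + 2
            continue
        if not argv[i].startswith("-"):
            pkgs.append(argv[i])
        i += 1
    return sub, virtual, pkgs

def apk_package_timeline(history: List[str]) -> Dict[str, Set[str]]:
    """'final': packages still installed in the last layer; 'transient': packages
    added and deleted inside a single RUN step, so absent from the final filesystem."""
    installed: Set[str] = set()
    transient: Set[str] = set()
    for created_by in history:
        if "#(nop)" in created_by:
            continue  # metadata-only instruction (ADD/ENV/CMD), no apk activity
        added_here: Set[str] = set()
        virtual: Dict[str, Set[str]] = {}
        for argv in _commands(created_by):
            if len(argv) < 2 or argv[0] != "apk":
                continue
            sub, vname, pkgs = _parse_apk(argv)
            if sub == "add":
                installed |= set(pkgs)
                added_here |= set(pkgs)
                if vname:
                    virtual[vname] = set(pkgs)
            elif sub == "del":
                for name in pkgs:
                    removed = virtual.get(name, {name})
                    transient |= removed & added_here
                    installed -= removed
    return {"final": installed, "transient": transient}
```

Packages in the `transient` set are exactly the ones a scan of the final filesystem cannot see, which is why a history-aware scanner and a filesystem-only scanner disagree on images like this.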
* test(integration): move to the test directory
* chore: update fixtures path
* test: put common test images under the test directory
* chore(Makefile): rename
* feat: support local filesystem and remote git repository [PART 1] (#109)
* feat(walker): add tar/fs walker
* fs_test: Add test names
  Signed-off-by: Simarpreet Singh <simar@linux.com>
* walk_test: Add Test_isIgnored
  Signed-off-by: Simarpreet Singh <simar@linux.com>
* feat: support local filesystem and remote git repository [PART 2] (#110)
* refactor(analyzer): merge OSAnalyzer, PkgAnalyze, LibAnalyzer into Analyzer
* test: comment out temporarily
* fix(amazon): check the length
* fix(analyzer): make AnalysisResult a reference
* library/analyzer: Refactor library analyzer code.
  Signed-off-by: Simarpreet Singh <simar@linux.com>
* feat: support local filesystem and remote git repository [PART 3] (#111)
* refactor(image): move directory
* feat(applier): add applier
* fix(apk): replace extractor with applier
* test: comment out temporarily
* feat: support local filesystem and remote git repository [PART 4] (#112)
* feat(artifact): add image, local and remote artifact
* image_test: Rename test field to use new convention
  Signed-off-by: Simarpreet Singh <simar@linux.com>
* image_test: Add a test for put artifact failure
  Signed-off-by: Simarpreet Singh <simar@linux.com>
* refactor(remote): remove unnecessary files for unit test
* feat: support local filesystem and remote git repository [PART 5] (#113)
* test(integration): fix tests
* feat: support local filesystem and remote git repository [PART 6] (#114)
* feat(main): add sub commands
* refactor(types): remove unused type
* chore(mod): update
* test(artifact): add mock
* fix(analyzer): redhat must be replaced with oracle
* fix(analyzer): debian must be replaced with ubuntu
* fix(fs): display dir when hostname is empty
  Co-authored-by: Simarpreet Singh <simar@linux.com>
  Co-authored-by: Simarpreet Singh <simar@linux.com>
* fix: make AnalysisResult a reference
  Co-authored-by: Simarpreet Singh <simar@linux.com>
* refactor(walker): fix comment
  Co-authored-by: Simarpreet Singh <simar@linux.com>
  Co-authored-by: Simarpreet Singh <simar@linux.com>
  Co-authored-by: Simarpreet Singh <simar@linux.com>
Description

trivy nginx:1.17.2-alpine

reports that the image has GNU patch's vulns (CVE-2019-13638, CVE-2018-1000156), but the actual image doesn't seem to contain GNU patch.

What did you expect to happen?

GNU patch's vulns should not be reported

What happened instead?

GNU patch's vulns were reported

Output of run with -debug:

Output of trivy -v:

Additional details (base image name, container registry info...):

Clair doesn't produce these false positives