
False positives on Alpine (GNU vs Busybox) #112

Closed
AkihiroSuda opened this issue Aug 9, 2019 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments


AkihiroSuda commented Aug 9, 2019

Description

trivy nginx:1.17.2-alpine reports that the image has GNU patch's vulns (CVE-2019-13638, CVE-2018-1000156), but the actual image doesn't seem to contain GNU patch.

$ trivy nginx:1.17.2-alpine@sha256:482ead44b2203fa32b3390abdaf97cbdc8ad15c07fb03a3e68d7c35a19ad7595
2019-08-09T21:34:49.163+0900    INFO    Updating vulnerability database...
2019-08-09T21:34:51.605+0900    INFO    Detecting Alpine vulnerabilities...

nginx:1.17.2-alpine@sha256:482ead44b2203fa32b3390abdaf97cbdc8ad15c07fb03a3e68d7c35a19ad7595 (alpine 3.10.1)
===========================================================================================================
Total: 4 (UNKNOWN: 1, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 1)

+-----------+------------------+----------+-------------------+---------------+--------------------------------+
|  LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+-----------+------------------+----------+-------------------+---------------+--------------------------------+
| libgcrypt | CVE-2019-12904   | MEDIUM   | 1.8.4-r1          | 1.8.4-r2      | Libgcrypt: physical addresses  |
|           |                  |          |                   |               | being available to other       |
|           |                  |          |                   |               | processes leads to a           |
|           |                  |          |                   |               | flush-and-reload...            |
+-----------+------------------+----------+-------------------+---------------+--------------------------------+
| musl      | CVE-2019-14697   | UNKNOWN  | 1.1.22-r2         | 1.1.22-r3     | musl libc through 1.1.23       |
|           |                  |          |                   |               | has an x87 floating-point      |
|           |                  |          |                   |               | stack adjustment imbalance,    |
|           |                  |          |                   |               | related...                     |
+-----------+------------------+----------+-------------------+---------------+--------------------------------+
| patch     | CVE-2019-13638   | CRITICAL | 2.7.6-r5          | 2.7.6-r6      | patch: OS shell command        |
|           |                  |          |                   |               | injection when processing      |
|           |                  |          |                   |               | crafted patch files            |
+           +------------------+----------+                   +               +--------------------------------+
|           | CVE-2018-1000156 | MEDIUM   |                   |               | patch: Malicious patch files   |
|           |                  |          |                   |               | cause ed to execute arbitrary  |
|           |                  |          |                   |               | commands                       |
+-----------+------------------+----------+-------------------+---------------+--------------------------------+
$ docker run -it --rm nginx:1.17.2-alpine@sha256:482ead44b2203fa32b3390abdaf97cbdc8ad15c07fb03a3e68d7c35a19ad7595 sh
/ # apk info -v
WARNING: Ignoring APKINDEX.00740ba1.tar.gz: No such file or directory
WARNING: Ignoring APKINDEX.d8b2a6f4.tar.gz: No such file or directory
musl-1.1.22-r2
busybox-1.30.1-r2
alpine-baselayout-3.1.2-r0
alpine-keys-2.1-r2
libcrypto1.1-1.1.1c-r0
libssl1.1-1.1.1c-r0
ca-certificates-cacert-20190108-r0
libtls-standalone-2.9.1-r0
ssl_client-1.30.1-r2
zlib-1.2.11-r1
apk-tools-2.10.4-r2
scanelf-1.2.3-r0
musl-utils-1.1.22-r2
libc-utils-0.7.1-r0
pcre-8.43-r0
nginx-1.17.2-r1
geoip-1.6.12-r1
nginx-module-geoip-1.17.2-r1
libbz2-1.0.6-r7
libpng-1.6.37-r1
freetype-2.10.0-r0
libjpeg-turbo-2.0.2-r0
libwebp-1.0.2-r0
libgd-2.2.5-r2
nginx-module-image-filter-1.17.2-r1
ncurses-terminfo-base-6.1_p20190518-r0
ncurses-terminfo-6.1_p20190518-r0
ncurses-libs-6.1_p20190518-r0
libedit-20190324.3.1-r0
nginx-module-njs-1.17.2.0.3.3-r1
libgpg-error-1.36-r2
libgcrypt-1.8.4-r1
libxml2-2.9.9-r2
libxslt-1.1.33-r1
nginx-module-xslt-1.17.2-r1
libintl-0.19.8.1-r4
tzdata-2019a-r0
/ # which patch
/usr/bin/patch
/ # ls -l /usr/bin/patch
lrwxrwxrwx    1 root     root            12 Jul 11 17:29 /usr/bin/patch -> /bin/busybox

What did you expect to happen?

GNU patch's vulns should not be reported

What happened instead?

GNU patch's vulns were reported

Output of run with -debug:

$ trivy --debug nginx:1.17.2-alpine@sha256:482ead44b2203fa32b3390abdaf97cbdc8ad15c07fb03a3e68d7c35a19ad7595
2019-08-09T21:39:26.695+0900    DEBUG   cache dir:  /home/suda/.cache/trivy
2019-08-09T21:39:26.695+0900    DEBUG   db path: /home/suda/.cache/trivy/db/trivy.db
2019-08-09T21:39:26.701+0900    INFO    Updating vulnerability database...
2019-08-09T21:39:26.701+0900    DEBUG   git pull
2019-08-09T21:39:27.628+0900    DEBUG   total updated files: 1
2019-08-09T21:39:27.629+0900    DEBUG   Vulnerability type:  [os library]
2019-08-09T21:39:27.681+0900    DEBUG   OS family: alpine, OS version: 3.10.1
2019-08-09T21:39:27.682+0900    DEBUG   the number of packages: 45
2019-08-09T21:39:27.915+0900    DEBUG   the number of packages from commands: 94
2019-08-09T21:39:27.916+0900    DEBUG   the number of packages: 105
2019-08-09T21:39:27.918+0900    INFO    Detecting Alpine vulnerabilities...
2019-08-09T21:39:27.918+0900    DEBUG   alpine: os version: 3.10
2019-08-09T21:39:27.920+0900    DEBUG   alpine: the number of packages: 105

nginx:1.17.2-alpine@sha256:482ead44b2203fa32b3390abdaf97cbdc8ad15c07fb03a3e68d7c35a19ad7595 (alpine 3.10.1)
===========================================================================================================
Total: 4 (UNKNOWN: 1, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 1)

+-----------+------------------+----------+-------------------+---------------+--------------------------------+
|  LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+-----------+------------------+----------+-------------------+---------------+--------------------------------+
| libgcrypt | CVE-2019-12904   | MEDIUM   | 1.8.4-r1          | 1.8.4-r2      | Libgcrypt: physical addresses  |
|           |                  |          |                   |               | being available to other       |
|           |                  |          |                   |               | processes leads to a           |
|           |                  |          |                   |               | flush-and-reload...            |
+-----------+------------------+----------+-------------------+---------------+--------------------------------+
| musl      | CVE-2019-14697   | UNKNOWN  | 1.1.22-r2         | 1.1.22-r3     | musl libc through 1.1.23       |
|           |                  |          |                   |               | has an x87 floating-point      |
|           |                  |          |                   |               | stack adjustment imbalance,    |
|           |                  |          |                   |               | related...                     |
+-----------+------------------+----------+-------------------+---------------+--------------------------------+
| patch     | CVE-2019-13638   | CRITICAL | 2.7.6-r5          | 2.7.6-r6      | patch: OS shell command        |
|           |                  |          |                   |               | injection when processing      |
|           |                  |          |                   |               | crafted patch files            |
+           +------------------+----------+                   +               +--------------------------------+
|           | CVE-2018-1000156 | MEDIUM   |                   |               | patch: Malicious patch files   |
|           |                  |          |                   |               | cause ed to execute arbitrary  |
|           |                  |          |                   |               | commands                       |
+-----------+------------------+----------+-------------------+---------------+--------------------------------+

Output of trivy -v:

$ trivy -v
trivy version 0.1.4

Additional details (base image name, container registry info...):

Clair doesn't produce these false positives

AkihiroSuda added the kind/bug label Aug 9, 2019
Collaborator

knqyf263 commented Aug 10, 2019

@AkihiroSuda Thank you for reporting the issue. At least, in the case of Trivy, this detection is intended. This is one of several differences with Clair.

As I said in https://github.com/knqyf263/trivy/issues/74#issuecomment-502366727, Trivy detects the vulnerabilities of packages which are statically linked and removed in that layer. These packages are invisible in the final layer. $ apk info -v | grep patch returns nothing. However, those packages remain in the binary.

In the case of nginx:1.17.2-alpine, the following packages are used to build the nginx binary.
https://github.com/nginxinc/docker-nginx/blob/c817e28dd68b6daa33265a8cb527b1c4cd723b59/mainline/alpine/Dockerfile#L49-L65

After building, these packages are removed in the same layer, so we can't see them in the final layer. (.build-deps is often used)
https://github.com/nginxinc/docker-nginx/blob/c817e28dd68b6daa33265a8cb527b1c4cd723b59/mainline/alpine/Dockerfile#L79

The patch package is installed when alpine-sdk is installed.

/ # apk info -r patch
patch-2.7.6-r6 is required by:
abuild-3.4.0-r0

/ # apk info -r abuild
abuild-3.4.0-r0 is required by:
alpine-sdk-1.0-r0

When we install alpine-sdk, patch is not Busybox but GNU patch.

$ docker run --rm -it alpine:3.10 sh
/ # apk add alpine-sdk
...
/ # which patch
/usr/bin/patch
/ # ls -l /usr/bin/patch
-rwxr-xr-x    1 root     root        161824 Aug  8 07:04 /usr/bin/patch

Therefore, in this image, GNU patch should be used, I think.
https://github.com/nginxinc/docker-nginx/blob/c817e28dd68b6daa33265a8cb527b1c4cd723b59/mainline/alpine/Dockerfile#L64

I think there are two types of packages to be deleted in Dockerfile.

  1. Linked statically (e.g. sqlite-dev, openssl-dev, etc.)
  2. Used when docker build (e.g. gcc, alpine-sdk, etc.)

I think No.1 should be detected, while I wonder whether No.2 should be detected. In addition, if those packages are used in a base image, we have no way to fix them. However, it is true that vulnerable packages are used when building.

Currently, I think it is important that users know vulnerabilities even if those packages are used only when building, so Trivy detects them. As it is also true that this behavior is confusing to many users, I may have to add a display that makes this easier to understand, and an option to ignore these vulnerabilities.
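The layer-level detection described in this comment, as an added example that is not Trivy's own code: it assumes each layer's creating command is available as one shell string (as in image history), that build dependencies are installed under a virtual package with `--virtual`/`-t` and removed with `apk del` in the same layer, and it uses the `-dev` suffix as a heuristic for the "linked statically" category versus "used when docker build". `ExampleLayer` is a constructed command modelled on the Dockerfile pattern above.

```go
package main

import "strings"

// ExampleLayer is a constructed layer command modelled on an Alpine Dockerfile
// RUN step that installs .build-deps, compiles, and removes them in one layer.
const ExampleLayer = "/bin/sh -c set -x && apk add --no-cache --virtual .build-deps gcc libc-dev make openssl-dev pcre-dev alpine-sdk && ./configure && make && apk del .build-deps"

// parseApk returns the verb, the --virtual/-t name and the package args of one apk step.
func parseApk(step string) (verb, virtual string, pkgs []string) {
	f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(step), "/bin/sh -c "))
	if len(f) < 2 || f[0] != "apk" {
		return // this step is not an apk invocation
	}
	verb = f[1]
	for j := 2; j < len(f); j++ {
		switch {
		case (f[j] == "--virtual" || f[j] == "-t") && j+1 < len(f):
			virtual, j = f[j+1], j+1
		case strings.HasPrefix(f[j], "-"): // other flags such as --no-cache
		default:
			pkgs = append(pkgs, f[j])
		}
	}
	return
}

// HiddenPackages maps packages a layer installed under a virtual name and deleted
// again (invisible to apk info, present at build time) to the category from the
// comment above: "-dev" packages are static-link candidates, the rest build tools.
func HiddenPackages(layerCmd string) map[string]string {
	added := map[string][]string{} // virtual name -> packages installed under it
	hidden := map[string]string{}
	for _, step := range strings.Split(layerCmd, "&&") {
		verb, virtual, pkgs := parseApk(step)
		switch verb {
		case "add":
			added[virtual] = append(added[virtual], pkgs...)
		case "del":
			for _, name := range pkgs {
				for _, p := range added[name] {
					hidden[p] = "build-time tool"
					if strings.HasSuffix(p, "-dev") {
						hidden[p] = "static-link candidate"
					}
				}
			}
		}
	}
	return hidden
}
```

Running `HiddenPackages(ExampleLayer)` yields six packages that `apk info -v` in the final image would never list, three of them `-dev` packages whose code may have been linked into the built binary.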

@AkihiroSuda
Author

Thanks for the explanation!

@knqyf263
Collaborator

I added a new issue.
https://github.com/knqyf263/trivy/issues/113

liamg pushed a commit that referenced this issue Jun 7, 2022
* test(integration): move to the test directory

* chore: update fixtures path

* test: put common test images under the test directory

* chore(Makefile): rename

* feat: support local filesystem and remote git repository [PART 1] (#109)

* feat(walker): add tar/fs walker

* fs_test: Add test names

Signed-off-by: Simarpreet Singh <simar@linux.com>

* walk_test: Add Test_isIgnored

Signed-off-by: Simarpreet Singh <simar@linux.com>

* feat: support local filesystem and remote git repository [PART 2] (#110)

* refactor(analyzer): merge OSAnalyzer, PkgAnalyze, LibAnalyzer into
Analyzer

* test: comment out temporarily

* fix(amazon): check the length

* fix(analyzer): make AnalysisResult a reference

* library/analyzer: Refactor library analyzer code.

Signed-off-by: Simarpreet Singh <simar@linux.com>

* feat: support local filesystem and remote git repository [PART 3] (#111)

* refactor(image): move directory

* feat(applier): add applier

* fix(apk): replace extractor with applier

* test: comment out temporarily

* feat: support local filesystem and remote git repository [PART 4] (#112)

* feat(artifact): add image, local and remote artifact

* image_test: Rename test field to use new convention

Signed-off-by: Simarpreet Singh <simar@linux.com>

* image_test: Add a test for put artifact failure

Signed-off-by: Simarpreet Singh <simar@linux.com>

* refactor(remote): remove unnecessary files for unit test

* feat: support local filesystem and remote git repository [PART 5] (#113)

* test(integration): fix tests

* feat: support local filesystem and remote git repository [PART 6] (#114)

* feat(main): add sub commands

* refactor(types): remove unused type

* chore(mod): update

* test(artifact): add mock

* fix(analyzer): redhat must be replaced with oracle

* fix(analyzer): debian must be replaced with ubuntu

* fix(fs): display dir when hostname is empty

Co-authored-by: Simarpreet Singh <simar@linux.com>

Co-authored-by: Simarpreet Singh <simar@linux.com>

* fix: make AnalysisResult a reference

Co-authored-by: Simarpreet Singh <simar@linux.com>

* refactor(walker): fix comment

Co-authored-by: Simarpreet Singh <simar@linux.com>

Co-authored-by: Simarpreet Singh <simar@linux.com>

Co-authored-by: Simarpreet Singh <simar@linux.com>
josedonizetti referenced this issue in josedonizetti/trivy Jun 24, 2022