
Inconsistencies between standard and light database (re: CVE-2021-44228) #1453

Closed
pablogalegoc opened this issue Dec 10, 2021 · 13 comments · Fixed by #1458
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@pablogalegoc

Description

When running a Trivy scan with a freshly downloaded standard database, the latest log4j CVE (CVE-2021-44228) is reported, while running the same command with --light, again with a freshly downloaded database, fails to report it.

❯ trivy image --ignore-unfixed --severity CRITICAL bitnami/keycloak:15.0.2-debian-10-r106
2021-12-10T16:41:35.313+0100	INFO	Need to update DB
2021-12-10T16:41:35.313+0100	INFO	Downloading DB...
25.18 MiB / 25.18 MiB [-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1.12 MiB p/s 23s
2021-12-10T16:42:02.498+0100	INFO	Detected OS: debian
2021-12-10T16:42:02.498+0100	INFO	Detecting Debian vulnerabilities...
2021-12-10T16:42:02.509+0100	INFO	Number of language-specific files: 3
2021-12-10T16:42:02.509+0100	INFO	Detecting gobinary vulnerabilities...
2021-12-10T16:42:02.509+0100	INFO	Detecting jar vulnerabilities...

bitnami/keycloak:15.0.2-debian-10-r106 (debian 10.11)
=====================================================
Total: 0 (CRITICAL: 0)


Java (jar)
==========
Total: 2 (CRITICAL: 2)

+--------------------------------------------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|                              LIBRARY                               | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------------------------------------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer | CVE-2021-42575   | CRITICAL |        20191001.1 |    20211018.1 | owasp-java-html-sanitizer:            |
|                                                                    |                  |          |                   |               | improper policies enforcement         |
|                                                                    |                  |          |                   |               | may lead to remote code execution     |
|                                                                    |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42575 |
+--------------------------------------------------------------------+------------------+          +-------------------+---------------+---------------------------------------+
| org.apache.logging.log4j:log4j-api                                 | CVE-2021-44228   |          | 2.14.0            | 2.15.0        | Remote code injection in Log4j        |
|                                                                    |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-44228 |
+--------------------------------------------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+

❯ trivy image --ignore-unfixed --severity CRITICAL --light bitnami/keycloak:15.0.2-debian-10-r106
2021-12-10T16:42:24.231+0100	INFO	Need to update DB
2021-12-10T16:42:24.232+0100	INFO	Downloading DB...
6.86 MiB / 6.86 MiB [----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1.20 MiB p/s 6s
2021-12-10T16:42:34.359+0100	INFO	Detected OS: debian
2021-12-10T16:42:34.359+0100	INFO	Detecting Debian vulnerabilities...
2021-12-10T16:42:34.373+0100	INFO	Number of language-specific files: 3
2021-12-10T16:42:34.373+0100	INFO	Detecting gobinary vulnerabilities...
2021-12-10T16:42:34.373+0100	INFO	Detecting jar vulnerabilities...

bitnami/keycloak:15.0.2-debian-10-r106 (debian 10.11)
=====================================================
Total: 0 (CRITICAL: 0)


Java (jar)
==========
Total: 1 (CRITICAL: 1)

+--------------------------------------------------------------------+------------------+----------+-------------------+---------------+
|                              LIBRARY                               | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
+--------------------------------------------------------------------+------------------+----------+-------------------+---------------+
| com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer | CVE-2021-42575   | CRITICAL |        20191001.1 |    20211018.1 |
+--------------------------------------------------------------------+------------------+----------+-------------------+---------------+

What did you expect to happen?

Outputs from standard and light databases report the same vulnerabilities.

What happened instead?

Output from the standard database is inconsistent with the report of the light database. The standard database seems more up to date.

Output of run with --debug:

❯ trivy --debug image --ignore-unfixed --severity CRITICAL bitnami/keycloak:15.0.2-debian-10-r106
2021-12-10T16:42:53.053+0100	DEBUG	Severities: CRITICAL
2021-12-10T16:42:53.092+0100	DEBUG	cache dir:  /Users/pgalego/Library/Caches/trivy
2021-12-10T16:42:53.093+0100	INFO	Need to update DB
2021-12-10T16:42:53.093+0100	INFO	Downloading DB...
2021-12-10T16:42:53.633+0100	DEBUG	release name: v1-2021121012
2021-12-10T16:42:53.634+0100	DEBUG	asset name: trivy-light-offline.db.tgz
2021-12-10T16:42:53.634+0100	DEBUG	file name doesn't match
2021-12-10T16:42:53.634+0100	DEBUG	asset name: trivy-light.db.gz
2021-12-10T16:42:53.634+0100	DEBUG	file name doesn't match
2021-12-10T16:42:53.634+0100	DEBUG	asset name: trivy-offline.db.tgz
2021-12-10T16:42:53.634+0100	DEBUG	file name doesn't match
2021-12-10T16:42:53.634+0100	DEBUG	asset name: trivy.db.gz
2021-12-10T16:42:53.718+0100	DEBUG	asset URL: https://objects.githubusercontent.com/github-production-release-asset-2e65be/216830441/38ffe72f-cbb4-4a54-84ba-4bff56f5e8d3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20211210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211210T154136Z&X-Amz-Expires=300&X-Amz-Signature=e258e22925198f257efd3197c10f58b1a033cf406fafd57755a425ab1a9781df&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=216830441&response-content-disposition=attachment%3B%20filename%3Dtrivy.db.gz&response-content-type=application%2Foctet-stream
25.18 MiB / 25.18 MiB [-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1.11 MiB p/s 23s
2021-12-10T16:43:17.043+0100	DEBUG	Updating database metadata...
2021-12-10T16:43:17.044+0100	DEBUG	DB Schema: 1, Type: 1, UpdatedAt: 2021-12-10 12:45:24.11848591 +0000 UTC, NextUpdate: 2021-12-10 18:45:24.11848561 +0000 UTC, DownloadedAt: 2021-12-10 15:43:17.043569 +0000 UTC
2021-12-10T16:43:17.044+0100	DEBUG	Vulnerability type:  [os library]
2021-12-10T16:43:19.960+0100	DEBUG	Image ID: sha256:1b6f1757096f3f855ad256ca9f6e6194a096af9814d744c7845eef4f42d3f8c4
2021-12-10T16:43:19.960+0100	DEBUG	Diff IDs: [sha256:62f5b6ce404b36b8c0b137330650ab42b816424b9e7ad041c2ca657779f723eb sha256:a7684c3e25c2515e64c9f3477344a919af40a8d67403f903797f9353da8b41a6 sha256:39e5f51350eb9e826906d7a051e0fc7837668195291af12f4339326442f4f343 sha256:d39d69decea79a55b3b922af933a0df6a70f3fe50f3698400f80c05c067bc0b5 sha256:0bcc44981a8e2e50f245552e6034a58b081bfefcc7c91587c7eb0e359ed2c19c sha256:be0b79108ecd95906de0eec9a1480cbffa37ed6dd8ab791896e205111341a09d sha256:17617ddbea5171e68c3dde4a8a69a8d8c099255a2ad7db9cee731a310e883d51 sha256:544bb31ee091bc8b909b64e0d49dd10d0f3d5989c9f083c8ca189ddcc41e1561 sha256:424de26469c532dce36608a733790661f65994b896f2da2edbba2b4bc358fe69 sha256:c3f2cb39ff09a44b864aa43ea274ad8efb07c6978582bc7bee5c3660a75c7421]
2021-12-10T16:43:19.972+0100	INFO	Detected OS: debian
2021-12-10T16:43:19.972+0100	INFO	Detecting Debian vulnerabilities...
2021-12-10T16:43:19.972+0100	DEBUG	debian: os version: 10
2021-12-10T16:43:19.972+0100	DEBUG	debian: the number of packages: 109
2021-12-10T16:43:19.983+0100	INFO	Number of language-specific files: 3
2021-12-10T16:43:19.983+0100	INFO	Detecting gobinary vulnerabilities...
2021-12-10T16:43:19.983+0100	DEBUG	Detecting library vulnerabilities, type: gobinary, path: opt/bitnami/common/bin/wait-for-port
2021-12-10T16:43:19.983+0100	DEBUG	Detecting library vulnerabilities, type: gobinary, path: opt/bitnami/common/bin/gosu
2021-12-10T16:43:19.983+0100	INFO	Detecting jar vulnerabilities...
2021-12-10T16:43:19.983+0100	DEBUG	Detecting library vulnerabilities, type: jar, path:
❯ trivy --debug image --ignore-unfixed --severity CRITICAL --light bitnami/keycloak:15.0.2-debian-10-r106
2021-12-10T16:43:40.360+0100	DEBUG	Severities: CRITICAL
2021-12-10T16:43:40.399+0100	DEBUG	cache dir:  /Users/pgalego/Library/Caches/trivy
2021-12-10T16:43:40.399+0100	INFO	Need to update DB
2021-12-10T16:43:40.400+0100	INFO	Downloading DB...
2021-12-10T16:43:40.956+0100	DEBUG	release name: v1-2021121012
2021-12-10T16:43:40.956+0100	DEBUG	asset name: trivy-light-offline.db.tgz
2021-12-10T16:43:40.956+0100	DEBUG	file name doesn't match
2021-12-10T16:43:40.956+0100	DEBUG	asset name: trivy-light.db.gz
2021-12-10T16:43:41.029+0100	DEBUG	asset URL: https://objects.githubusercontent.com/github-production-release-asset-2e65be/216830441/1e24b240-aa24-4b8e-b623-c77bc757fa77?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20211210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211210T154235Z&X-Amz-Expires=300&X-Amz-Signature=3101f0b0724de8ada73723fccd5060abac53066fd4e42b8412dc6379a52d5f81&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=216830441&response-content-disposition=attachment%3B%20filename%3Dtrivy-light.db.gz&response-content-type=application%2Foctet-stream
6.86 MiB / 6.86 MiB [----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1.23 MiB p/s 6s
2021-12-10T16:43:47.399+0100	DEBUG	Updating database metadata...
2021-12-10T16:43:47.399+0100	DEBUG	DB Schema: 1, Type: 2, UpdatedAt: 2021-12-10 12:50:08.898808385 +0000 UTC, NextUpdate: 2021-12-10 18:50:08.898808085 +0000 UTC, DownloadedAt: 2021-12-10 15:43:47.399327 +0000 UTC
2021-12-10T16:43:47.399+0100	DEBUG	Vulnerability type:  [os library]
2021-12-10T16:43:50.237+0100	DEBUG	Image ID: sha256:1b6f1757096f3f855ad256ca9f6e6194a096af9814d744c7845eef4f42d3f8c4
2021-12-10T16:43:50.237+0100	DEBUG	Diff IDs: [sha256:62f5b6ce404b36b8c0b137330650ab42b816424b9e7ad041c2ca657779f723eb sha256:a7684c3e25c2515e64c9f3477344a919af40a8d67403f903797f9353da8b41a6 sha256:39e5f51350eb9e826906d7a051e0fc7837668195291af12f4339326442f4f343 sha256:d39d69decea79a55b3b922af933a0df6a70f3fe50f3698400f80c05c067bc0b5 sha256:0bcc44981a8e2e50f245552e6034a58b081bfefcc7c91587c7eb0e359ed2c19c sha256:be0b79108ecd95906de0eec9a1480cbffa37ed6dd8ab791896e205111341a09d sha256:17617ddbea5171e68c3dde4a8a69a8d8c099255a2ad7db9cee731a310e883d51 sha256:544bb31ee091bc8b909b64e0d49dd10d0f3d5989c9f083c8ca189ddcc41e1561 sha256:424de26469c532dce36608a733790661f65994b896f2da2edbba2b4bc358fe69 sha256:c3f2cb39ff09a44b864aa43ea274ad8efb07c6978582bc7bee5c3660a75c7421]
2021-12-10T16:43:50.250+0100	INFO	Detected OS: debian
2021-12-10T16:43:50.250+0100	INFO	Detecting Debian vulnerabilities...
2021-12-10T16:43:50.250+0100	DEBUG	debian: os version: 10
2021-12-10T16:43:50.250+0100	DEBUG	debian: the number of packages: 109
2021-12-10T16:43:50.263+0100	INFO	Number of language-specific files: 3
2021-12-10T16:43:50.263+0100	INFO	Detecting gobinary vulnerabilities...
2021-12-10T16:43:50.263+0100	DEBUG	Detecting library vulnerabilities, type: gobinary, path: opt/bitnami/common/bin/wait-for-port
2021-12-10T16:43:50.263+0100	DEBUG	Detecting library vulnerabilities, type: gobinary, path: opt/bitnami/common/bin/gosu
2021-12-10T16:43:50.263+0100	INFO	Detecting jar vulnerabilities...
2021-12-10T16:43:50.263+0100	DEBUG	Detecting library vulnerabilities, type: jar, path:

Output of trivy -v:

❯ trivy -v
Version: 0.20.2
Vulnerability DB:
  Type: Full
  Version: 1
  UpdatedAt: 2021-12-10 12:45:24.11848591 +0000 UTC
  NextUpdate: 2021-12-10 18:45:24.11848561 +0000 UTC
  DownloadedAt: 2021-12-10 15:35:22.443732 +0000 UTC

Additional details (base image name, container registry info...):

Base image: bitnami/keycloak:15.0.2-debian-10-r106
Container registry: Dockerhub

@pablogalegoc pablogalegoc added the kind/bug Categorizes issue or PR as related to a bug. label Dec 10, 2021
@mih-kopylov

Happens for me as well.

The interesting thing - both light and standard databases have CVE-2021-44228 inside, but for some reason with the --light option Trivy doesn't react.

@mih-kopylov

mih-kopylov commented Dec 10, 2021

Another thing - according to https://nvd.nist.gov/vuln/detail/CVE-2021-44228 the log4j-api isn't affected, it's only log4j-core that is.
https://issues.apache.org/jira/browse/LOG4J2-3201?focusedCommentId=17456962&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17456962
The log4j devs confirm that.

I'm not sure where the information about log4j-api in the database comes from; could it be verified?

@carrodher

Now it's being reported separately, but log4j-api is still appearing:

  • Elasticsearch image:
$ trivy image --ignore-unfixed --severity CRITICAL bitnami/elasticsearch
2021-12-11T19:51:11.390Z	INFO	Detected OS: debian
2021-12-11T19:51:11.390Z	INFO	Detecting Debian vulnerabilities...
2021-12-11T19:51:11.416Z	INFO	Number of language-specific files: 3
2021-12-11T19:51:11.416Z	INFO	Detecting gobinary vulnerabilities...
2021-12-11T19:51:11.416Z	INFO	Detecting jar vulnerabilities...

Java (jar)
==========
Total: 2 (CRITICAL: 2)

+-------------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|               LIBRARY               | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+-------------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| org.apache.logging.log4j:log4j-api  | CVE-2021-44228   | CRITICAL | 2.11.1            | 2.15.0        | log4j-core: Remote code execution     |
|                                     |                  |          |                   |               | in Log4j 2.x when logs contain        |
|                                     |                  |          |                   |               | an attacker-controlled...             |
|                                     |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-44228 |
+-------------------------------------+                  +          +                   +               +                                       +
| org.apache.logging.log4j:log4j-core |                  |          |                   |               |                                       |
|                                     |                  |          |                   |               |                                       |
|                                     |                  |          |                   |               |                                       |
|                                     |                  |          |                   |               |                                       |
+-------------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
  • Keycloak image:
$ trivy image --ignore-unfixed --severity CRITICAL bitnami/keycloak
2021-12-11T19:52:43.479Z	INFO	Detected OS: debian
2021-12-11T19:52:43.479Z	INFO	Detecting Debian vulnerabilities...
2021-12-11T19:52:43.491Z	INFO	Number of language-specific files: 3
2021-12-11T19:52:43.491Z	INFO	Detecting gobinary vulnerabilities...
2021-12-11T19:52:43.491Z	INFO	Detecting jar vulnerabilities...

Java (jar)
==========
Total: 1 (CRITICAL: 1)

+------------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|              LIBRARY               | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+------------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| org.apache.logging.log4j:log4j-api | CVE-2021-44228   | CRITICAL | 2.14.0            | 2.15.0        | log4j-core: Remote code execution     |
|                                    |                  |          |                   |               | in Log4j 2.x when logs contain        |
|                                    |                  |          |                   |               | an attacker-controlled...             |
|                                    |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-44228 |
+------------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+

@knqyf263
Collaborator

knqyf263 commented Dec 12, 2021

@mih-kopylov @carrodher Thanks for reporting the issue! Trivy depends on GitHub Security Advisory (GHSA) and it includes log4j-api.
GHSA-jfh8-c2jp-5v3q

[image attached]

Could you report the issue to GHSA like this?
https://github.community/t/a-problem-with-cve-2021-27568-of-github-security-advisories/215169
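Whether a CVE-2021-44228 hit on a jar is actionable depends on which artifact the jar actually is: per the NVD entry and the Apache comment linked above, the vulnerable JNDI lookup lives in log4j-core, and log4j-api on its own is not affected. The Go program below is an added example for triaging such a finding; it is not Trivy's code and not something from this thread. It reads a jar's `META-INF/maven/*/*/pom.properties` for the Maven coordinates and checks whether `org/apache/logging/log4j/core/lookup/JndiLookup.class` is present. The `buildJar` helper and the two jars it produces are constructed test data (the class entry holds only the class-file magic bytes, not real bytecode), and the `Triage` verdict strings are my own wording.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"strings"
)

// JarInfo is what we learn from one jar: its Maven coordinates and whether
// the JNDI lookup class abused by CVE-2021-44228 ships inside it.
type JarInfo struct {
	GroupID, ArtifactID, Version string
	HasJndiLookup                bool
}

// jndiLookupClass is shipped by log4j-core, never by log4j-api.
const jndiLookupClass = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

// inspectJar reads a jar (a zip archive) from memory, parses every
// META-INF/maven/<group>/<artifact>/pom.properties it finds and records
// whether JndiLookup.class is present.
func inspectJar(data []byte) (JarInfo, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return JarInfo{}, err
	}
	var info JarInfo
	for _, f := range r.File {
		if f.Name == jndiLookupClass {
			info.HasJndiLookup = true
		}
		if !strings.HasPrefix(f.Name, "META-INF/maven/") || !strings.HasSuffix(f.Name, "/pom.properties") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return JarInfo{}, err
		}
		b, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return JarInfo{}, err
		}
		// pom.properties is a plain key=value file.
		for _, line := range strings.Split(string(b), "\n") {
			kv := strings.SplitN(strings.TrimSpace(line), "=", 2)
			if len(kv) != 2 {
				continue
			}
			switch kv[0] {
			case "groupId":
				info.GroupID = kv[1]
			case "artifactId":
				info.ArtifactID = kv[1]
			case "version":
				info.Version = kv[1]
			}
		}
	}
	return info, nil
}

// Triage turns the jar facts into a verdict for a CVE-2021-44228 finding:
// only log4j-core carries the vulnerable lookup; log4j-api alone does not.
func Triage(info JarInfo) string {
	isLog4j := info.GroupID == "org.apache.logging.log4j"
	switch {
	case isLog4j && info.ArtifactID == "log4j-core" && info.HasJndiLookup:
		return "actionable: log4j-core with JndiLookup.class present"
	case isLog4j && info.ArtifactID == "log4j-core":
		return "review: log4j-core but JndiLookup.class is absent (removed as mitigation?)"
	case isLog4j && info.ArtifactID == "log4j-api":
		return "likely false positive: log4j-api only; look for a separate log4j-core jar"
	default:
		return "not a log4j artifact"
	}
}

// buildJar constructs an in-memory jar for the demo (constructed test data,
// not a real Log4j release).
func buildJar(group, artifact, version string, withJndi bool) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	props := fmt.Sprintf("groupId=%s\nartifactId=%s\nversion=%s\n", group, artifact, version)
	f, _ := w.Create(fmt.Sprintf("META-INF/maven/%s/%s/pom.properties", group, artifact))
	f.Write([]byte(props))
	if withJndi {
		c, _ := w.Create(jndiLookupClass)
		c.Write([]byte{0xCA, 0xFE, 0xBA, 0xBE}) // class-file magic only, not real bytecode
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	for _, j := range [][]byte{
		buildJar("org.apache.logging.log4j", "log4j-api", "2.14.0", false),
		buildJar("org.apache.logging.log4j", "log4j-core", "2.14.0", true),
	} {
		info, err := inspectJar(j)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s:%s:%s -> %s\n", info.GroupID, info.ArtifactID, info.Version, Triage(info))
	}
}
```

Running it over the jars a scanner flags (extracted from the image layer, or read via `unzip -l` first) tells you whether a log4j-api hit is backed by a log4j-core jar somewhere else in the image, which is the question the table above cannot answer on its own.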

@knqyf263
Collaborator

@pablogalegoc Thank you for filing an issue. Please let me look into the issue. Meanwhile, use Trivy without --light. Also, --light will be deprecated.
aquasecurity/trivy-db#160

@mih-kopylov

https://github.community/t/cve-2021-44228-advisory/217105

Done

@afdesk
Contributor

afdesk commented Dec 12, 2021

@pablogalegoc thanks for your report!
I could reproduce this issue and will investigate it.

@recena

recena commented Dec 12, 2021

@knqyf263 If the light version of the DB is planned to be removed, my suggestion is to point it out on the documentation side.

@knqyf263
Collaborator

@recena Not ready yet. Once we finish preparation, we'll announce it.

afdesk added a commit to afdesk/trivy that referenced this issue Dec 12, 2021
if the vulnerability doesn't contain a known vendor severity,
`trivy` will set a severity from the first vendor.


fixes aquasecurity#1453
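The fallback the commit message above describes, modelled as an added example. This is not Trivy's code: the `Vulnerability` type, the `preferredVendors` order and the two sample entries are assumptions made for the illustration (the GHSA rating on the sample log4j entry is constructed data). It shows the failure mode reported in this issue, a finding whose top-level severity is unresolved being silently dropped by a `--severity CRITICAL` filter, and how falling back to the first vendor's rating brings it back:

```go
package main

import (
	"fmt"
	"sort"
)

// Severity levels in ascending order, mirroring the UNKNOWN..CRITICAL scale
// used in scanner output.
type Severity int

const (
	SeverityUnknown Severity = iota
	SeverityLow
	SeverityMedium
	SeverityHigh
	SeverityCritical
)

func (s Severity) String() string {
	return [...]string{"UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"}[s]
}

// Vulnerability is a cut-down model of a DB entry: a top-level severity that
// may be unset, plus per-vendor ratings. Field names are assumed, not Trivy's.
type Vulnerability struct {
	ID             string
	Severity       Severity
	VendorSeverity map[string]Severity
}

// preferredVendors is an assumed preference order; the real list may differ.
var preferredVendors = []string{"nvd", "redhat"}

// resolveSeverity implements the fallback from the fix commit: prefer a known
// vendor's rating; if none is present and fallbackToFirst is set, take the
// first vendor's rating instead of leaving the entry UNKNOWN.
func resolveSeverity(v Vulnerability, fallbackToFirst bool) Severity {
	if v.Severity != SeverityUnknown {
		return v.Severity
	}
	for _, vendor := range preferredVendors {
		if s, ok := v.VendorSeverity[vendor]; ok {
			return s
		}
	}
	if !fallbackToFirst || len(v.VendorSeverity) == 0 {
		return SeverityUnknown
	}
	vendors := make([]string, 0, len(v.VendorSeverity))
	for vendor := range v.VendorSeverity {
		vendors = append(vendors, vendor)
	}
	sort.Strings(vendors) // map order is random; sort so "first" is deterministic
	return v.VendorSeverity[vendors[0]]
}

// filterBySeverity mimics the --severity filter: it returns the IDs whose
// resolved severity is one of the wanted levels.
func filterBySeverity(vulns []Vulnerability, wanted []Severity, fallbackToFirst bool) []string {
	allowed := map[Severity]bool{}
	for _, s := range wanted {
		allowed[s] = true
	}
	var kept []string
	for _, v := range vulns {
		if allowed[resolveSeverity(v, fallbackToFirst)] {
			kept = append(kept, v.ID)
		}
	}
	return kept
}

// Constructed sample entries: one with a resolved severity, one that only
// carries a vendor rating from a vendor outside preferredVendors.
var sample = []Vulnerability{
	{ID: "CVE-2021-42575", Severity: SeverityCritical},
	{ID: "CVE-2021-44228", VendorSeverity: map[string]Severity{"ghsa": SeverityCritical}},
}

func main() {
	critical := []Severity{SeverityCritical}
	fmt.Println("without fallback:", filterBySeverity(sample, critical, false))
	fmt.Println("with fallback:   ", filterBySeverity(sample, critical, true))
}
```

The practical check this suggests: when a scanner run with a severity filter misses something you expect, rerun without `--severity` (or with `--severity UNKNOWN` included) before concluding the database lacks the entry. In this issue the entry was present in both databases; only its severity was unresolved.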
@recena

recena commented Dec 12, 2021

@knqyf263 But if you plan to do it, the community should be aware of it.

@knqyf263
Collaborator

knqyf263 commented Dec 15, 2021

@recena No, I don't think so. We will announce a long enough period for the migration. It would confuse users to announce it before we are ready. We have not yet decided when and how it will be deprecated at all.

@jonny-wg2

@knqyf263 does Trivy get its data from any other sources? Can't find a reference to this in the docs.

@knqyf263
Collaborator

Are you talking about data sources?
https://aquasecurity.github.io/trivy/v0.21.3/vulnerability/detection/data-source/
