Unknown GitHub Vulnerability Id GMS-2022-20 #2034

Closed
mayrstefan opened this issue Apr 24, 2022 · 5 comments
Labels: kind/feature (Categorizes issue or PR as related to a new feature.)

Comments

@mayrstefan (Contributor)

Description

Looking at the findings of #2033 we see GMS-2022-20 reported as a vulnerability id. This seems to be an unknown format.

What did you expect to happen?

I expected an id to be reported that I can find on the internet.

What happened instead?

Instead I found GHSA-qq97-vm5h-rrhg, which seems to be the reported vulnerability but has a different id.
Also, this vulnerability already has a CVE assigned. I'm not sure which id should be reported in that case.

Output of trivy -v:

$ docker run --rm ghcr.io/aquasecurity/trivy -v
Version: 0.26.0

Additional details (base image name, container registry info...):

Fun fact: the JSON output contains a URL using the correct id:

$ docker run --rm ghcr.io/aquasecurity/trivy image --no-progress --format json "ghcr.io/aquasecurity/trivy:latest";
2022-04-24T08:14:59.569Z        INFO    Need to update DB
2022-04-24T08:14:59.569Z        INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2022-04-24T08:14:59.569Z        INFO    Downloading DB...
2022-04-24T08:15:15.234Z        INFO    Detected OS: alpine
2022-04-24T08:15:15.234Z        INFO    Detecting Alpine vulnerabilities...
2022-04-24T08:15:15.236Z        INFO    Number of language-specific files: 1
2022-04-24T08:15:15.237Z        INFO    Detecting gobinary vulnerabilities...
{
  "SchemaVersion": 2,
  "ArtifactName": "ghcr.io/aquasecurity/trivy:latest",
  "ArtifactType": "container_image",
  "Metadata": {
    "OS": {
      "Family": "alpine",
      "Name": "3.15.4"
    },
    "ImageID": "sha256:3d3fe4d90c2648d406fb42e25bedcd8beafb1d5750f731fcb38dc506ff91c428",
    "DiffIDs": [
      "sha256:4fc242d58285699eca05db3cc7c7122a2b8e014d9481f323bd9277baacfa0628",
      "sha256:6f205b10b84baad10e15534d8ecb58c3cef7b93361dd946140fb5ab1eee2334f",
      "sha256:799e077522e2875ed8fae2317c434543179b09e609f75e15bbe56dc3eaad1278",
      "sha256:76d354fed9826ed2afca61922e3343243cda023939d255740a8a654db1e72561"
    ],
    "RepoTags": [
      "ghcr.io/aquasecurity/trivy:latest"
    ],
    "RepoDigests": [
      "ghcr.io/aquasecurity/trivy@sha256:0b3962fc8ce69ebbba9ae719cc54f53ccf9e523a54373f6719d01dc7fbd47517"
    ],
    "ImageConfig": {
      "architecture": "amd64",
      "created": "2022-04-15T21:40:11.61701653Z",
      "history": [
        {
          "created": "2022-04-05T00:19:59.790636867Z",
          "created_by": "/bin/sh -c #(nop) ADD file:5d673d25da3a14ce1f6cf66e4c7fd4f4b85a3759a9d93efb3fd9ff852b5b56e4 in / "
        },
        {
          "created": "2022-04-05T00:19:59.912662499Z",
          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
          "empty_layer": true
        },
        {
          "created": "2022-04-15T21:40:11.34401628Z",
          "created_by": "RUN /bin/sh -c apk --no-cache add ca-certificates git # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2022-04-15T21:40:11.60053656Z",
          "created_by": "COPY trivy /usr/local/bin/trivy # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2022-04-15T21:40:11.61701653Z",
          "created_by": "COPY contrib/*.tpl contrib/ # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2022-04-15T21:40:11.61701653Z",
          "created_by": "ENTRYPOINT [\"trivy\"]",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        }
      ],
      "os": "linux",
      "rootfs": {
        "type": "layers",
        "diff_ids": [
          "sha256:4fc242d58285699eca05db3cc7c7122a2b8e014d9481f323bd9277baacfa0628",
          "sha256:6f205b10b84baad10e15534d8ecb58c3cef7b93361dd946140fb5ab1eee2334f",
          "sha256:799e077522e2875ed8fae2317c434543179b09e609f75e15bbe56dc3eaad1278",
          "sha256:76d354fed9826ed2afca61922e3343243cda023939d255740a8a654db1e72561"
        ]
      },
      "config": {
        "Entrypoint": [
          "trivy"
        ],
        "Env": [
          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        ],
        "Labels": {
          "org.opencontainers.image.created": "2022-04-15T21:25:39Z",
          "org.opencontainers.image.description": "A Fast Vulnerability Scanner for Containers",
          "org.opencontainers.image.documentation": "https://aquasecurity.github.io/trivy/v0.26.0/",
          "org.opencontainers.image.revision": "a0047a7983b4b598f27706391cd6f89a63450653",
          "org.opencontainers.image.source": "https://github.com/aquasecurity/trivy",
          "org.opencontainers.image.title": "trivy",
          "org.opencontainers.image.url": "https://www.aquasec.com/products/trivy/",
          "org.opencontainers.image.vendor": "Aqua Security",
          "org.opencontainers.image.version": "0.26.0"
        }
      }
    }
  },
  "Results": [
    {
      "Target": "ghcr.io/aquasecurity/trivy:latest (alpine 3.15.4)",
      "Class": "os-pkgs",
      "Type": "alpine"
    },
    {
      "Target": "usr/local/bin/trivy",
      "Class": "lang-pkgs",
      "Type": "gobinary",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "GMS-2022-20",
          "PkgName": "github.com/docker/distribution",
          "InstalledVersion": "v2.7.1+incompatible",
          "FixedVersion": "v2.8.0",
          "Layer": {
            "Digest": "sha256:b4ece3d4aa62cc36c31b3dbafe4d79af9a25f2a3a11daa052bbeea21aed25de9",
            "DiffID": "sha256:799e077522e2875ed8fae2317c434543179b09e609f75e15bbe56dc3eaad1278"
          },
          "DataSource": {
            "ID": "glad",
            "Name": "GitLab Advisory Database Community",
            "URL": "https://gitlab.com/gitlab-org/advisories-community"
          },
          "Title": "OCI Manifest Type Confusion Issue",
          "Description": "### Impact\n\nSystems that rely on digest equivalence for image attestations may be vulnerable to type confusion.",
          "Severity": "UNKNOWN",
          "References": [
            "https://github.com/advisories/GHSA-qq97-vm5h-rrhg",
            "https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586",
            "https://github.com/distribution/distribution/security/advisories/GHSA-qq97-vm5h-rrhg",
            "https://github.com/opencontainers/image-spec/pull/411"
          ]
        },
        {
          "VulnerabilityID": "CVE-2022-27191",
          "PkgName": "golang.org/x/crypto",
          "InstalledVersion": "v0.0.0-20220208233918-bba287dce954",
          "FixedVersion": "0.0.0-20220315160706-3147a52a75dd",
          "Layer": {
            "Digest": "sha256:b4ece3d4aa62cc36c31b3dbafe4d79af9a25f2a3a11daa052bbeea21aed25de9",
            "DiffID": "sha256:799e077522e2875ed8fae2317c434543179b09e609f75e15bbe56dc3eaad1278"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-27191",
          "DataSource": {
            "ID": "glad",
            "Name": "GitLab Advisory Database Community",
            "URL": "https://gitlab.com/gitlab-org/advisories-community"
          },
          "Title": "golang: crash in a golang.org/x/crypto/ssh server",
          "Description": "The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-327"
          ],
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V2Score": 4.3,
              "V3Score": 7.5
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2022-27191",
            "https://github.com/advisories/GHSA-8c26-wmh5-6g9v",
            "https://groups.google.com/g/golang-announce",
            "https://groups.google.com/g/golang-announce/c/-cp44ypCT5s",
            "https://groups.google.com/g/golang-announce/c/-cp44ypCT5s/m/wmegxkLiAQAJ",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HHGBEGJ54DZZGTXFUQNS7ZIG3E624YAF/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QTFOIDHQRGNI4P6LYN6ILH5G443RYYKB/",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-27191"
          ],
          "PublishedDate": "2022-03-18T07:15:00Z",
          "LastModifiedDate": "2022-04-21T23:15:00Z"
        }
      ]
    }
  ]
}

Looking at:

      "Vulnerabilities": [
        {
          "VulnerabilityID": "GMS-2022-20",
...
          "References": [
            "https://github.com/advisories/GHSA-qq97-vm5h-rrhg",
mayrstefan added the kind/bug label (Categorizes issue or PR as related to a bug.) on Apr 24, 2022
@mayrstefan (Contributor, Author)

I think I would prefer to have the CVE (if one exists) reported because CVE-2021-41190 affects multiple projects and I have found three Github Security Advisories that reference the CVE so far.

@mayrstefan (Contributor, Author)

Okay, I've found GMS-2022-20. But this seems to be more like an internal id of the GitLab Advisory Database and not a public one. Also, this YAML includes the original id of the GitHub advisory, which should be shown in trivy instead of the GitLab id:

---
identifier: "GMS-2022-20"
identifiers:
- "GHSA-qq97-vm5h-rrhg"
- "GMS-2022-20"

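The two data shapes in this thread, the GLAD `identifiers:` list just above and the Trivy JSON report earlier in the issue, lend themselves to a small worked example of the id selection being asked for. The Go program below is an added example written for this page; it is not code from the issue, from Trivy or from trivy-db. `PreferredID` applies one assumed precedence (CVE, then GHSA, then GMS, else the first entry) to an identifiers list, and `NormalizeIDs` reads the subset of Trivy's schema v2 report used here and, for a finding that still carries a GMS id, recovers the GHSA from the advisory's `References` URLs. The function names, the precedence order and the constructed, trimmed `SampleReport` are assumptions for illustration only.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Identifier families seen in this issue. CVE and GHSA ids are public;
// the GMS- form is an internal key of the GitLab Advisory Database.
var (
	cveRe     = regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)
	ghsaRe    = regexp.MustCompile(`^GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}$`)
	gmsRe     = regexp.MustCompile(`^GMS-\d{4}-\d+$`)
	ghsaInURL = regexp.MustCompile(`GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}`)
)

// rank orders identifier families; lower is preferred. The order
// CVE > GHSA > GMS is the precedence assumed for this example.
func rank(id string) int {
	switch {
	case cveRe.MatchString(id):
		return 0
	case ghsaRe.MatchString(id):
		return 1
	case gmsRe.MatchString(id):
		return 2
	}
	return 3
}

// PreferredID picks the id to report from a GLAD `identifiers:` list.
// Ties keep the earliest entry; an empty list yields "".
func PreferredID(ids []string) string {
	best, bestRank := "", 4
	for _, id := range ids {
		if r := rank(id); r < bestRank {
			best, bestRank = id, r
		}
	}
	return best
}

// report is only the subset of Trivy's JSON schema v2 needed here.
type report struct {
	Results []struct {
		Target          string `json:"Target"`
		Vulnerabilities []struct {
			VulnerabilityID string   `json:"VulnerabilityID"`
			PkgName         string   `json:"PkgName"`
			References      []string `json:"References"`
		} `json:"Vulnerabilities"`
	} `json:"Results"`
}

// Finding pairs the id Trivy printed with the public id to show instead.
type Finding struct {
	Target, PkgName, ReportedID, PublicID string
}

// NormalizeIDs keeps CVE/GHSA ids as they are and, for a GMS id, swaps in a
// GHSA found in the advisory's reference URLs (the GMS id stays if none).
func NormalizeIDs(reportJSON []byte) ([]Finding, error) {
	var rep report
	if err := json.Unmarshal(reportJSON, &rep); err != nil {
		return nil, err
	}
	var out []Finding
	for _, res := range rep.Results { // a result without Vulnerabilities adds nothing
		for _, v := range res.Vulnerabilities {
			public := v.VulnerabilityID
			if gmsRe.MatchString(public) {
				var cands []string
				for _, ref := range v.References {
					if m := ghsaInURL.FindString(ref); m != "" {
						cands = append(cands, m)
					}
				}
				if p := PreferredID(cands); p != "" {
					public = p
				}
			}
			out = append(out, Finding{res.Target, v.PkgName, v.VulnerabilityID, public})
		}
	}
	return out, nil
}

// SampleReport is a constructed, trimmed version of the report in this issue.
const SampleReport = `{"SchemaVersion": 2, "Results": [
  {"Target": "ghcr.io/aquasecurity/trivy:latest (alpine 3.15.4)", "Class": "os-pkgs", "Type": "alpine"},
  {"Target": "usr/local/bin/trivy", "Class": "lang-pkgs", "Type": "gobinary", "Vulnerabilities": [
    {"VulnerabilityID": "GMS-2022-20", "PkgName": "github.com/docker/distribution",
     "References": ["https://github.com/advisories/GHSA-qq97-vm5h-rrhg",
                    "https://github.com/opencontainers/image-spec/pull/411"]},
    {"VulnerabilityID": "CVE-2022-27191", "PkgName": "golang.org/x/crypto",
     "References": ["https://github.com/advisories/GHSA-8c26-wmh5-6g9v"]}]}]}`

func main() {
	findings, err := NormalizeIDs([]byte(SampleReport))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-22s %-32s %-16s -> %s\n", f.Target, f.PkgName, f.ReportedID, f.PublicID)
	}
}
```

Run it with `go run .`; the GMS-2022-20 row is printed as GHSA-qq97-vm5h-rrhg while the CVE row is left untouched. The GHSA patterns deliberately accept any lowercase alphanumeric quadruple rather than GitHub's exact alphabet so they stay readable; tighten them if you feed untrusted reference URLs.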
@mayrstefan (Contributor, Author)

Diving deeper into the details:

The GitLab source seems to be https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-qq97-vm5h-rrhg/GHSA-qq97-vm5h-rrhg.json, which I would say is the source for GHSA-qq97-vm5h-rrhg.

But the origin seems to be GHSA-qq97-vm5h-rrhg directly from the repository maintainers, which is the most current version and also has the CVE reference. But so far I cannot find a machine-readable format of this one.

@DmitriyLewen (Contributor)

Hello @mayrstefan
Thank you for such an informative report!

We will add logic to select advisory id.

Regards, Dmitriy

@afdesk (Contributor) commented May 31, 2022

We made some changes in trivy-db: it now prefers GitHub IDs (GHSA-...) over GMS identifiers.
aquasecurity/vuln-list-update#158

It should resolve this issue.

afdesk closed this as completed May 31, 2022