
fix(ubuntu): add EOL date for Ubuntu 23.04 #4347

Merged (2 commits) on May 16, 2023

Conversation

@chrisnovakovic (Contributor) commented May 12, 2023

Description

Ubuntu 23.04 was released on 2023-04-20 and is supported until January 2024 - see https://wiki.ubuntu.com/Releases.

Although no exact EOL date is given by Canonical, the assumption has been made that support ends nine months from the date of release (i.e. 2024-01-20) rather than the end of the month in which support ends, in line with assumptions made for other Ubuntu releases.

Related issues

Checklist

Ubuntu 23.04 was released on 2023-04-20 and is supported until January
2024 - see https://wiki.ubuntu.com/Releases.

Closes aquasecurity#4298.
@chrisnovakovic (Contributor, Author)

Verified manually.

Before (with Trivy 0.41), with a warning about security updates not being provided for this OS:

$ ~/trivy i docker.io/library/ubuntu:23.04 --debug
2023-05-12T16:10:07.492+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-05-12T16:10:07.499+0100    DEBUG   cache dir:  /home/csn/.cache/trivy
2023-05-12T16:10:07.499+0100    DEBUG   DB update was skipped because the local DB is the latest
2023-05-12T16:10:07.499+0100    DEBUG   DB Schema: 2, UpdatedAt: 2023-05-12 12:08:07.502836604 +0000 UTC, NextUpdate: 2023-05-12 18:08:07.502836204 +0000 UTC, DownloadedAt: 2023-05-12 13:00:34.506527185 +0000 UTC
2023-05-12T16:10:07.500+0100    INFO    Vulnerability scanning is enabled
2023-05-12T16:10:07.500+0100    DEBUG   Vulnerability type:  [os library]
2023-05-12T16:10:07.500+0100    INFO    Secret scanning is enabled
2023-05-12T16:10:07.500+0100    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-12T16:10:07.500+0100    INFO    Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
2023-05-12T16:10:07.501+0100    DEBUG   No secret config detected: trivy-secret.yaml
2023-05-12T16:10:07.501+0100    DEBUG   Image ID: sha256:0120ea4307c597784895e9f539a67d88239d2c71ebfa830195fa2a650e4f3b5d
2023-05-12T16:10:07.501+0100    DEBUG   Diff IDs: [sha256:196e4094745f93ca7846d3e31b9d2b7b10b5d8d4fe06a755bd4b82b7d58b7660]
2023-05-12T16:10:07.501+0100    DEBUG   Base Layers: []
2023-05-12T16:10:07.502+0100    DEBUG   Missing image ID in cache: sha256:0120ea4307c597784895e9f539a67d88239d2c71ebfa830195fa2a650e4f3b5d
2023-05-12T16:10:07.502+0100    DEBUG   Missing diff ID in cache: sha256:196e4094745f93ca7846d3e31b9d2b7b10b5d8d4fe06a755bd4b82b7d58b7660
2023-05-12T16:10:07.880+0100    DEBUG   Skipping directory: dev
2023-05-12T16:10:07.888+0100    DEBUG   Skipping directory: proc
2023-05-12T16:10:07.889+0100    DEBUG   Skipping directory: sys
2023-05-12T16:10:08.555+0100    DEBUG   No secrets found in container image config
2023-05-12T16:10:08.567+0100    INFO    Detected OS: ubuntu
2023-05-12T16:10:08.567+0100    WARN    This OS version is not on the EOL list: ubuntu 23.04
2023-05-12T16:10:08.567+0100    INFO    Detecting Ubuntu vulnerabilities...
2023-05-12T16:10:08.567+0100    DEBUG   ubuntu: os version: 23.04
2023-05-12T16:10:08.567+0100    DEBUG   ubuntu: the number of packages: 90
2023-05-12T16:10:08.567+0100    INFO    Number of language-specific files: 0
2023-05-12T16:10:08.568+0100    WARN    This OS version is no longer supported by the distribution: ubuntu 23.04
2023-05-12T16:10:08.568+0100    WARN    The vulnerability detection may be insufficient because security updates are not provided

docker.io/library/ubuntu:23.04 (ubuntu 23.04)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

After, with no such warning:

$ go run cmd/trivy/main.go i docker.io/library/ubuntu:23.04 --debug
2023-05-12T16:11:39.836+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-05-12T16:11:39.851+0100    DEBUG   cache dir:  /home/csn/.cache/trivy
2023-05-12T16:11:39.852+0100    DEBUG   DB update was skipped because the local DB is the latest
2023-05-12T16:11:39.852+0100    DEBUG   DB Schema: 2, UpdatedAt: 2023-05-12 12:08:07.502836604 +0000 UTC, NextUpdate: 2023-05-12 18:08:07.502836204 +0000 UTC, DownloadedAt: 2023-05-12 13:00:34.506527185 +0000 UTC
2023-05-12T16:11:39.852+0100    INFO    Vulnerability scanning is enabled
2023-05-12T16:11:39.852+0100    DEBUG   Vulnerability type:  [os library]
2023-05-12T16:11:39.852+0100    INFO    Secret scanning is enabled
2023-05-12T16:11:39.852+0100    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-12T16:11:39.852+0100    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2023-05-12T16:11:39.856+0100    DEBUG   No secret config detected: trivy-secret.yaml
2023-05-12T16:11:39.856+0100    DEBUG   Image ID: sha256:0120ea4307c597784895e9f539a67d88239d2c71ebfa830195fa2a650e4f3b5d
2023-05-12T16:11:39.856+0100    DEBUG   Diff IDs: [sha256:196e4094745f93ca7846d3e31b9d2b7b10b5d8d4fe06a755bd4b82b7d58b7660]
2023-05-12T16:11:39.856+0100    DEBUG   Base Layers: []
2023-05-12T16:11:39.864+0100    INFO    Detected OS: ubuntu
2023-05-12T16:11:39.864+0100    INFO    Detecting Ubuntu vulnerabilities...
2023-05-12T16:11:39.864+0100    DEBUG   ubuntu: os version: 23.04
2023-05-12T16:11:39.864+0100    DEBUG   ubuntu: the number of packages: 90
2023-05-12T16:11:39.864+0100    INFO    Number of language-specific files: 0

docker.io/library/ubuntu:23.04 (ubuntu 23.04)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
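The decision behind the before/after runs above, as an added example in Go (not Trivy's own code): a version missing from the EOL table is warned about and treated as unsupported, while a listed version is compared against its EOL date at scan time. The table, the nine-month rule for interim releases (the PR description's assumption), the five-year figure used for the LTS entry, and all function names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"time"
)

// SupportStatus is the outcome of looking a detected OS version up in an
// end-of-life (EOL) table.
type SupportStatus int

const (
	Supported SupportStatus = iota // listed, EOL date still in the future
	EndOfLife                      // listed, EOL date has passed
	NotOnList                      // not listed: treated as unsupported
)

func (s SupportStatus) String() string {
	switch s {
	case Supported:
		return "supported"
	case EndOfLife:
		return "end-of-life"
	default:
		return "not on EOL list"
	}
}

// AssumedEOL applies the assumption from the PR description: support ends a
// fixed number of months after the release date (nine for an interim Ubuntu
// release), not at the end of that month. The result is the last instant of
// that day in UTC, so a scan on the EOL day itself still counts as supported.
func AssumedEOL(release time.Time, months int) time.Time {
	d := release.AddDate(0, months, 0)
	return time.Date(d.Year(), d.Month(), d.Day(), 23, 59, 59, 0, time.UTC)
}

// ubuntuEOL is a constructed table for this example, not Trivy's data.
// Only the 23.04 entry corresponds to the change made by this PR.
var ubuntuEOL = map[string]time.Time{
	"22.04": AssumedEOL(time.Date(2022, 4, 21, 0, 0, 0, 0, time.UTC), 60), // LTS: assumed five years
	"22.10": AssumedEOL(time.Date(2022, 10, 20, 0, 0, 0, 0, time.UTC), 9),
	"23.04": AssumedEOL(time.Date(2023, 4, 20, 0, 0, 0, 0, time.UTC), 9), // 2024-01-20
}

// CheckSupport is the decision behind the log lines: an unknown version is
// reported as not on the EOL list and treated as unsupported, so adding the
// table entry is what silences the warning.
func CheckSupport(eol map[string]time.Time, version string, now time.Time) SupportStatus {
	until, ok := eol[version]
	if !ok {
		return NotOnList
	}
	if now.After(until) {
		return EndOfLife
	}
	return Supported
}

// Warnings renders a status as the warning lines a scanner would print; an
// empty slice means the version is supported.
func Warnings(family, version string, s SupportStatus) []string {
	var w []string
	if s == NotOnList {
		w = append(w, fmt.Sprintf("This OS version is not on the EOL list: %s %s", family, version))
	}
	if s != Supported {
		w = append(w,
			fmt.Sprintf("This OS version is no longer supported by the distribution: %s %s", family, version),
			"The vulnerability detection may be insufficient because security updates are not provided")
	}
	return w
}

func main() {
	scanTime := time.Date(2023, 5, 12, 15, 10, 8, 0, time.UTC) // time of the "before" run
	withoutEntry := map[string]time.Time{"22.04": ubuntuEOL["22.04"], "22.10": ubuntuEOL["22.10"]}
	cases := []struct {
		name  string
		table map[string]time.Time
	}{{"before", withoutEntry}, {"after", ubuntuEOL}}
	for _, c := range cases {
		s := CheckSupport(c.table, "23.04", scanTime)
		fmt.Printf("%s: ubuntu 23.04 is %s\n", c.name, s)
		for _, line := range Warnings("ubuntu", "23.04", s) {
			fmt.Println("  WARN", line)
		}
	}
	fmt.Println("assumed EOL for 23.04:", ubuntuEOL["23.04"].Format("2006-01-02"))
}
```

Running it prints the three warnings for the "before" table and none for the "after" table; the 23.04 entry evaluates to 2024-01-20, the date the description derives.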

@knqyf263 (Collaborator) commented May 14, 2023

Thanks for your contribution!

As I commented here (#4298 (comment)), we also need to update trivy-db.

It would be great if you open a PR in trivy-db and update the version in go.mod in this PR after the PR gets merged.

@chrisnovakovic (Contributor, Author)

Will do!

@chrisnovakovic (Contributor, Author) commented May 15, 2023

Manually verified that the latest prod Trivy DB has the data for Lunar from the Ubuntu CVE Tracker, using an image containing a version of the git package that's vulnerable to three CVEs that were recently fixed in lunar-security:

$ cat Dockerfile.ubuntu-test
FROM ubuntu:23.04

RUN echo "deb http://archive.ubuntu.com/ubuntu/ lunar main restricted" >/etc/apt/sources.list && \
    apt-get update && \
    apt-get install -y git

$ cat Dockerfile.ubuntu-test | docker build -t ubuntu-23.04-gitvuln -
$ docker run -it ubuntu-23.04-gitvuln:latest dpkg-query -W git
git     1:2.39.2-1ubuntu1
$ go run cmd/trivy/main.go i ubuntu-23.04-gitvuln:latest --debug
2023-05-15T22:38:50.443+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-05-15T22:38:50.450+0100    DEBUG   cache dir:  /home/csn/.cache/trivy
2023-05-15T22:38:50.450+0100    DEBUG   DB update was skipped because the local DB is the latest
2023-05-15T22:38:50.450+0100    DEBUG   DB Schema: 2, UpdatedAt: 2023-05-15 18:08:12.492324475 +0000 UTC, NextUpdate: 2023-05-16 00:08:12.492323975 +0000 UTC, DownloadedAt: 2023-05-15 21:38:28.532744346 +0000 UTC
2023-05-15T22:38:50.451+0100    INFO    Vulnerability scanning is enabled
2023-05-15T22:38:50.451+0100    DEBUG   Vulnerability type:  [os library]
2023-05-15T22:38:50.451+0100    INFO    Secret scanning is enabled
2023-05-15T22:38:50.451+0100    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-15T22:38:50.451+0100    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2023-05-15T22:38:50.454+0100    DEBUG   No secret config detected: trivy-secret.yaml
2023-05-15T22:38:50.454+0100    DEBUG   Image ID: sha256:e7dd36bf8fc22620391b1c4c9f7ca012bd432f06cc9c9ceb90155e45f124159a
2023-05-15T22:38:50.454+0100    DEBUG   Diff IDs: [sha256:196e4094745f93ca7846d3e31b9d2b7b10b5d8d4fe06a755bd4b82b7d58b7660 sha256:eb4c086a6b19d0f97203508ed25543af53d8cbe1f1d44d5e6400f8c51c8fbe8c]
2023-05-15T22:38:50.454+0100    DEBUG   Base Layers: [sha256:196e4094745f93ca7846d3e31b9d2b7b10b5d8d4fe06a755bd4b82b7d58b7660]
2023-05-15T22:38:50.459+0100    INFO    Detected OS: ubuntu
2023-05-15T22:38:50.459+0100    INFO    Detecting Ubuntu vulnerabilities...
2023-05-15T22:38:50.459+0100    DEBUG   ubuntu: os version: 23.04
2023-05-15T22:38:50.459+0100    DEBUG   ubuntu: the number of packages: 137
2023-05-15T22:38:50.460+0100    INFO    Number of language-specific files: 0

ubuntu-23.04-gitvuln:latest (ubuntu 23.04)

Total: 26 (UNKNOWN: 0, LOW: 20, MEDIUM: 6, HIGH: 0, CRITICAL: 0)

[...]
├────────────────┼──────────────────┼──────────┼───────────────────────┼─────────────────────┼─────────────────────────────────────────────────────────────┤
│ git            │ CVE-2023-25652   │ MEDIUM   │ 1:2.39.2-1ubuntu1     │ 1:2.39.2-1ubuntu1.1 │ by feeding specially crafted input to `git apply --reject`, │
│                │                  │          │                       │                     │ a path outside...                                           │
│                │                  │          │                       │                     │ https://avd.aquasec.com/nvd/cve-2023-25652                  │
│                ├──────────────────┤          │                       │                     ├─────────────────────────────────────────────────────────────┤
│                │ CVE-2023-25815   │          │                       │                     │ malicious placement of crafted messages when git was        │
│                │                  │          │                       │                     │ compiled with runtime prefix...                             │
│                │                  │          │                       │                     │ https://avd.aquasec.com/nvd/cve-2023-25815                  │
│                ├──────────────────┤          │                       │                     ├─────────────────────────────────────────────────────────────┤
│                │ CVE-2023-29007   │          │                       │                     │ arbitrary configuration injection when renaming or deleting │
│                │                  │          │                       │                     │ a section from a configuration...                           │
│                │                  │          │                       │                     │ https://avd.aquasec.com/nvd/cve-2023-29007                  │
│                ├──────────────────┼──────────┤                       ├─────────────────────┼─────────────────────────────────────────────────────────────┤
[...]

@knqyf263 (Collaborator) left a comment

Thanks!

@knqyf263 knqyf263 merged commit ea5fd75 into aquasecurity:main May 16, 2023
8 checks passed