Add container security audit? #6
Comments
Sounds good. I've typically named workflows of this shape into an "audit" GitHub Actions workflow so it can be set to run periodically as well as on PRs + master pushes. See https://github.com/artichoke/artichoke/blob/6648914ecc5687b9b8187b0f06b19d4fa749f462/.github/workflows/audit.yaml for an example
@lopopolo Shouldn't we make it a part of the image workflow though? I'm thinking of the scenario if we have a critical vulnerability in the image - we would want to gate the push in that case, no? Or are you thinking of something else here?
Oh I see. Isn't it likely that many past nightly builds will also be vulnerable to the same defects? What value is there in blocking nightlies only once a vuln has been discovered?
There is, of course, a scenario where there would be a vulnerability that affects all the images in the past, but I think there's value in not letting out nightlies if we managed to introduce one (e.g. building on a new target that ends up insecure, adding a runtime dep that's insecure, etc.) Or do you think the benefit is marginal? (which is fair)
Oh I see. Gating builds on detected vulns is kinda like being a good citizen and not spewing out more vulnerable software. In that case, this seems like a good build step to add 🙂
I took a peek at this, and it looks like this is not practical to run in CI. These are the results of running
$ trivy image artichokeruby/artichoke
2021-10-02T10:31:59.203-0700 INFO Detected OS: ubuntu
2021-10-02T10:31:59.203-0700 INFO Detecting Ubuntu vulnerabilities...
2021-10-02T10:31:59.204-0700 INFO Number of language-specific files: 0
artichokeruby/artichoke (ubuntu 20.04)
======================================
Total: 22 (UNKNOWN: 0, LOW: 22, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+------------+------------------+----------+--------------------------+---------------+-----------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+------------+------------------+----------+--------------------------+---------------+-----------------------------------------+
| bash | CVE-2019-18276 | LOW | 5.0-6ubuntu1.1 | | bash: when effective UID is not |
| | | | | | equal to its real UID the... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-18276 |
+------------+------------------+ +--------------------------+---------------+-----------------------------------------+
| coreutils | CVE-2016-2781 | | 8.30-3ubuntu2 | | coreutils: Non-privileged |
| | | | | | session can escape to the |
| | | | | | parent session in chroot |
| | | | | | -->avd.aquasec.com/nvd/cve-2016-2781 |
+------------+------------------+ +--------------------------+---------------+-----------------------------------------+
| libc-bin | CVE-2016-10228 | | 2.31-0ubuntu9.2 | | glibc: iconv program can hang |
| | | | | | when invoked with the -c option |
| | | | | | -->avd.aquasec.com/nvd/cve-2016-10228 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-25013 | | | | glibc: buffer over-read in |
| | | | | | iconv when processing invalid |
| | | | | | multi-byte input sequences in... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-25013 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2020-27618 | | | | glibc: iconv when processing |
| | | | | | invalid multi-byte input |
| | | | | | sequences fails to advance the... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-27618 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2020-29562 | | | | glibc: assertion failure in iconv |
| | | | | | when converting invalid UCS4 |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-29562 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2020-6096 | | | | glibc: signed comparison |
| | | | | | vulnerability in the |
| | | | | | ARMv7 memcpy function |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-6096 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-27645 | | | | glibc: Use-after-free in |
| | | | | | addgetnetgrentX function |
| | | | | | in netgroupcache.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-27645 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-3326 | | | | glibc: Assertion failure in |
| | | | | | ISO-2022-JP-3 gconv module |
| | | | | | related to combining characters |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3326 |
+------------+------------------+ + +---------------+-----------------------------------------+
| libc6 | CVE-2016-10228 | | | | glibc: iconv program can hang |
| | | | | | when invoked with the -c option |
| | | | | | -->avd.aquasec.com/nvd/cve-2016-10228 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-25013 | | | | glibc: buffer over-read in |
| | | | | | iconv when processing invalid |
| | | | | | multi-byte input sequences in... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-25013 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2020-27618 | | | | glibc: iconv when processing |
| | | | | | invalid multi-byte input |
| | | | | | sequences fails to advance the... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-27618 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2020-29562 | | | | glibc: assertion failure in iconv |
| | | | | | when converting invalid UCS4 |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-29562 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2020-6096 | | | | glibc: signed comparison |
| | | | | | vulnerability in the |
| | | | | | ARMv7 memcpy function |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-6096 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-27645 | | | | glibc: Use-after-free in |
| | | | | | addgetnetgrentX function |
| | | | | | in netgroupcache.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-27645 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-3326 | | | | glibc: Assertion failure in |
| | | | | | ISO-2022-JP-3 gconv module |
| | | | | | related to combining characters |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3326 |
+------------+------------------+ +--------------------------+---------------+-----------------------------------------+
| libpcre3 | CVE-2017-11164 | | 2:8.39-12build1 | | pcre: OP_KETRMAX feature in the |
| | | | | | match function in pcre_exec.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-11164 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-20838 | | | | pcre: buffer over-read in |
| | | | | | JIT when UTF is disabled |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-20838 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2020-14155 | | | | pcre: integer overflow in libpcre |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-14155 |
+------------+------------------+ +--------------------------+---------------+-----------------------------------------+
| libtasn1-6 | CVE-2018-1000654 | | 4.16.0-2 | | libtasn1: Infinite loop in |
| | | | | | _asn1_expand_object_id(ptree) |
| | | | | | leads to memory exhaustion |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-1000654 |
+------------+------------------+ +--------------------------+---------------+-----------------------------------------+
| login | CVE-2013-4235 | | 1:4.8.1-1ubuntu5.20.04.1 | | shadow-utils: TOCTOU race |
| | | | | | conditions by copying and |
| | | | | | removing directory trees |
| | | | | | -->avd.aquasec.com/nvd/cve-2013-4235 |
+------------+ + + +---------------+ +
| passwd | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+------------+------------------+----------+--------------------------+---------------+-----------------------------------------+
$ trivy image artichokeruby/artichoke:alpine-nightly
2021-10-02T10:32:43.308-0700 INFO Detected OS: alpine
2021-10-02T10:32:43.308-0700 INFO Detecting Alpine vulnerabilities...
2021-10-02T10:32:43.309-0700 INFO Number of language-specific files: 0
artichokeruby/artichoke:alpine-nightly (alpine 3.14.2)
======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
$ trivy image artichokeruby/artichoke:slim-nightly
2021-10-02T10:32:51.869-0700 INFO Detected OS: debian
2021-10-02T10:32:51.870-0700 INFO Detecting Debian vulnerabilities...
2021-10-02T10:32:51.880-0700 INFO Number of language-specific files: 0
artichokeruby/artichoke:slim-nightly (debian 11.0)
==================================================
Total: 65 (UNKNOWN: 0, LOW: 12, MEDIUM: 27, HIGH: 22, CRITICAL: 4)
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| apt | CVE-2011-3374 | LOW | 2.2.4 | | It was found that apt-key in apt, |
| | | | | | all versions, do not correctly... |
| | | | | | -->avd.aquasec.com/nvd/cve-2011-3374 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| coreutils | CVE-2016-2781 | MEDIUM | 8.32-4 | | coreutils: Non-privileged |
| | | | | | session can escape to the |
| | | | | | parent session in chroot |
| | | | | | -->avd.aquasec.com/nvd/cve-2016-2781 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2017-18018 | | | | coreutils: race condition |
| | | | | | vulnerability in chown and chgrp |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-18018 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libapt-pkg6.0 | CVE-2011-3374 | LOW | 2.2.4 | | It was found that apt-key in apt, |
| | | | | | all versions, do not correctly... |
| | | | | | -->avd.aquasec.com/nvd/cve-2011-3374 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libc-bin | CVE-2019-1010022 | CRITICAL | 2.31-13 | | glibc: stack guard protection bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-33574 | | | | glibc: mq_notify does |
| | | | | | not handle separately |
| | | | | | allocated thread attributes |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-33574 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2018-20796 | HIGH | | | glibc: uncontrolled recursion in |
| | | | | | function check_dst_limits_calc_pos_1 |
| | | | | | in posix/regexec.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20796 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010023 | | | | glibc: running ldd on malicious ELF |
| | | | | | leads to code execution because of... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010023 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-9192 | | | | glibc: uncontrolled recursion in |
| | | | | | function check_dst_limits_calc_pos_1 |
| | | | | | in posix/regexec.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-9192 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2010-4051 | MEDIUM | | | CVE-2010-4052 glibc: De-recursivise |
| | | | | | regular expression engine |
| | | | | | -->avd.aquasec.com/nvd/cve-2010-4051 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2010-4052 | | | | CVE-2010-4051 CVE-2010-4052 |
| | | | | | glibc: De-recursivise |
| | | | | | regular expression engine |
| | | | | | -->avd.aquasec.com/nvd/cve-2010-4052 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2010-4756 | | | | glibc: glob implementation |
| | | | | | can cause excessive CPU and |
| | | | | | memory consumption due to... |
| | | | | | -->avd.aquasec.com/nvd/cve-2010-4756 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010024 | | | | glibc: ASLR bypass using |
| | | | | | cache of thread stack and heap |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010024 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010025 | | | | glibc: information disclosure of heap |
| | | | | | addresses of pthread_created thread |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010025 |
+------------------+------------------+----------+ +---------------+-----------------------------------------+
| libc6 | CVE-2019-1010022 | CRITICAL | | | glibc: stack guard protection bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-33574 | | | | glibc: mq_notify does |
| | | | | | not handle separately |
| | | | | | allocated thread attributes |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-33574 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2018-20796 | HIGH | | | glibc: uncontrolled recursion in |
| | | | | | function check_dst_limits_calc_pos_1 |
| | | | | | in posix/regexec.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20796 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010023 | | | | glibc: running ldd on malicious ELF |
| | | | | | leads to code execution because of... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010023 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-9192 | | | | glibc: uncontrolled recursion in |
| | | | | | function check_dst_limits_calc_pos_1 |
| | | | | | in posix/regexec.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-9192 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2010-4051 | MEDIUM | | | CVE-2010-4052 glibc: De-recursivise |
| | | | | | regular expression engine |
| | | | | | -->avd.aquasec.com/nvd/cve-2010-4051 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2010-4052 | | | | CVE-2010-4051 CVE-2010-4052 |
| | | | | | glibc: De-recursivise |
| | | | | | regular expression engine |
| | | | | | -->avd.aquasec.com/nvd/cve-2010-4052 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2010-4756 | | | | glibc: glob implementation |
| | | | | | can cause excessive CPU and |
| | | | | | memory consumption due to... |
| | | | | | -->avd.aquasec.com/nvd/cve-2010-4756 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010024 | | | | glibc: ASLR bypass using |
| | | | | | cache of thread stack and heap |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010024 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010025 | | | | glibc: information disclosure of heap |
| | | | | | addresses of pthread_created thread |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010025 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libgcrypt20 | CVE-2018-6829 | HIGH | 1.8.7-6 | | libgcrypt: ElGamal implementation |
| | | | | | doesn't have semantic security due |
| | | | | | to incorrectly encoded plaintexts... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-6829 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2021-40528 | MEDIUM | | | libgcrypt: ElGamal implementation |
| | | | | | allows plaintext recovery |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-40528 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| libgnutls30 | CVE-2011-3389 | | 3.7.1-5 | | HTTPS: block-wise chosen-plaintext |
| | | | | | attack against SSL/TLS (BEAST) |
| | | | | | -->avd.aquasec.com/nvd/cve-2011-3389 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libgssapi-krb5-2 | CVE-2018-5709 | HIGH | 1.18.3-6 | | krb5: integer overflow |
| | | | | | in dbentry->n_key_data |
| | | | | | in kadmin/dbutil/dump.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-5709 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2021-37750 | MEDIUM | | | krb5: NULL pointer dereference |
| | | | | | in process_tgs_req() in |
| | | | | | kdc/do_tgs_req.c via a FAST inner... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-37750 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2004-0971 | LOW | | | security flaw |
| | | | | | -->avd.aquasec.com/nvd/cve-2004-0971 |
+------------------+------------------+----------+ +---------------+-----------------------------------------+
| libk5crypto3 | CVE-2018-5709 | HIGH | | | krb5: integer overflow |
| | | | | | in dbentry->n_key_data |
| | | | | | in kadmin/dbutil/dump.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-5709 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2021-37750 | MEDIUM | | | krb5: NULL pointer dereference |
| | | | | | in process_tgs_req() in |
| | | | | | kdc/do_tgs_req.c via a FAST inner... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-37750 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2004-0971 | LOW | | | security flaw |
| | | | | | -->avd.aquasec.com/nvd/cve-2004-0971 |
+------------------+------------------+----------+ +---------------+-----------------------------------------+
| libkrb5-3 | CVE-2018-5709 | HIGH | | | krb5: integer overflow |
| | | | | | in dbentry->n_key_data |
| | | | | | in kadmin/dbutil/dump.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-5709 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2021-37750 | MEDIUM | | | krb5: NULL pointer dereference |
| | | | | | in process_tgs_req() in |
| | | | | | kdc/do_tgs_req.c via a FAST inner... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-37750 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2004-0971 | LOW | | | security flaw |
| | | | | | -->avd.aquasec.com/nvd/cve-2004-0971 |
+------------------+------------------+----------+ +---------------+-----------------------------------------+
| libkrb5support0 | CVE-2018-5709 | HIGH | | | krb5: integer overflow |
| | | | | | in dbentry->n_key_data |
| | | | | | in kadmin/dbutil/dump.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-5709 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2021-37750 | MEDIUM | | | krb5: NULL pointer dereference |
| | | | | | in process_tgs_req() in |
| | | | | | kdc/do_tgs_req.c via a FAST inner... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-37750 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2004-0971 | LOW | | | security flaw |
| | | | | | -->avd.aquasec.com/nvd/cve-2004-0971 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libpcre3 | CVE-2017-11164 | HIGH | 2:8.39-13 | | pcre: OP_KETRMAX feature in the |
| | | | | | match function in pcre_exec.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-11164 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2017-7245 | | | | pcre: stack-based buffer overflow |
| | | | | | write in pcre32_copy_substring |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-7245 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2017-7246 | | | | pcre: stack-based buffer overflow |
| | | | | | write in pcre32_copy_substring |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-7246 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-20838 | | | | pcre: buffer over-read in |
| | | | | | JIT when UTF is disabled |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-20838 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2017-16231 | MEDIUM | | | pcre: self-recursive call |
| | | | | | in match() in pcre_exec.c |
| | | | | | leads to denial of service... |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-16231 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libsepol1 | CVE-2021-36084 | LOW | 3.1-1 | | libsepol: use-after-free in |
| | | | | | __cil_verify_classperms() |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-36084 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-36085 | | | | libsepol: use-after-free in |
| | | | | | __cil_verify_classperms() |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-36085 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-36086 | | | | libsepol: use-after-free in |
| | | | | | cil_reset_classpermission() |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-36086 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-36087 | | | | libsepol: heap-based buffer |
| | | | | | overflow in ebitmap_match_any() |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-36087 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libssl1.1 | CVE-2007-6755 | MEDIUM | 1.1.1k-1+deb11u1 | | Dual_EC_DRBG: weak pseudo |
| | | | | | random number generator |
| | | | | | -->avd.aquasec.com/nvd/cve-2007-6755 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2010-0928 | | | | openssl: RSA authentication weakness |
| | | | | | -->avd.aquasec.com/nvd/cve-2010-0928 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| libsystemd0 | CVE-2020-13529 | | 247.3-6 | | systemd: DHCP FORCERENEW |
| | | | | | authentication not implemented |
| | | | | | can cause a system running the... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-13529 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2013-4392 | LOW | | | systemd: TOCTOU race condition |
| | | | | | when updating file permissions |
| | | | | | and SELinux security contexts... |
| | | | | | -->avd.aquasec.com/nvd/cve-2013-4392 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libtinfo6 | CVE-2021-39537 | HIGH | 6.2+20201114-2 | | ncurses: heap-based buffer overflow |
| | | | | | in _nc_captoinfo() in captoinfo.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-39537 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libudev1 | CVE-2020-13529 | MEDIUM | 247.3-6 | | systemd: DHCP FORCERENEW |
| | | | | | authentication not implemented |
| | | | | | can cause a system running the... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-13529 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2013-4392 | LOW | | | systemd: TOCTOU race condition |
| | | | | | when updating file permissions |
| | | | | | and SELinux security contexts... |
| | | | | | -->avd.aquasec.com/nvd/cve-2013-4392 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| login | CVE-2019-19882 | HIGH | 1:4.8.1-1 | | shadow-utils: local users can |
| | | | | | obtain root access because setuid |
| | | | | | programs are misconfigured... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-19882 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2007-5686 | MEDIUM | | | initscripts in rPath Linux 1 |
| | | | | | sets insecure permissions for |
| | | | | | the /var/log/btmp file,... |
| | | | | | -->avd.aquasec.com/nvd/cve-2007-5686 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2013-4235 | | | | shadow-utils: TOCTOU race |
| | | | | | conditions by copying and |
| | | | | | removing directory trees |
| | | | | | -->avd.aquasec.com/nvd/cve-2013-4235 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| ncurses-base | CVE-2021-39537 | HIGH | 6.2+20201114-2 | | ncurses: heap-based buffer overflow |
| | | | | | in _nc_captoinfo() in captoinfo.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-39537 |
+------------------+ + + +---------------+ +
| ncurses-bin | | | | | |
| | | | | | |
| | | | | | |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| passwd | CVE-2019-19882 | | 1:4.8.1-1 | | shadow-utils: local users can |
| | | | | | obtain root access because setuid |
| | | | | | programs are misconfigured... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-19882 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2007-5686 | MEDIUM | | | initscripts in rPath Linux 1 |
| | | | | | sets insecure permissions for |
| | | | | | the /var/log/btmp file,... |
| | | | | | -->avd.aquasec.com/nvd/cve-2007-5686 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2013-4235 | | | | shadow-utils: TOCTOU race |
| | | | | | conditions by copying and |
| | | | | | removing directory trees |
| | | | | | -->avd.aquasec.com/nvd/cve-2013-4235 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| perl-base | CVE-2011-4116 | HIGH | 5.32.1-4+deb11u1 | | perl: File::Temp insecure |
| | | | | | temporary file handling |
| | | | | | -->avd.aquasec.com/nvd/cve-2011-4116 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| tar | CVE-2005-2541 | | 1.34+dfsg-1 | | tar: does not properly warn the user |
| | | | | | when extracting setuid or setgid... |
| | | | | | -->avd.aquasec.com/nvd/cve-2005-2541 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
@lopopolo FWIW this is not about all vulnerabilities. Usually one sets CI to Thanks again for this awesome project ❤️
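A severity-threshold gate of the kind this thread is discussing, as an added example that is not code from the issue, the artichoke project or Trivy: it parses the JSON report that `trivy image --format json IMAGE` emits (field names `Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity` are Trivy's report format) and returns the findings that should block a push. The sample report is constructed from a few rows of the scan output above plus one made-up fixed finding (`libfoo`, `CVE-2021-00000`, a placeholder) so the gate has something to block; every finding in the real output above has an empty FIXED VERSION, which is exactly why an `ignore_unfixed` policy turns a 65-finding scan into a passing build. Trivy's own `--severity`, `--exit-code` and `--ignore-unfixed` flags implement the same policy natively; the point of the script is to show what that policy decides, and that the scanner's `Total` counts one finding per package, so the same glibc CVE is counted twice (libc-bin and libc6) and each krb5 CVE four times.

```python
"""Severity-threshold gate over a Trivy JSON report (hypothetical helper)."""
import json
import subprocess
from collections import Counter
from dataclasses import dataclass

# Trivy's severity levels, lowest to highest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    installed: str
    fixed: str        # empty when the distro has no fixed version yet
    severity: str


def trivy_argv(image: str) -> list:
    """Command line that produces the JSON this module parses."""
    return ["trivy", "image", "--format", "json", "--quiet", image]


def parse_report(report: dict) -> list:
    """Flatten Trivy's Results[].Vulnerabilities[] into Finding records."""
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                cve=v["VulnerabilityID"],
                package=v["PkgName"],
                installed=v.get("InstalledVersion", ""),
                fixed=v.get("FixedVersion", ""),
                severity=v.get("Severity", "UNKNOWN").upper(),
            ))
    return findings


def summarize(findings: list) -> str:
    """Same shape as the 'Total: N (UNKNOWN: .., LOW: .., ...)' line trivy prints."""
    counts = Counter(f.severity for f in findings)
    parts = ", ".join(f"{s}: {counts.get(s, 0)}" for s in SEVERITY_ORDER)
    return f"Total: {len(findings)} ({parts})"


def unique_cves(findings: list) -> list:
    """Distinct CVE ids; Trivy counts one finding per (package, CVE) pair."""
    return sorted({f.cve for f in findings})


def gate(findings: list, threshold: str = "HIGH", ignore_unfixed: bool = True) -> list:
    """Findings that violate policy; an empty list means the push may proceed."""
    floor = SEVERITY_ORDER.index(threshold)
    blocking = []
    for f in findings:
        if SEVERITY_ORDER.index(f.severity) < floor:
            continue                      # below the threshold
        if ignore_unfixed and not f.fixed:
            continue                      # nothing we could upgrade to anyway
        blocking.append(f)
    return blocking


def scan_image(image: str) -> list:
    """Run trivy for real (not exercised offline) and parse its report."""
    proc = subprocess.run(trivy_argv(image), check=True, capture_output=True, text=True)
    return parse_report(json.loads(proc.stdout))


def _vuln(cve, pkg, installed, severity, fixed=""):
    return {"VulnerabilityID": cve, "PkgName": pkg, "InstalledVersion": installed,
            "FixedVersion": fixed, "Severity": severity}


# Constructed sample report: four rows taken from the slim-nightly scan above,
# plus one placeholder finding (libfoo / CVE-2021-00000) that does have a fix.
SAMPLE_REPORT = {"Results": [{"Target": "example (debian 11.0)", "Vulnerabilities": [
    _vuln("CVE-2011-3374", "apt", "2.2.4", "LOW"),
    _vuln("CVE-2019-1010022", "libc-bin", "2.31-13", "CRITICAL"),
    _vuln("CVE-2019-1010022", "libc6", "2.31-13", "CRITICAL"),
    _vuln("CVE-2021-39537", "libtinfo6", "6.2+20201114-2", "HIGH"),
    _vuln("CVE-2021-00000", "libfoo", "1.0-1", "HIGH", fixed="1.2.3-1"),  # placeholder
]}]}

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarize(found))
    print("distinct CVEs:", len(unique_cves(found)))
    for f in gate(found, "HIGH", ignore_unfixed=True):
        print(f"BLOCK {f.package} {f.cve} {f.severity} (fix: {f.fixed})")
```

With `ignore_unfixed=True` only the placeholder finding blocks; with it set to `False` the two CRITICAL glibc rows and the ncurses HIGH block as well, and the distinct-CVE count is one lower than the finding count because libc-bin and libc6 carry the same id.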
I'm thinking of adding a container security audit to the CI process, e.g.: https://github.com/aquasecurity/trivy
WDYT?