Alpine binary packages are not matched to source vulnerabilities #1540

Closed
Kieran-Muller opened this issue Mar 24, 2022 · 5 comments

@Kieran-Muller

Description of Problem / Feature Request

I'm using a vulnerable version of Alpine (3.10.2) which uses a vulnerable version of libcrypto1.1 as a subpackage of the openssl package.

Expected Outcome

I would expect the package libcrypto1.1 to be listed in the vulnerabilities and openssl to be listed in the packages.

Actual Outcome

The libcrypto1.1 package appears as such in the report.

"1974606": {
  "id": "1974606",
  "name": "libcrypto1.1",
  "version": "1.1.1c-r0",
  "kind": "binary",
  "source": {
    "id": "1974605",
    "name": "openssl",
    "version": "1.1.1c-r0",
    "kind": "source"
  },
  "arch": "x86_64"
},

However, there is no entry for openssl in the report.

Taking a look at the database, it would seem that there is only vulnerability data on binary packages for Alpine.

SELECT * FROM public.vuln WHERE dist_id='alpine' AND package_kind='source'

This query returned 0 results.

When looking for the CVE `` for Alpine, there are results in the database, but the package_kind is `binary`.

SELECT * FROM public.vuln WHERE dist_id='alpine' AND name='CVE-2019-1549'

This did return results for openssl and openssl3; however, the package_kind is binary.

It would seem that it is a somewhat similar problem to what was found with Debian in this issue: #1270

Environment

  • Clair version/image: 4.4.0
  • Clair client name/version:
  • Host OS: UBI 8
  • Kernel (e.g. uname -a):
  • Kubernetes version (use kubectl version): 1.20
  • Network/Firewall setup:
@crozzy
Collaborator

crozzy commented May 10, 2022

  "vulnerabilities": {
    "4300623": {
      "id": "4300623",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2021-30139",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30139",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "apk-tools",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "2.10.6-r0"
    },
    "4300624": {
      "id": "4300624",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2021-36159",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36159",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "apk-tools",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "2.10.7-r0"
    },
    "4300690": {
      "id": "4300690",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2021-28831",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "busybox",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.30.1-r5"
    },
    "4301319": {
      "id": "4301319",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2020-28928",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28928",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "musl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.22-r4"
    },
    "4301417": {
      "id": "4301417",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2019-1547",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1d-r0"
    },
    "4301418": {
      "id": "4301418",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2019-1549",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1d-r0"
    },
    "4301419": {
      "id": "4301419",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2019-1563",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1d-r0"
    },
    "4301420": {
      "id": "4301420",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2019-1551",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1d-r2"
    },
    "4301421": {
      "id": "4301421",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2020-1967",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1967",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1g-r0"
    },
    "4301422": {
      "id": "4301422",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2020-1971",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1i-r0"
    },
    "4301423": {
      "id": "4301423",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2021-23841",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23841",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1j-r0"
    },
    "4301424": {
      "id": "4301424",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2021-23840",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23840",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1j-r0"
    },
    "4301425": {
      "id": "4301425",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2021-23839",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23839",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1j-r0"
    },
    "4301426": {
      "id": "4301426",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2021-3449",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1k-r0"
    },
    "4301427": {
      "id": "4301427",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2021-3450",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3450",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1k-r0"
    }
  },

The following are results for the container assuming the vulnerabilities reported in alpine feeds are all source vulnerabilities (and ingesting them accordingly). Still need to do some validation on how alpine is reporting these (@kaniini seems to have some insight into how the alpine feed is generated).

@crozzy
Collaborator

crozzy commented May 10, 2022

/ # wget https://secdb.alpinelinux.org/v3.10/main.json
/ # for i in $(cat main.json | jq .packages[].pkg.name | xargs echo | sed 's/ /\n/g'); do cat /lib/apk/db/installed | grep o:$i$; done
o:apk-tools
o:busybox
o:busybox #P:ssl_client
o:jq
o:musl
o:musl #P:musl-utils
o:oniguruma
o:openssl #P:libcrypto1.1
o:openssl #P:libssl1.1
/ # for i in $(cat main.json | jq .packages[].pkg.name | xargs echo | sed 's/ /\n/g'); do cat /lib/apk/db/installed | grep P:$i$; done
P:apk-tools
P:busybox
P:jq
P:musl
P:oniguruma

This is how the hit-rate would potentially change with a fresh alpine:3.10.2 (with jq installed); this feels right so far.

@kaniini

kaniini commented May 11, 2022

@crozzy your assumptions are correct as usual, clair should match against the origin fields!
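The origin-based matching that crozzy's shell loop checks and kaniini endorses, as an added Go example that is not part of this thread or of Clair's code: it parses constructed /lib/apk/db/installed-style records and compares each installed package with secdb-style source advisories once by binary name (P:) and once by origin (o:). The sample records and the two advisories are constructed from values in the thread; ParseInstalled, Match, ByName and ByOrigin are names chosen here.

```go
package main

import (
	"fmt"
	"strings"
)

// InstalledPkg is one /lib/apk/db/installed record: P: binary name, V: version, o: source (origin) package.
type InstalledPkg struct{ Name, Version, Origin string }
// Vuln is a secdb-style advisory; Alpine advisories name the source package, not the binary.
type Vuln struct{ Source, CVE, FixedIn string }

// ParseInstalled reads the apk installed-db format: blank-line-separated records of "<key>:<value>" lines.
func ParseInstalled(db string) []InstalledPkg {
	var pkgs []InstalledPkg
	for _, rec := range strings.Split(strings.TrimSpace(db), "\n\n") {
		f := map[string]string{}
		for _, line := range strings.Split(rec, "\n") {
			if kv := strings.SplitN(line, ":", 2); len(kv) == 2 {
				f[kv[0]] = kv[1]
			}
		}
		pkgs = append(pkgs, InstalledPkg{Name: f["P"], Version: f["V"], Origin: f["o"]})
	}
	return pkgs
}

// ByName keys a package on its binary name (P:), which misses libcrypto1.1; ByOrigin keys it on o: instead.
func ByName(p InstalledPkg) string   { return p.Name }
func ByOrigin(p InstalledPkg) string { return p.Origin }

// Match returns one "binary (origin): CVE" string per advisory whose source name equals key(p).
// Version comparison is left out on purpose: only the name/kind mismatch is at issue in this thread.
func Match(pkgs []InstalledPkg, vulns []Vuln, key func(InstalledPkg) string) []string {
	var hits []string
	for _, p := range pkgs {
		for _, v := range vulns {
			if v.Source == key(p) {
				hits = append(hits, fmt.Sprintf("%s (%s): %s", p.Name, p.Origin, v.CVE))
			}
		}
	}
	return hits
}

// Constructed sample data: installed-db records for jq and the two openssl subpackages, plus two openssl advisories from the thread.
const installedDB = "P:jq\nV:1.6-r0\no:jq\n\nP:libcrypto1.1\nV:1.1.1c-r0\no:openssl\n\nP:libssl1.1\nV:1.1.1c-r0\no:openssl\n"
var vulns = []Vuln{{"openssl", "CVE-2019-1547", "1.1.1d-r0"}, {"openssl", "CVE-2019-1549", "1.1.1d-r0"}}
func main() { // prints no hits for ByName and four openssl hits for ByOrigin
	pkgs := ParseInstalled(installedDB)
	fmt.Println("by P: ->", Match(pkgs, vulns, ByName), "\nby o: ->", Match(pkgs, vulns, ByOrigin))
}
```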

@paulaldridge
Contributor

Nice @crozzy, we were considering this as well - seems like the Alpine updater should store vulnerabilities as source packages, rather than binary as it currently does, and that would resolve this issue

@hdonnay
Member

hdonnay commented Jun 16, 2022

I think this is fixed with the linked PR.

@hdonnay hdonnay closed this as completed Jun 16, 2022