Alpine binary packages are not matched to source vulnerabilities #1540
"vulnerabilities": {
"4300623": {
"id": "4300623",
"updater": "alpine-main-v3.10-updater",
"name": "CVE-2021-30139",
"description": "",
"issued": "0001-01-01T00:00:00Z",
"links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30139",
"severity": "",
"normalized_severity": "Unknown",
"package": {
"id": "",
"name": "apk-tools",
"version": "",
"kind": "source",
"normalized_version": "",
"cpe": ""
},
"distribution": {
"id": "",
"did": "alpine",
"name": "Alpine Linux",
"version": "",
"version_code_name": "",
"version_id": "3.10",
"arch": "",
"cpe": "",
"pretty_name": "Alpine Linux v3.10"
},
"repository": {
"cpe": ""
},
"fixed_in_version": "2.10.6-r0"
},
"4300624": {
"id": "4300624",
"updater": "alpine-main-v3.10-updater",
"name": "CVE-2021-36159",
"description": "",
"issued": "0001-01-01T00:00:00Z",
"links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36159",
"severity": "",
"normalized_severity": "Unknown",
"package": {
"id": "",
"name": "apk-tools",
"version": "",
"kind": "source",
"normalized_version": "",
"cpe": ""
},
"distribution": {
"id": "",
"did": "alpine",
"name": "Alpine Linux",
"version": "",
"version_code_name": "",
"version_id": "3.10",
"arch": "",
"cpe": "",
"pretty_name": "Alpine Linux v3.10"
},
"repository": {
"cpe": ""
},
"fixed_in_version": "2.10.7-r0"
},
"4300690": {
"id": "4300690",
"updater": "alpine-main-v3.10-updater",
"name": "CVE-2021-28831",
"description": "",
"issued": "0001-01-01T00:00:00Z",
"links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831",
"severity": "",
"normalized_severity": "Unknown",
"package": {
"id": "",
"name": "busybox",
"version": "",
"kind": "source",
"normalized_version": "",
"cpe": ""
},
"distribution": {
"id": "",
"did": "alpine",
"name": "Alpine Linux",
"version": "",
"version_code_name": "",
"version_id": "3.10",
"arch": "",
"cpe": "",
"pretty_name": "Alpine Linux v3.10"
},
"repository": {
"cpe": ""
},
"fixed_in_version": "1.30.1-r5"
},
"4301319": {
"id": "4301319",
"updater": "alpine-main-v3.10-updater",
"name": "CVE-2020-28928",
"description": "",
"issued": "0001-01-01T00:00:00Z",
"links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28928",
"severity": "",
"normalized_severity": "Unknown",
"package": {
"id": "",
"name": "musl",
"version": "",
"kind": "source",
"normalized_version": "",
"cpe": ""
},
"distribution": {
"id": "",
"did": "alpine",
"name": "Alpine Linux",
"version": "",
"version_code_name": "",
"version_id": "3.10",
"arch": "",
"cpe": "",
"pretty_name": "Alpine Linux v3.10"
},
"repository": {
"cpe": ""
},
"fixed_in_version": "1.1.22-r4"
},
"4301417": {
"id": "4301417",
"updater": "alpine-main-v3.10-updater",
"name": "CVE-2019-1547",
"description": "",
"issued": "0001-01-01T00:00:00Z",
"links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
"severity": "",
"normalized_severity": "Unknown",
"package": {
"id": "",
"name": "openssl",
"version": "",
"kind": "source",
"normalized_version": "",
"cpe": ""
},
"distribution": {
"id": "",
"did": "alpine",
"name": "Alpine Linux",
"version": "",
"version_code_name": "",
"version_id": "3.10",
"arch": "",
"cpe": "",
"pretty_name": "Alpine Linux v3.10"
},
"repository": {
"cpe": ""
},
"fixed_in_version": "1.1.1d-r0"
},
"4301418": {
"id": "4301418",
"updater": "alpine-main-v3.10-updater",
"name": "CVE-2019-1549",
"description": "",
"issued": "0001-01-01T00:00:00Z",
"links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
"severity": "",
"normalized_severity": "Unknown",
"package": {
"id": "",
"name": "openssl",
"version": "",
"kind": "source",
"normalized_version": "",
"cpe": ""
},
"distribution": {
"id": "",
"did": "alpine",
"name": "Alpine Linux",
"version": "",
"version_code_name": "",
"version_id": "3.10",
"arch": "",
"cpe": "",
"pretty_name": "Alpine Linux v3.10"
},
"repository": {
"cpe": ""
},
"fixed_in_version": "1.1.1d-r0"
},
"4301419": {
"id": "4301419",
"updater": "alpine-main-v3.10-updater",
"name": "CVE-2019-1563",
"description": "",
"issued": "0001-01-01T00:00:00Z",
"links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
"severity": "",
"normalized_severity": "Unknown",
"package": {
"id": "",
"name": "openssl",
"version": "",
"kind": "source",
"normalized_version": "",
"cpe": ""
},
"distribution": {
"id": "",
"did": "alpine",
"name": "Alpine Linux",
"version": "",
"version_code_name": "",
"version_id": "3.10",
"arch": "",
"cpe": "",
"pretty_name": "Alpine Linux v3.10"
},
"repository": {
"cpe": ""
},
"fixed_in_version": "1.1.1d-r0"
},
"4301420": {
"id": "4301420",
"updater": "alpine-main-v3.10-updater",
"name": "CVE-2019-1551",
"description": "",
"issued": "0001-01-01T00:00:00Z",
"links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
"severity": "",
"normalized_severity": "Unknown",
"package": {
"id": "",
"name": "openssl",
"version": "",
"kind": "source",
"normalized_version": "",
"cpe": ""
},
"distribution": {
"id": "",
"did": "alpine",
"name": "Alpine Linux",
"version": "",
"version_code_name": "",
"version_id": "3.10",
"arch": "",
"cpe": "",
"pretty_name": "Alpine Linux v3.10"
},
"repository": {
"cpe": ""
},
"fixed_in_version": "1.1.1d-r2"
},
"4301421": {
"id": "4301421",
"updater": "alpine-main-v3.10-updater",
"name": "CVE-2020-1967",
"description": "",
"issued": "0001-01-01T00:00:00Z",
"links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1967",
"severity": "",
"normalized_severity": "Unknown",
"package": {
"id": "",
"name": "openssl",
"version": "",
"kind": "source",
"normalized_version": "",
"cpe": ""
},
"distribution": {
"id": "",
"did": "alpine",
"name": "Alpine Linux",
"version": "",
"version_code_name": "",
"version_id": "3.10",
"arch": "",
"cpe": "",
"pretty_name": "Alpine Linux v3.10"
},
"repository": {
"cpe": ""
},
"fixed_in_version": "1.1.1g-r0"
},
"4301422": {
"id": "4301422",
"updater": "alpine-main-v3.10-updater",
"name": "CVE-2020-1971",
"description": "",
"issued": "0001-01-01T00:00:00Z",
"links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971",
"severity": "",
"normalized_severity": "Unknown",
"package": {
"id": "",
"name": "openssl",
"version": "",
"kind": "source",
"normalized_version": "",
"cpe": ""
},
"distribution": {
"id": "",
"did": "alpine",
"name": "Alpine Linux",
"version": "",
"version_code_name": "",
"version_id": "3.10",
"arch": "",
"cpe": "",
"pretty_name": "Alpine Linux v3.10"
},
"repository": {
"cpe": ""
},
"fixed_in_version": "1.1.1i-r0"
},
"4301423": {
"id": "4301423",
"updater": "alpine-main-v3.10-updater",
"name": "CVE-2021-23841",
"description": "",
"issued": "0001-01-01T00:00:00Z",
"links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23841",
"severity": "",
"normalized_severity": "Unknown",
"package": {
"id": "",
"name": "openssl",
"version": "",
"kind": "source",
"normalized_version": "",
"cpe": ""
},
"distribution": {
"id": "",
"did": "alpine",
"name": "Alpine Linux",
"version": "",
"version_code_name": "",
"version_id": "3.10",
"arch": "",
"cpe": "",
"pretty_name": "Alpine Linux v3.10"
},
"repository": {
"cpe": ""
},
"fixed_in_version": "1.1.1j-r0"
},
"4301424": {
"id": "4301424",
"updater": "alpine-main-v3.10-updater",
"name": "CVE-2021-23840",
"description": "",
"issued": "0001-01-01T00:00:00Z",
"links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23840",
"severity": "",
"normalized_severity": "Unknown",
"package": {
"id": "",
"name": "openssl",
"version": "",
"kind": "source",
"normalized_version": "",
"cpe": ""
},
"distribution": {
"id": "",
"did": "alpine",
"name": "Alpine Linux",
"version": "",
"version_code_name": "",
"version_id": "3.10",
"arch": "",
"cpe": "",
"pretty_name": "Alpine Linux v3.10"
},
"repository": {
"cpe": ""
},
"fixed_in_version": "1.1.1j-r0"
},
"4301425": {
"id": "4301425",
"updater": "alpine-main-v3.10-updater",
"name": "CVE-2021-23839",
"description": "",
"issued": "0001-01-01T00:00:00Z",
"links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23839",
"severity": "",
"normalized_severity": "Unknown",
"package": {
"id": "",
"name": "openssl",
"version": "",
"kind": "source",
"normalized_version": "",
"cpe": ""
},
"distribution": {
"id": "",
"did": "alpine",
"name": "Alpine Linux",
"version": "",
"version_code_name": "",
"version_id": "3.10",
"arch": "",
"cpe": "",
"pretty_name": "Alpine Linux v3.10"
},
"repository": {
"cpe": ""
},
"fixed_in_version": "1.1.1j-r0"
},
"4301426": {
"id": "4301426",
"updater": "alpine-main-v3.10-updater",
"name": "CVE-2021-3449",
"description": "",
"issued": "0001-01-01T00:00:00Z",
"links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449",
"severity": "",
"normalized_severity": "Unknown",
"package": {
"id": "",
"name": "openssl",
"version": "",
"kind": "source",
"normalized_version": "",
"cpe": ""
},
"distribution": {
"id": "",
"did": "alpine",
"name": "Alpine Linux",
"version": "",
"version_code_name": "",
"version_id": "3.10",
"arch": "",
"cpe": "",
"pretty_name": "Alpine Linux v3.10"
},
"repository": {
"cpe": ""
},
"fixed_in_version": "1.1.1k-r0"
},
"4301427": {
"id": "4301427",
"updater": "alpine-main-v3.10-updater",
"name": "CVE-2021-3450",
"description": "",
"issued": "0001-01-01T00:00:00Z",
"links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3450",
"severity": "",
"normalized_severity": "Unknown",
"package": {
"id": "",
"name": "openssl",
"version": "",
"kind": "source",
"normalized_version": "",
"cpe": ""
},
"distribution": {
"id": "",
"did": "alpine",
"name": "Alpine Linux",
"version": "",
"version_code_name": "",
"version_id": "3.10",
"arch": "",
"cpe": "",
"pretty_name": "Alpine Linux v3.10"
},
"repository": {
"cpe": ""
},
"fixed_in_version": "1.1.1k-r0"
}
},
The following are the results for the container, assuming the vulnerabilities reported in the Alpine feeds are all [sentence truncated in the source page]
# Check which installed packages the Alpine secdb (which lists advisories by
# *source* package name, see packages[].pkg.name) can be matched against:
# first via the installed db's origin field ("o:", the source package the
# binary was built from), then via the binary package name ("P:").
/ # wget https://secdb.alpinelinux.org/v3.10/main.json
# NOTE(review): each name is dropped unquoted into a grep regex and the loop
# appears to rely on xargs/echo to strip the quotes jq emits; `jq -r` would
# print raw names directly. Fine for this ad-hoc check, not for a scanner.
/ # for i in $(cat main.json | jq .packages[].pkg.name | xargs echo | sed 's/ /\n/g'); do cat /lib/apk/db/installed | grep o:$i$; done
# Matching on the origin field: the installed subpackages libcrypto1.1 and
# libssl1.1 resolve to their openssl source package, so the openssl advisories
# above (CVE-2021-3449, CVE-2021-3450, ...) apply to this image.
o:apk-tools
o:busybox
o:busybox #P:ssl_client
o:jq
o:musl
o:musl #P:musl-utils
o:oniguruma
o:openssl #P:libcrypto1.1
o:openssl #P:libssl1.1
# Matching on the binary package name: openssl never appears, because only its
# libcrypto1.1/libssl1.1 subpackages are installed. A scanner that compares
# binary names against source-keyed advisories silently misses them — a false
# negative, not a "no vulnerabilities" result.
/ # for i in $(cat main.json | jq .packages[].pkg.name | xargs echo | sed 's/ /\n/g'); do cat /lib/apk/db/installed | grep P:$i$; done
P:apk-tools
P:busybox
P:jq
P:musl
P:oniguruma
This is how the hit rate would potentially change with a fresh alpine:3.10.2 (with [sentence truncated in the source page]
@crozzy your assumptions are correct as usual: Clair should match against the origin fields!
Nice @crozzy, we were considering this as well — it seems the Alpine updater should store vulnerabilities as source packages, rather than as binary packages as it currently does; that would resolve this issue.
I think this is fixed with the linked PR.
Description of Problem / Feature Request
I'm using a vulnerable version of Alpine (3.10.2), which ships a vulnerable version of `libcrypto1.1` as a subpackage of the `openssl` package.

Expected Outcome
I would expect the package `libcrypto1.1` to be listed in the vulnerabilities and `openssl` to be listed in the packages.

Actual Outcome
The `libcrypto1.1` package appears as such in the report. However, there is no entry for `openssl` in the report — because the advisory is keyed on the source package while the image only contains the binary subpackage, the vulnerability is not reported at all (a false negative).

Taking a look at the database, it would seem that there is only vulnerability data on `binary` packages for Alpine. This query returned `0` results. When looking for the CVE (identifier missing in the original) for Alpine, there are results in the database, but the `package_kind` is `binary`. This did return results for `openssl` and `openssl3`; however, the `package_kind` is `binary`.

It would seem to be a problem similar to what was found with Debian in issue #1270.
Environment
- Kernel (e.g. `uname -a`): not provided
- Kubernetes version (`kubectl version`): 1.20