Trivy .jar image scan does not find some CVEs compared to OWASP Depedency check tool #5140
Replies: 1 comment 6 replies
-
|
We need to see an image to replicate the issue. Otherwise, it is hard to say what's wrong. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks. It is not necessarily the same image. We just want to reproduce the problem. |
Beta Was this translation helpful? Give feedback.
-
|
I have prepared repo https://github.com/bedla/trivy-scan-reproduce-service to reproduce scan results. Just run Let me know, if you will have some questions. |
Beta Was this translation helpful? Give feedback.
-
|
Hello @knqyf263 The issue is well reproducible, eg scanning the attached
Derived from the gradle.lockfile other resources however also have vulnerabilities which are not output for whatever reason My customer so far is using a different vulnerability scanner (OWASP) which outputs the other findings as expected |
Beta Was this translation helpful? Give feedback.
-
|
Looks like this is mistake in your scanner. |
Beta Was this translation helpful? Give feedback.
-
|
yes indeed - thanks @DmitriyLewen !! Obviously the OWASP scanner for whatever reason interprets the CPE of CVE-2023-37475 as |
Beta Was this translation helpful? Give feedback.
-
IDs
CVE-2023-34462, CVE-2022-1471, CVE-2023-35116, CVE-2023-4586, CVE-2022-1471
Description
Hi,
I am running scan on same application with Trivy and with OWASP Dependency check CLI tool https://owasp.org/www-project-dependency-check/ and getting different results.
I assume that both tools use same input DBs.
Do you think that this is about different DBs used, or Trivy does not see some .jar files?
Thx
Ivos
Trivy:
CVE-2023-34462
CVE-2022-1471
OWASP checker:
CVE-2023-34462
CVE-2022-1471
CVE-2023-35116 *
CVE-2023-4586 *
CVE-2022-1471 *
report can be downloaded here: https://drive.google.com/file/d/1_WQlLUXMkpwCTUJ3CnmF7JHiR5glpDpI/view?usp=sharing
Reproduction Steps
1. Run `docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy --debug image -f json harbor.oci.xxx-lab.tech/xxx-qr-service/xxx-qr-service:1.5.0`Target
Container Image
Scanner
Vulnerability
Target OS
Docker Windows
Debug Output
{ "SchemaVersion": 2, "ArtifactName": "harbor.oci.xxx-lab.tech/xxx-qr-service/xxx-qr-service:1.5.0", "ArtifactType": "container_image", "Metadata": { "OS": { "Family": "alpine", "Name": "3.18.3" }, "ImageID": "sha256:e294506edc460d74c0021fbab1fd42711bd52efea93561840c719ed1e31d050e", "DiffIDs": [ "sha256:4693057ce2364720d39e57e85a5b8e0bd9ac3573716237736d6470ec5b7b7230", "sha256:1061c27d7cdf5af544ae24b937a7ddf5452a1eca7e673f4a30d091b3781aa42d", "sha256:9e4b1e98376e897831a6117623eb0f3e63bb00b8053c8f28013967bc26dcd170", "sha256:c246333c2aab0ba9eabffecfa634426209f6d55aa98c0f45c546faf12b153223", "sha256:2894bd59aebe0b546806af60249dffb98c788215af4850cb7b5ecd7e134c3d55", "sha256:5ff7d46cf3fff3b73f140d927291b5042854e56412ec3db69b23718528ccd33f", "sha256:82aaeb863af1e19a6d58625497b85a65def0e21a43cd99b0ff3cd72a5eff577f", "sha256:38e69fd9daa06cdb2ee3c8db8a33b8c18044d4b23c7dcafea2a7c84aef2dbd0d", "sha256:3de329fea821c56ae4d7799b42044d42d1cb190e55a1cc6ca3beff7152b268ab", "sha256:6cc14ccb0196e73d22650b724c331b18257207feee9736c51092a6aece654d34", "sha256:b57e87e5d585ccc758913985e3af1a2c8a2508c772693272c492a08753c2fcce" ], "RepoTags": [ "harbor.oci.xxx-lab.tech/xxx-qr-service/xxx-qr-service:1.5.0" ], "RepoDigests": [ "harbor.oci.xxx-lab.tech/xxx-qr-service/xxx-qr-service@sha256:6d22570d180a42d3e757e4d09e8ecb1174832095833573beed6ef250907b9027" ], "ImageConfig": { "architecture": "amd64", "container": "3a405cc655285cab1a548a4d97e780cc0794e745664dddcdde11d15d7e019cf3", "created": "2023-09-07T07:17:45.998172911Z", "docker_version": "20.10.23", "history": [ { "created": "2023-08-07T19:20:20.71894984Z", "created_by": "/bin/sh -c #(nop) ADD file:32ff5e7a78b890996ee4681cc0a26185d3e9acdb4eb1e2aaccb2411f922fed6b in / " }, { "created": "2023-08-07T19:20:20.894140623Z", "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]", "empty_layer": true }, { "created": "2023-08-08T19:19:44.349905295Z", "created_by": "/bin/sh -c #(nop) ENV JAVA_HOME=/opt/java/openjdk", "empty_layer": true }, { "created": "2023-08-08T19:19:44.434729863Z", "created_by": "/bin/sh -c #(nop) ENV PATH=/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "empty_layer": true }, { "created": "2023-08-08T19:19:44.517192634Z", "created_by": "/bin/sh -c #(nop) ENV LANG=en_US.UTF-8 LANGUAGE=en_US:en LC_ALL=en_US.UTF-8", "empty_layer": true }, { "created": "2023-08-14T18:09:08.701385666Z", "created_by": "/bin/sh -c apk add --no-cache fontconfig java-cacerts bash libretls musl-locales musl-locales-lang ttf-dejavu tzdata zlib \u0026\u0026 rm -rf /var/cache/apk/*" }, { "created": "2023-08-31T20:21:36.066723852Z", "created_by": "/bin/sh -c #(nop) ENV JAVA_VERSION=jdk-11.0.20.1+1", "empty_layer": true }, { "created": "2023-08-31T20:21:46.245439751Z", "created_by": "/bin/sh -c set -eux; ARCH=\"$(apk --print-arch)\"; case \"${ARCH}\" in amd64|x86_64) ESUM='1a94e642bf6cc4124d4f01f43184f9127ef994cbd324e2ee42cc50f715cbaedf'; BINARY_URL='https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.20.1%2B1/OpenJDK11U-jdk_x64_alpine-linux_hotspot_11.0.20.1_1.tar.gz'; ;; *) echo \"Unsupported arch: ${ARCH}\"; exit 1; ;; esac; \t wget -O /tmp/openjdk.tar.gz ${BINARY_URL}; \t echo \"${ESUM} */tmp/openjdk.tar.gz\" | sha256sum -c -; \t mkdir -p \"$JAVA_HOME\"; \t tar --extract \t --file /tmp/openjdk.tar.gz \t --directory \"$JAVA_HOME\" \t --strip-components 1 \t --no-same-owner \t ; rm -f /tmp/openjdk.tar.gz ${JAVA_HOME}/lib/src.zip;" }, { "created": "2023-08-31T20:21:48.72600223Z", "created_by": "/bin/sh -c echo Verifying install ... \u0026\u0026 fileEncoding=\"$(echo 'System.out.println(System.getProperty(\"file.encoding\"))' | jshell -s -)\"; [ \"$fileEncoding\" = 'UTF-8' ]; rm -rf ~/.java \u0026\u0026 echo javac --version \u0026\u0026 javac --version \u0026\u0026 echo java --version \u0026\u0026 java --version \u0026\u0026 echo Complete." }, { "created": "2023-08-31T20:21:48.818117311Z", "created_by": "/bin/sh -c #(nop) COPY file:8b8864b3e02a33a579dc216fd51b28a6047bc8eeaa03045b258980fe0cf7fcb3 in /__cacert_entrypoint.sh " }, { "created": "2023-08-31T20:21:48.898515748Z", "created_by": "/bin/sh -c #(nop) ENTRYPOINT [\"/__cacert_entrypoint.sh\"]", "empty_layer": true }, { "created": "2023-08-31T20:21:48.981342004Z", "created_by": "/bin/sh -c #(nop) CMD [\"jshell\"]", "empty_layer": true }, { "author": "kaniko", "created": "0001-01-01T00:00:00Z", "created_by": "WORKDIR /home/app" }, { "author": "kaniko", "created": "0001-01-01T00:00:00Z", "created_by": "RUN addgroup -S bruseri \u0026\u0026 adduser -S bruser -G bruseri" }, { "author": "kaniko", "created": "0001-01-01T00:00:00Z", "created_by": "COPY service/build/docker/main/layers/libs /home/app/libs" }, { "author": "kaniko", "created": "0001-01-01T00:00:00Z", "created_by": "COPY service/build/docker/main/layers/resources /home/app/resources" }, { "author": "kaniko", "created": "0001-01-01T00:00:00Z", "created_by": "COPY service/build/docker/main/layers/application.jar /home/app/application.jar" }, { "author": "kaniko", "created": "0001-01-01T00:00:00Z", "created_by": "COPY entrypoint.sh /" } ], "os": "linux", "rootfs": { "type": "layers", "diff_ids": [ "sha256:4693057ce2364720d39e57e85a5b8e0bd9ac3573716237736d6470ec5b7b7230", "sha256:1061c27d7cdf5af544ae24b937a7ddf5452a1eca7e673f4a30d091b3781aa42d", "sha256:9e4b1e98376e897831a6117623eb0f3e63bb00b8053c8f28013967bc26dcd170", "sha256:c246333c2aab0ba9eabffecfa634426209f6d55aa98c0f45c546faf12b153223", "sha256:2894bd59aebe0b546806af60249dffb98c788215af4850cb7b5ecd7e134c3d55", "sha256:5ff7d46cf3fff3b73f140d927291b5042854e56412ec3db69b23718528ccd33f", "sha256:82aaeb863af1e19a6d58625497b85a65def0e21a43cd99b0ff3cd72a5eff577f", "sha256:38e69fd9daa06cdb2ee3c8db8a33b8c18044d4b23c7dcafea2a7c84aef2dbd0d", "sha256:3de329fea821c56ae4d7799b42044d42d1cb190e55a1cc6ca3beff7152b268ab", "sha256:6cc14ccb0196e73d22650b724c331b18257207feee9736c51092a6aece654d34", "sha256:b57e87e5d585ccc758913985e3af1a2c8a2508c772693272c492a08753c2fcce" ] }, "config": { "Cmd": [ "application" ], "Entrypoint": [ "/entrypoint.sh" ], "Env": [ "PATH=/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "JAVA_HOME=/opt/java/openjdk", "LANG=en_US.UTF-8", "LANGUAGE=en_US:en", "LC_ALL=en_US.UTF-8", "JAVA_VERSION=jdk-11.0.20.1+1", "version=1.5.0" ], "Image": "sha256:916db1b2fe53db0f5e466213e298e75ab059a9268c6b8ad85447ba95d8ec4468", "User": "bruser", "WorkingDir": "/home/app", "ExposedPorts": { "8080/tcp": {} } } } }, "Results": [ { "Target": "harbor.oci.xxx-lab.tech/xxx-qr-service/xxx-qr-service:1.5.0 (alpine 3.18.3)", "Class": "os-pkgs", "Type": "alpine" }, { "Target": "Java", "Class": "lang-pkgs", "Type": "jar", "Vulnerabilities": [ { "VulnerabilityID": "CVE-2023-34462", "PkgName": "io.netty:netty-handler", "PkgPath": "home/app/libs/netty-handler-4.1.87.Final.jar", "InstalledVersion": "4.1.87.Final", "FixedVersion": "4.1.94.Final", "Status": "fixed", "Layer": { "DiffID": "sha256:38e69fd9daa06cdb2ee3c8db8a33b8c18044d4b23c7dcafea2a7c84aef2dbd0d" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-34462", "DataSource": { "ID": "glad", "Name": "GitLab Advisory Database Community", "URL": "https://gitlab.com/gitlab-org/advisories-community" }, "Title": "SniHandler 16MB allocation leads to OOM", "Description": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.", "Severity": "MEDIUM", "CweIDs": [ "CWE-400" ], "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "V3Score": 6.5 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "V3Score": 6.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2023-34462", "https://github.com/netty/netty", "https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32", "https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845", "https://nvd.nist.gov/vuln/detail/CVE-2023-34462", "https://security.netapp.com/advisory/ntap-20230803-0001/", "https://www.cve.org/CVERecord?id=CVE-2023-34462" ], "PublishedDate": "2023-06-22T23:15:00Z", "LastModifiedDate": "2023-08-03T15:15:00Z" }, { "VulnerabilityID": "CVE-2022-1471", "PkgName": "org.yaml:snakeyaml", "PkgPath": "home/app/libs/snakeyaml-1.33.jar", "InstalledVersion": "1.33", "FixedVersion": "2.0", "Status": "fixed", "Layer": { "DiffID": "sha256:38e69fd9daa06cdb2ee3c8db8a33b8c18044d4b23c7dcafea2a7c84aef2dbd0d" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-1471", "DataSource": { "ID": "glad", "Name": "GitLab Advisory Database Community", "URL": "https://gitlab.com/gitlab-org/advisories-community" }, "Title": "Constructor Deserialization Remote Code Execution", "Description": "SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.\n", "Severity": "CRITICAL", "CweIDs": [ "CWE-502" ], "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "V3Score": 8.3 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "V3Score": 9.8 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "V3Score": 9.8 } }, "References": [ "https://access.redhat.com/errata/RHSA-2022:9058", "https://access.redhat.com/security/cve/CVE-2022-1471", "https://bitbucket.org/snakeyaml/snakeyaml", "https://bitbucket.org/snakeyaml/snakeyaml/commits/5014df1a36f50aca54405bb8433bc99a8847f758", "https://bitbucket.org/snakeyaml/snakeyaml/commits/acc44099f5f4af26ff86b4e4e4cc1c874e2dc5c4", "https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479", "https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374", "https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314", "https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE-2022-1471", "https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes", "https://bugzilla.redhat.com/2150009", "https://bugzilla.redhat.com/show_bug.cgi?id=2150009", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471", "https://errata.almalinux.org/8/ALSA-2022-9058.html", "https://errata.rockylinux.org/RLSA-2022:9058", "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", "https://github.com/mbechler/marshalsec", "https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc", "https://linux.oracle.com/cve/CVE-2022-1471.html", "https://linux.oracle.com/errata/ELSA-2022-9058-1.html", "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", "https://security.netapp.com/advisory/ntap-20230818-0015/", "https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471/", "https://www.cve.org/CVERecord?id=CVE-2022-1471", "https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true" ], "PublishedDate": "2022-12-01T11:15:00Z", "LastModifiedDate": "2023-08-18T14:15:00Z" } ] } ] }Version
Checklist
-f jsonthat shows data sources and confirmed that the security advisory in data sources was correctBeta Was this translation helpful? Give feedback.
All reactions