
update oras push syntax to fix issue with 0 length config #16

Merged
merged 1 commit into from
May 14, 2023

Conversation

rdjones517
Contributor

@rdjones517 rdjones517 commented May 4, 2023

This pull request updates the syntax used to push the OCI artifact. Using /dev/null as the source for the config results in a zero (0) length blob; this causes an error when using oras copy to copy the artifact to another v2 API registry. Using the new --artifact-type parameter creates a config of the given type, containing an empty json object {}, and allows for the artifact to be copied successfully.

This change is necessary to allow the trivy java db OCI artifact to be copied to a registry hosted on an air-gapped network.
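One way to catch the zero-length config before an artifact is copied into an air-gapped registry, as an added example that is not code from this PR or the trivy-java-db project: it constructs the two manifests the description contrasts (config from /dev/null versus the `{}` config that `--artifact-type` produces) and checks the config descriptor against the blob store the way a registry would. The media types beginning `application/vnd.example.` are placeholders, not the project's real ones.

```python
"""Pre-flight check of an OCI artifact manifest before it is copied to another
registry (for example with `oras copy` into an air-gapped registry).

Added example; not code from the trivy-java-db project. The manifests and
blobs are constructed by hand to mirror the two cases in the PR description.
"""
import hashlib
import json

OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
# Placeholder media types (assumed for the example, not the project's own).
ARTIFACT_TYPE = "application/vnd.example.javadb.config.v1+json"
LAYER_TYPE = "application/vnd.example.javadb.layer.v1.tar+gzip"


def digest_of(data: bytes) -> str:
    """Content address in the form registries use: sha256:<hex>."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


EMPTY_BLOB_DIGEST = digest_of(b"")    # what a config sourced from /dev/null yields
EMPTY_JSON_DIGEST = digest_of(b"{}")  # what --artifact-type yields (config is `{}`)


def build_artifact(config_blob: bytes, config_type: str, layer_blob: bytes):
    """Return (manifest, blob_store) for a single-layer OCI artifact.
    blob_store maps digest -> content and stands in for the registry."""
    blobs = {digest_of(config_blob): config_blob, digest_of(layer_blob): layer_blob}
    manifest = {
        "schemaVersion": 2,
        "mediaType": OCI_MANIFEST,
        "config": {"mediaType": config_type,
                   "digest": digest_of(config_blob), "size": len(config_blob)},
        "layers": [{"mediaType": LAYER_TYPE,
                    "digest": digest_of(layer_blob), "size": len(layer_blob)}],
    }
    return manifest, blobs


def preflight(manifest: dict, blobs: dict) -> list:
    """Return the problems found with the manifest's config and layers.
    An empty list means the artifact should survive a registry-to-registry copy."""
    problems = []
    config = manifest.get("config")
    if not isinstance(config, dict):
        return ["manifest has no config descriptor"]
    digest, size = config.get("digest", ""), config.get("size")
    if size == 0 or digest == EMPTY_BLOB_DIGEST:
        problems.append("config is a zero-length blob (pushed from /dev/null?)")
    blob = blobs.get(digest)
    if blob is None:
        problems.append(f"config blob {digest} is not in the blob store")
        return problems
    if len(blob) != size:
        problems.append(f"config size {size} does not match blob length {len(blob)}")
    if digest_of(blob) != digest:
        problems.append("config digest does not match blob content")
    try:
        if not isinstance(json.loads(blob), dict):
            problems.append("config is JSON but not an object")
    except ValueError:  # json.JSONDecodeError is a ValueError; b"" raises it
        problems.append("config blob is not valid JSON")
    for layer in manifest.get("layers", []):
        data = blobs.get(layer.get("digest", ""))
        if data is None or len(data) != layer.get("size"):
            problems.append(f"layer {layer.get('digest')} missing or wrong size")
    return problems


# Constructed stand-in for the Java DB layer content.
LAYER_BLOB = b"constructed-javadb-layer-bytes"

# Case 1: config sourced from /dev/null -> zero-length config blob.
BAD_MANIFEST, BAD_BLOBS = build_artifact(b"", ARTIFACT_TYPE, LAYER_BLOB)
# Case 2: pushed with --artifact-type -> config blob is the empty JSON object.
GOOD_MANIFEST, GOOD_BLOBS = build_artifact(b"{}", ARTIFACT_TYPE, LAYER_BLOB)

if __name__ == "__main__":
    for name, m, b in (("config from /dev/null", BAD_MANIFEST, BAD_BLOBS),
                       ("config via --artifact-type", GOOD_MANIFEST, GOOD_BLOBS)):
        print(f"{name}: {preflight(m, b) or 'ok'}")
```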

@knqyf263
Collaborator

knqyf263 commented May 8, 2023

Thanks for your contribution! Did you confirm it worked with Trivy?

@rdjones517
Contributor Author

rdjones517 commented May 8, 2023

Yes, I have tested this with an install of Trivy on our air-gapped network, and it works without any issues. This is a relatively small change and will have no negative impact on users.

@rdjones517
Contributor Author

This PR coincides with aquasecurity/trivy-db#305

@knqyf263
Collaborator

Thanks for confirming. We also need to test it on our end.
@DmitriyLewen Can you please push the database to your fork and confirm it works with trivy --db-repository?

@rdjones517
Contributor Author

Here are the successful database builds:

And here is a successful trivy scan using these builds:

/ # trivy --db-repository ghcr.io/rdjones517/trivy-db --java-db-repository ghcr.io/rdjones517/trivy-java-db image apache/nifi:1.21.0
2023-05-11T14:58:24.872Z	INFO	Need to update DB
2023-05-11T14:58:24.872Z	INFO	DB Repository: ghcr.io/rdjones517/trivy-db
2023-05-11T14:58:24.872Z	INFO	Downloading DB...
36.79 MiB / 36.79 MiB [-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 30.06 MiB p/s 1.4s
2023-05-11T14:58:26.532Z	INFO	Vulnerability scanning is enabled
2023-05-11T14:58:26.532Z	INFO	Secret scanning is enabled
2023-05-11T14:58:26.532Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-11T14:58:26.532Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
2023-05-11T14:58:32.417Z	INFO	JAR files found
2023-05-11T14:58:32.417Z	INFO	Java DB Repository: ghcr.io/rdjones517/trivy-java-db:1
2023-05-11T14:58:32.417Z	INFO	Downloading the Java DB...
426.96 MiB / 426.96 MiB [------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 28.17 MiB p/s 15s
2023-05-11T14:58:48.312Z	INFO	The Java DB is cached for 3 days. If you want to update the database more frequently, the '--reset' flag clears the DB cache.
2023-05-11T14:58:48.313Z	INFO	Analyzing JAR files takes a while...
2023-05-11T14:58:52.916Z	INFO	Detected OS: ubuntu
2023-05-11T14:58:52.916Z	INFO	Detecting Ubuntu vulnerabilities...
2023-05-11T14:58:52.931Z	INFO	Number of language-specific files: 1
2023-05-11T14:58:52.931Z	INFO	Detecting jar vulnerabilities...

apache/nifi:1.21.0 (ubuntu 22.04)

Total: 40 (UNKNOWN: 0, LOW: 34, MEDIUM: 6, HIGH: 0, CRITICAL: 0)

┌──────────────┬────────────────┬──────────┬──────────────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │    Installed Version     │     Fixed Version      │                            Title                             │
├──────────────┼────────────────┼──────────┼──────────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ bash         │ CVE-2022-3715  │ LOW      │ 5.1-6ubuntu1             │                        │ a heap-buffer-overflow in valid_parameter_transform          │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2022-3715                    │
├──────────────┼────────────────┤          ├──────────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ coreutils    │ CVE-2016-2781  │          │ 8.32-4.1ubuntu1          │                        │ coreutils: Non-privileged session can escape to the parent   │
│              │                │          │                          │                        │ session in chroot                                            │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2016-2781                    │
├──────────────┼────────────────┼──────────┼──────────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ curl         │ CVE-2023-27535 │ MEDIUM   │ 7.81.0-1ubuntu1.8        │ 7.81.0-1ubuntu1.10     │ FTP too eager connection reuse                               │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-27535                   │
│              ├────────────────┼──────────┤                          │                        ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-27533 │ LOW      │                          │                        │ curl: TELNET option IAC injection                            │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-27533                   │
│              ├────────────────┤          │                          │                        ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-27534 │          │                          │                        │ curl: SFTP path ~ resolving discrepancy                      │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-27534                   │
│              ├────────────────┤          │                          │                        ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-27536 │          │                          │                        │ GSS delegation too eager connection re-use                   │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-27536                   │
│              ├────────────────┤          │                          │                        ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-27538 │          │                          │                        │ curl: SSH connection too eager reuse still                   │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-27538                   │
├──────────────┼────────────────┤          ├──────────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ gpgv         │ CVE-2022-3219  │          │ 2.2.27-3ubuntu2.1        │                        │ gnupg: denial of service issue (resource consumption) using  │
│              │                │          │                          │                        │ compressed packets                                           │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2022-3219                    │
├──────────────┼────────────────┤          ├──────────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libc-bin     │ CVE-2016-20013 │          │ 2.35-0ubuntu3.1          │                        │ sha256crypt and sha512crypt through 0.6 allow attackers to   │
│              │                │          │                          │                        │ cause a denial of...                                         │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2016-20013                   │
├──────────────┤                │          │                          ├────────────────────────┤                                                              │
│ libc6        │                │          │                          │                        │                                                              │
│              │                │          │                          │                        │                                                              │
│              │                │          │                          │                        │                                                              │
├──────────────┼────────────────┼──────────┼──────────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl4     │ CVE-2023-27535 │ MEDIUM   │ 7.81.0-1ubuntu1.8        │ 7.81.0-1ubuntu1.10     │ FTP too eager connection reuse                               │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-27535                   │
│              ├────────────────┼──────────┤                          │                        ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-27533 │ LOW      │                          │                        │ curl: TELNET option IAC injection                            │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-27533                   │
│              ├────────────────┤          │                          │                        ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-27534 │          │                          │                        │ curl: SFTP path ~ resolving discrepancy                      │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-27534                   │
│              ├────────────────┤          │                          │                        ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-27536 │          │                          │                        │ GSS delegation too eager connection re-use                   │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-27536                   │
│              ├────────────────┤          │                          │                        ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-27538 │          │                          │                        │ curl: SSH connection too eager reuse still                   │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-27538                   │
├──────────────┼────────────────┼──────────┼──────────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libfreetype6 │ CVE-2023-2004  │ MEDIUM   │ 2.11.1+dfsg-1ubuntu0.1   │ 2.11.1+dfsg-1ubuntu0.2 │ integer overflowin in tt_hvadvance_adjust() in               │
│              │                │          │                          │                        │ src/truetype/ttgxvar.c                                       │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-2004                    │
├──────────────┼────────────────┼──────────┼──────────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libncurses6  │ CVE-2022-29458 │ LOW      │ 6.3-2                    │                        │ ncurses: segfaulting OOB read                                │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2022-29458                   │
├──────────────┤                │          │                          ├────────────────────────┤                                                              │
│ libncursesw6 │                │          │                          │                        │                                                              │
│              │                │          │                          │                        │                                                              │
├──────────────┼────────────────┤          ├──────────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libpcre3     │ CVE-2017-11164 │          │ 2:8.39-13ubuntu0.22.04.1 │                        │ pcre: OP_KETRMAX feature in the match function in            │
│              │                │          │                          │                        │ pcre_exec.c                                                  │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2017-11164                   │
├──────────────┼────────────────┤          ├──────────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libpng16-16  │ CVE-2022-3857  │          │ 1.6.37-3build5           │                        │ libpng: Null pointer dereference leads to segmentation fault │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2022-3857                    │
├──────────────┼────────────────┤          ├──────────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libssl3      │ CVE-2022-3996  │          │ 3.0.2-0ubuntu1.8         │ 3.0.2-0ubuntu1.9       │ openssl: double locking leads to denial of service           │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2022-3996                    │
│              ├────────────────┤          │                          │                        ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0464  │          │                          │                        │ Denial of service by excessive resource usage in verifying   │
│              │                │          │                          │                        │ X509 policy constraints...                                   │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-0464                    │
│              ├────────────────┤          │                          │                        ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0465  │          │                          │                        │ Invalid certificate policies in leaf certificates are        │
│              │                │          │                          │                        │ silently ignored                                             │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-0465                    │
│              ├────────────────┤          │                          │                        ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0466  │          │                          │                        │ Certificate policy check not enabled                         │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-0466                    │
│              ├────────────────┤          │                          ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-1255  │          │                          │                        │ Input buffer over-read in AES-XTS implementation on 64 bit   │
│              │                │          │                          │                        │ ARM                                                          │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-1255                    │
├──────────────┼────────────────┤          ├──────────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libtinfo6    │ CVE-2022-29458 │          │ 6.3-2                    │                        │ ncurses: segfaulting OOB read                                │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2022-29458                   │
├──────────────┼────────────────┼──────────┼──────────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libxml2      │ CVE-2023-28484 │ MEDIUM   │ 2.9.13+dfsg-1ubuntu0.2   │ 2.9.13+dfsg-1ubuntu0.3 │ NULL dereference in xmlSchemaFixupComplexType                │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-28484                   │
│              ├────────────────┤          │                          │                        ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-29469 │          │                          │                        │ Hashing of empty dict strings isn't deterministic            │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-29469                   │
├──────────────┼────────────────┼──────────┼──────────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libzstd1     │ CVE-2022-4899  │ LOW      │ 1.4.8+dfsg-3build1       │                        │ buffer overrun in util.c                                     │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2022-4899                    │
├──────────────┼────────────────┤          ├──────────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ locales      │ CVE-2016-20013 │          │ 2.35-0ubuntu3.1          │                        │ sha256crypt and sha512crypt through 0.6 allow attackers to   │
│              │                │          │                          │                        │ cause a denial of...                                         │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2016-20013                   │
├──────────────┼────────────────┤          ├──────────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ login        │ CVE-2023-29383 │          │ 1:4.8.1-2ubuntu2.1       │                        │ Improper input validation in shadow-utils package utility    │
│              │                │          │                          │                        │ chfn                                                         │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-29383                   │
├──────────────┼────────────────┤          ├──────────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ ncurses-base │ CVE-2022-29458 │          │ 6.3-2                    │                        │ ncurses: segfaulting OOB read                                │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2022-29458                   │
├──────────────┤                │          │                          ├────────────────────────┤                                                              │
│ ncurses-bin  │                │          │                          │                        │                                                              │
│              │                │          │                          │                        │                                                              │
├──────────────┼────────────────┤          ├──────────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ openssl      │ CVE-2022-3996  │          │ 3.0.2-0ubuntu1.8         │ 3.0.2-0ubuntu1.9       │ openssl: double locking leads to denial of service           │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2022-3996                    │
│              ├────────────────┤          │                          │                        ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0464  │          │                          │                        │ Denial of service by excessive resource usage in verifying   │
│              │                │          │                          │                        │ X509 policy constraints...                                   │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-0464                    │
│              ├────────────────┤          │                          │                        ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0465  │          │                          │                        │ Invalid certificate policies in leaf certificates are        │
│              │                │          │                          │                        │ silently ignored                                             │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-0465                    │
│              ├────────────────┤          │                          │                        ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0466  │          │                          │                        │ Certificate policy check not enabled                         │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-0466                    │
│              ├────────────────┤          │                          ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-1255  │          │                          │                        │ Input buffer over-read in AES-XTS implementation on 64 bit   │
│              │                │          │                          │                        │ ARM                                                          │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-1255                    │
├──────────────┼────────────────┤          ├──────────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ passwd       │ CVE-2023-29383 │          │ 1:4.8.1-2ubuntu2.1       │                        │ Improper input validation in shadow-utils package utility    │
│              │                │          │                          │                        │ chfn                                                         │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2023-29383                   │
├──────────────┼────────────────┼──────────┼──────────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ wget         │ CVE-2021-31879 │ MEDIUM   │ 1.21.2-2ubuntu1          │                        │ wget: authorization header disclosure on redirect            │
│              │                │          │                          │                        │ https://avd.aquasec.com/nvd/cve-2021-31879                   │
└──────────────┴────────────────┴──────────┴──────────────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘
2023-05-11T14:58:53.047Z	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 3)

┌──────────────────────────────────────────────────────────┬──────────────────┬──────────┬───────────────────┬───────────────────────────────┬───────────────────────────────────────────────────────────┐
│                         Library                          │  Vulnerability   │ Severity │ Installed Version │         Fixed Version         │                           Title                           │
├──────────────────────────────────────────────────────────┼──────────────────┼──────────┼───────────────────┼───────────────────────────────┼───────────────────────────────────────────────────────────┤
│ com.h2database:h2 (h2-2.1.214.jar)                       │ CVE-2022-45868   │ HIGH     │ 2.1.214           │                               │ The web-based admin console in H2 Database Engine through │
│                                                          │                  │          │                   │                               │ 2.1.214 can ...                                           │
│                                                          │                  │          │                   │                               │ https://avd.aquasec.com/nvd/cve-2022-45868                │
├──────────────────────────────────────────────────────────┼──────────────────┼──────────┼───────────────────┼───────────────────────────────┼───────────────────────────────────────────────────────────┤
│ org.springframework.security:spring-security-core        │ CVE-2023-20862   │ CRITICAL │ 5.8.2             │ 6.0.3, 5.8.3, 5.7.8           │ Spring Security logout not clearing security context      │
│ (spring-security-core-5.8.2.jar)                         │                  │          │                   │                               │ https://avd.aquasec.com/nvd/cve-2023-20862                │
├──────────────────────────────────────────────────────────┼──────────────────┼──────────┼───────────────────┼───────────────────────────────┼───────────────────────────────────────────────────────────┤
│ org.springframework:spring-core (spring-core-5.3.26.jar) │ CVE-2023-20863   │ HIGH     │ 5.3.26            │ 5.2.24.RELEASE, 5.3.27, 6.0.8 │ Spring Expression DoS Vulnerability                       │
│                                                          │                  │          │                   │                               │ https://avd.aquasec.com/nvd/cve-2023-20863                │
│                                                          │                  │          │                   │                               │                                                           │
│                                                          │                  │          │                   │                               │                                                           │
│                                                          │                  │          │                   │                               │                                                           │
├──────────────────────────────────────────────────────────┼──────────────────┼──────────┤                   ├───────────────────────────────┼───────────────────────────────────────────────────────────┤
│ org.springframework:spring-web (spring-web-5.3.26.jar)   │ CVE-2016-1000027 │ CRITICAL │                   │ 6.0.0                         │ spring: HttpInvokerServiceExporter readRemoteInvocation   │
│                                                          │                  │          │                   │                               │ method untrusted java deserialization                     │
│                                                          │                  │          │                   │                               │ https://avd.aquasec.com/nvd/cve-2016-1000027              │
│                                                          │                  │          │                   │                               │                                                           │
│                                                          │                  │          │                   │                               │                                                           │
│                                                          │                  │          │                   │                               │                                                           │
│                                                          │                  │          │                   │                               │                                                           │
└──────────────────────────────────────────────────────────┴──────────────────┴──────────┴───────────────────┴───────────────────────────────┴───────────────────────────────────────────────────────────┘

/opt/nifi/nifi-current/docs/html/toolkit-guide.html (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: AsymmetricPrivateKey (private-key)
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Asymmetric Private Key
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 /opt/nifi/nifi-current/docs/html/toolkit-guide.html:2764 (added by 'RUN |9 MAINTAINER=Apache NiFi <dev@nifi.')
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
2762   
2763   .../certs $ more nifi-key.key
2764 [ -----BEGIN RSA PRIVATE KEY-----**********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE KEY-----
2765   .../certs $ openssl rsa -in nifi-key.key -text -noout
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

@DmitriyLewen
Collaborator

Hello @knqyf263
I tested the trivy-java-db (#16) and trivy-db (aquasecurity/trivy-db#305) images:

➜  4336 trivy --db-repository ghcr.io/dmitriylewen/trivy-db --java-db-repository ghcr.io/dmitriylewen/trivy-java-db image test-with-jar
2023-05-12T13:09:54.045+0600	INFO	Need to update DB
2023-05-12T13:09:54.045+0600	INFO	DB Repository: ghcr.io/dmitriylewen/trivy-db
2023-05-12T13:09:54.045+0600	INFO	Downloading DB...
36.79 MiB / 36.79 MiB [----------------------------------------------------------------------------------------------------------------------------------] 100.00% 13.94 MiB p/s 2.8s
2023-05-12T13:09:59.000+0600	INFO	Vulnerability scanning is enabled
2023-05-12T13:09:59.000+0600	INFO	Secret scanning is enabled
2023-05-12T13:09:59.000+0600	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-12T13:09:59.000+0600	INFO	Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
2023-05-12T13:09:59.395+0600	INFO	JAR files found
2023-05-12T13:09:59.395+0600	INFO	Java DB Repository: ghcr.io/dmitriylewen/trivy-java-db:1
2023-05-12T13:09:59.395+0600	INFO	Downloading the Java DB...
427.14 MiB / 427.14 MiB [---------------------------------------------------------------------------------------------------------------------------------] 100.00% 11.55 MiB p/s 37s
2023-05-12T13:10:38.448+0600	INFO	The Java DB is cached for 3 days. If you want to update the database more frequently, the '--reset' flag clears the DB cache.
2023-05-12T13:10:38.448+0600	INFO	Analyzing JAR files takes a while...
2023-05-12T13:10:38.459+0600	INFO	Detected OS: alpine
2023-05-12T13:10:38.459+0600	INFO	Detecting Alpine vulnerabilities...
2023-05-12T13:10:38.460+0600	INFO	Number of language-specific files: 1
2023-05-12T13:10:38.460+0600	INFO	Detecting jar vulnerabilities...

test-with-jar (alpine 3.17.3)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-1255 │ MEDIUM   │ 3.0.8-r3          │ 3.0.8-r4      │ Input buffer over-read in AES-XTS implementation on 64 bit │
│            │               │          │                   │               │ ARM                                                        │
│            │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-1255                  │
├────────────┤               │          │                   │               │                                                            │
│ libssl3    │               │          │                   │               │                                                            │
│            │               │          │                   │               │                                                            │
│            │               │          │                   │               │                                                            │
└────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
2023-05-12T13:10:38.464+0600	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 4, CRITICAL: 2)

┌────────────────────────────────┬────────────────┬──────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Installed Version │ Fixed Version  │                            Title                             │
├────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ log4j:log4j (log4j-1.2.17.jar) │ CVE-2019-17571 │ CRITICAL │ 1.2.17            │ 2.0-alpha1     │ log4j: deserialization of untrusted data in SocketServer     │
│                                │                │          │                   │                │ https://avd.aquasec.com/nvd/cve-2019-17571                   │
│                                ├────────────────┤          │                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2022-23305 │          │                   │                │ log4j: SQL injection in Log4j 1.x when application is        │
│                                │                │          │                   │                │ configured to use...                                         │
│                                │                │          │                   │                │ https://avd.aquasec.com/nvd/cve-2022-23305                   │
│                                ├────────────────┼──────────┤                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2021-4104  │ HIGH     │                   │                │ log4j: Remote code execution in Log4j 1.x when application   │
│                                │                │          │                   │                │ is configured to...                                          │
│                                │                │          │                   │                │ https://avd.aquasec.com/nvd/cve-2021-4104                    │
│                                ├────────────────┤          │                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2022-23302 │          │                   │                │ log4j: Remote code execution in Log4j 1.x when application   │
│                                │                │          │                   │                │ is configured to...                                          │
│                                │                │          │                   │                │ https://avd.aquasec.com/nvd/cve-2022-23302                   │
│                                ├────────────────┤          │                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2022-23307 │          │                   │                │ log4j: Unsafe deserialization flaw in Chainsaw log viewer    │
│                                │                │          │                   │                │ https://avd.aquasec.com/nvd/cve-2022-23307                   │
│                                ├────────────────┤          │                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2023-26464 │          │                   │ 2.0            │ DoS via hashmap logging                                      │
│                                │                │          │                   │                │ https://avd.aquasec.com/nvd/cve-2023-26464                   │
│                                ├────────────────┼──────────┤                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│                                │ CVE-2020-9488  │ LOW      │                   │ 2.12.3, 2.13.2 │ log4j: improper validation of certificate with host mismatch │
│                                │                │          │                   │                │ in SMTP appender                                             │
│                                │                │          │                   │                │ https://avd.aquasec.com/nvd/cve-2020-9488                    │
└────────────────────────────────┴────────────────┴──────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘

Trivy works correctly with these changes.
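A pre-copy check for the failure mode this PR fixes, added here as an example (it is not code from trivy-java-db, trivy or oras): given an OCI manifest and the config blob it references, it flags the zero-length config that pushing from /dev/null produces and accepts the two-byte `{}` config that `oras push --artifact-type` writes. The manifests and media types below are constructed samples, not values taken from the real trivy-java-db artifact.

```python
"""Check an OCI manifest's config descriptor before copying the artifact."""
import hashlib
import json


def sha256_digest(blob: bytes) -> str:
    """OCI-style digest string ("sha256:<hex>") for a blob."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def check_config(manifest: dict, config_blob: bytes) -> list[str]:
    """Return the problems found with the manifest's config descriptor and
    the blob it points to. An empty list means the artifact should copy
    cleanly with oras copy."""
    problems = []
    desc = manifest.get("config")
    if not desc:
        return ["manifest has no config descriptor"]
    size = desc.get("size", -1)
    if size == 0:
        # This is what pushing with /dev/null as the config produces.
        problems.append("config blob is zero length; some registries reject it on copy")
    if size != len(config_blob):
        problems.append(f"descriptor size {size} != blob length {len(config_blob)}")
    if desc.get("digest") != sha256_digest(config_blob):
        problems.append("descriptor digest does not match config blob")
    if not desc.get("mediaType"):
        problems.append("config descriptor lacks a mediaType")
    try:
        json.loads(config_blob)  # b"" is rejected here as well
    except json.JSONDecodeError:
        problems.append("config blob is not valid JSON")
    return problems


def manifest_for(config_blob: bytes, media_type: str) -> dict:
    """Build a minimal constructed manifest whose config points at config_blob."""
    return {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "config": {"mediaType": media_type,
                   "digest": sha256_digest(config_blob), "size": len(config_blob)},
        "layers": [],
    }


# Constructed samples: the /dev/null config (pre-PR) and the "{}" config (post-PR).
# Both media types are placeholders, not necessarily what oras emits.
DEV_NULL_CONFIG = b""
BROKEN_MANIFEST = manifest_for(DEV_NULL_CONFIG, "application/vnd.unknown.config.v1+json")
EMPTY_JSON_CONFIG = b"{}"
FIXED_MANIFEST = manifest_for(EMPTY_JSON_CONFIG, "application/vnd.example.trivy-java-db.config.v1+json")
```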

Collaborator

@DmitriyLewen DmitriyLewen left a comment

Thanks for your work @rdjones517

Collaborator

@knqyf263 knqyf263 left a comment

Thank you guys!

@knqyf263 knqyf263 merged commit fb1b70d into aquasecurity:main May 14, 2023