Ansible 7.6.0 being picked up by Trivy for CVE-2020-25636 which is a 3rd party community component (long been fixed)

[mig5]

IDs

CVE-2020-25636

Description

I keep getting the following using a poetry.lock with Ansible 7.6.0 which came out only 5 days ago:

poetry.lock (poetry)
====================
Total: 1 (HIGH: 1)

┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ ansible │ CVE-2020-25636 │ HIGH     │ 7.6.0             │               │ Collections: aws_ssm connection plugin should namespace its │
│         │                │          │                   │               │ file transfers                                              │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-25636                  │
└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

The issue is not actually part of the core Ansible package - it's part of the 'community-aws' 3rd party plugin, and was fixed years ago. I don't even use this plugin in my ansible setup.

Reproduction Steps

Here is my poetry.lock which lives under the folder 'ansible':

I am running it like so:

trivy fs --severity HIGH ansible/ --debug

Target

Filesystem

Scanner

Vulnerability

Target OS

No response

Debug Output

2023-05-28T23:28:45.214Z	DEBUG	Severities: ["HIGH"]
2023-05-28T23:28:45.218Z	DEBUG	cache dir:  /home/jenkins/.cache/trivy
2023-05-28T23:28:45.218Z	DEBUG	DB update was skipped because the local DB is the latest
2023-05-28T23:28:45.218Z	DEBUG	DB Schema: 2, UpdatedAt: 2023-05-28 18:08:37.044193342 +0000 UTC, NextUpdate: 2023-05-29 00:08:37.044192842 +0000 UTC, DownloadedAt: 2023-05-28 23:25:09.486010933 +0000 UTC
2023-05-28T23:28:45.218Z	INFO	Vulnerability scanning is enabled
2023-05-28T23:28:45.218Z	DEBUG	Vulnerability type:  [os library]
2023-05-28T23:28:45.218Z	INFO	Secret scanning is enabled
2023-05-28T23:28:45.218Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-28T23:28:45.218Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
2023-05-28T23:28:45.218Z	DEBUG	No secret config detected: trivy-secret.yaml
2023-05-28T23:28:45.218Z	DEBUG	Walk the file tree rooted at 'ansible' in parallel
2023-05-28T23:28:46.360Z	DEBUG	OS is not detected.
2023-05-28T23:28:46.360Z	DEBUG	Detected OS: unknown
2023-05-28T23:28:46.360Z	INFO	Number of language-specific files: 1
2023-05-28T23:28:46.360Z	INFO	Detecting poetry vulnerabilities...
2023-05-28T23:28:46.360Z	DEBUG	Detecting library vulnerabilities, type: poetry, path: poetry.lock
{
  "SchemaVersion": 2,
  "ArtifactName": "ansible",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "poetry.lock",
      "Class": "lang-pkgs",
      "Type": "poetry",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2020-25636",
          "PkgID": "[email protected]",
          "PkgName": "ansible",
          "InstalledVersion": "7.6.0",
          "Layer": {},
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-25636",
          "DataSource": {
            "ID": "osv",
            "Name": "Python Packaging Advisory Database",
            "URL": "https://github.com/pypa/advisory-db"
          },
          "Title": "Collections: aws_ssm connection plugin should namespace its file transfers",
          "Description": "A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-552"
          ],
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:L/AC:L/Au:N/C:N/I:P/A:P",
              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
              "V2Score": 3.6,
              "V3Score": 7.1
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
              "V3Score": 6.6
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2020-25636",
            "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25636",
            "https://github.com/ansible-collections/community.aws/issues/221",
            "https://nvd.nist.gov/vuln/detail/CVE-2020-25636",
            "https://www.cve.org/CVERecord?id=CVE-2020-25636"
          ],
          "PublishedDate": "2020-10-05T13:15:00Z",
          "LastModifiedDate": "2020-10-09T23:24:00Z"
        }
      ]
    }
  ]
}

Version

Version: 0.41.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-05-28 06:06:55.527709412 +0000 UTC
  NextUpdate: 2023-05-28 12:06:55.527709112 +0000 UTC
  DownloadedAt: 2023-05-28 06:38:13.723059277 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[knqyf263]

This advisory could be wrong. Please ask them.
https://github.com/pypa/advisory-database/blob/f194e2f88756c083a71800df9f985ffdc2107557/vulns/ansible/PYSEC-2020-221.yaml#L17-L19

Please let me close the discussion. If you still think this is a Trivy's bug, please feel free to reopen it.