.net False Positive on transitive dependency

[pumpenschnabel]

IDs

CVE-2019-0820

Description

My project has a transitive dependency to System.Text.RegularExpressions (4.3.0) which is inherited from the Nuget https://www.nuget.org/packages/Elastic.Apm.NetCoreAll/1.22.0 (multiple sub packages involved).

If I try do understand the signs correctly, this transitive package is resolved from the installed runtime Microsoft.NETCore.App/7.0.10. (refer below)

But it seems that trivy does not honor the ../Microsoft.NETCore.App.deps.json dependencies and still reports a problem of a "virtual" package which is not part of the scanned image.

Notice: I changed my project name with XXXXXXXXX:

/app # find / -name '*.deps.json'
/usr/share/dotnet/shared/Microsoft.NETCore.App/7.0.10/Microsoft.NETCore.App.deps.json
/usr/share/dotnet/shared/Microsoft.AspNetCore.App/7.0.10/Microsoft.AspNetCore.App.deps.json
/app/XXXXXXXXX.App.deps.json
/app # dotnet --list-sdks
/app # dotnet --list-runtimes
Microsoft.AspNetCore.App 7.0.10 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 7.0.10 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
/app # grep -A 5 -i regular /usr/share/dotnet/shared/Microsoft.AspNetCore.App/7.0.10/Microsoft.AspNetCore.App.deps.json
/app # grep -A 5 -i regular /usr/share/dotnet/shared/Microsoft.NETCore.App/7.0.10/Microsoft.NETCore.App.deps.json
          "System.Text.RegularExpressions.dll": {
            "assemblyVersion": "7.0.0.0",
            "fileVersion": "7.0.1023.36312"
          },
          "System.Threading.Channels.dll": {
            "assemblyVersion": "7.0.0.0",
/app # grep -A 5 -i regular /app/XXXXXXXXX.App.deps.json
          "System.Text.RegularExpressions": "4.3.0",
          "System.Threading": "4.3.0",
          "System.Threading.Tasks": "4.3.0",
          "System.Threading.Timer": "4.3.0",
          "System.Xml.ReaderWriter": "4.3.0",
          "System.Xml.XDocument": "4.3.0"
--
      "System.Text.RegularExpressions/4.3.0": {
        "dependencies": {
          "System.Runtime": "4.3.0"
        }
      },
      "System.Threading/4.3.0": {
--
          "System.Text.RegularExpressions": "4.3.0",
          "System.Threading.Tasks": "4.3.0",
          "System.Threading.Tasks.Extensions": "4.5.4"
        }
      },
      "System.Xml.XDocument/4.3.0": {
--
    "System.Text.RegularExpressions/4.3.0": {
      "type": "package",
      "serviceable": true,
      "sha512": "sha512-RpT2DA+L660cBt1FssIE9CAGpLFdFPuheB7pLpKpn6ZXNby7jDERe8Ua/Ne2xGiwLVG2JOqziiaVCGDon5sKFA==",
      "path": "system.text.regularexpressions/4.3.0",
      "hashPath": "system.text.regularexpressions.4.3.0.nupkg.sha512"
    },
    "System.Threading/4.3.0": {
      "type": "package",
      "serviceable": true,
      "sha512": "sha512-VkUS0kOBcUf3Wwm0TSbrevDDZ6BlM+b/HRiapRFWjM5O0NS0LviG0glKmFK+hhPDd1XFeSdU1GmlLhb2CoVpIw==",
/app # find / -name "*RegularExpressions*"
/usr/share/dotnet/shared/Microsoft.NETCore.App/7.0.10/System.Text.RegularExpressions.dll

Reproduction Steps

Didn't reduce the project to minimal steps needed. But I guess the issue is reproducible when using the described nugget in any .net7 project.

Target

Container Image

Scanner

Vulnerability

Target OS

Ubuntu 22.04.1

Debug Output

2023-08-28T17:15:48.938+0200	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-08-28T17:15:48.945+0200	DEBUG	cache dir:  /home/ph/.cache/trivy
2023-08-28T17:15:48.945+0200	INFO	Need to update DB
2023-08-28T17:15:48.945+0200	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-08-28T17:15:48.945+0200	INFO	Downloading DB...
39.58 MiB / 39.58 MiB [--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 14.99 MiB p/s 2.8s
2023-08-28T17:15:52.589+0200	DEBUG	Updating database metadata...
2023-08-28T17:15:52.589+0200	DEBUG	DB Schema: 2, UpdatedAt: 2023-08-28 06:09:31.478888986 +0000 UTC, NextUpdate: 2023-08-28 12:09:31.478888586 +0000 UTC, DownloadedAt: 2023-08-28 15:15:52.589723545 +0000 UTC
2023-08-28T17:15:52.590+0200	INFO	Vulnerability scanning is enabled
2023-08-28T17:15:52.590+0200	DEBUG	Vulnerability type:  [os library]
2023-08-28T17:15:52.590+0200	INFO	Secret scanning is enabled
2023-08-28T17:15:52.590+0200	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-08-28T17:15:52.590+0200	INFO	Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
2023-08-28T17:15:52.592+0200	DEBUG	No secret config detected: trivy-secret.yaml
2023-08-28T17:15:52.592+0200	DEBUG	Image ID: sha256:3d85deb81e1825dd33455afceac561d5b3b8803c2966277ba089708dcf275b01
2023-08-28T17:15:52.592+0200	DEBUG	Diff IDs: [sha256:4693057ce2364720d39e57e85a5b8e0bd9ac3573716237736d6470ec5b7b7230 sha256:ec0e9c73c1654ac9abb90c5d9f7bf8570947e889adc9fe6cf1dce6115b1908b8 sha256:c7a4596c3ec7605d9c1a841ff4f0ab3b599cca6d7bc04347e2e6037448cd0ec2 sha256:9045950a4b7f0a8e6d6d434e9e1afb831f8a654d39b8c704882e52f70e6b9211 sha256:635ddc426177f446bddc2af43bb2f90a1aa8217f8be66eb7f8e3a5801241f885 sha256:a448a1c01d2fe6590e258af07ae5cf921b1e38c2dadf1ec54527a105f6c6b606 sha256:556e2f3e76cc7ceb4de5cf020aac59f1762a742814baa3642c927b3090a94082]
2023-08-28T17:15:52.592+0200	DEBUG	Base Layers: [sha256:4693057ce2364720d39e57e85a5b8e0bd9ac3573716237736d6470ec5b7b7230]
2023-08-28T17:15:52.597+0200	DEBUG	Missing image ID in cache: sha256:3d85deb81e1825dd33455afceac561d5b3b8803c2966277ba089708dcf275b01
2023-08-28T17:15:52.597+0200	DEBUG	Missing diff ID in cache: sha256:4693057ce2364720d39e57e85a5b8e0bd9ac3573716237736d6470ec5b7b7230
2023-08-28T17:15:52.597+0200	DEBUG	Missing diff ID in cache: sha256:ec0e9c73c1654ac9abb90c5d9f7bf8570947e889adc9fe6cf1dce6115b1908b8
2023-08-28T17:15:52.597+0200	DEBUG	Missing diff ID in cache: sha256:635ddc426177f446bddc2af43bb2f90a1aa8217f8be66eb7f8e3a5801241f885
2023-08-28T17:15:52.597+0200	DEBUG	Missing diff ID in cache: sha256:c7a4596c3ec7605d9c1a841ff4f0ab3b599cca6d7bc04347e2e6037448cd0ec2
2023-08-28T17:15:52.597+0200	DEBUG	Missing diff ID in cache: sha256:9045950a4b7f0a8e6d6d434e9e1afb831f8a654d39b8c704882e52f70e6b9211
2023-08-28T17:15:53.989+0200	DEBUG	Skipping directory: dev
2023-08-28T17:15:54.015+0200	DEBUG	Missing diff ID in cache: sha256:a448a1c01d2fe6590e258af07ae5cf921b1e38c2dadf1ec54527a105f6c6b606
2023-08-28T17:15:54.029+0200	DEBUG	Missing diff ID in cache: sha256:556e2f3e76cc7ceb4de5cf020aac59f1762a742814baa3642c927b3090a94082
2023-08-28T17:15:54.124+0200	DEBUG	Skipping directory: proc
2023-08-28T17:15:54.125+0200	DEBUG	Skipping directory: sys
2023-08-28T17:15:54.472+0200	DEBUG	No secrets found in container image config
2023-08-28T17:15:54.474+0200	INFO	Detected OS: alpine
2023-08-28T17:15:54.474+0200	INFO	Detecting Alpine vulnerabilities...
2023-08-28T17:15:54.474+0200	DEBUG	alpine: os version: 3.18
2023-08-28T17:15:54.474+0200	DEBUG	alpine: package repository: 3.18
2023-08-28T17:15:54.474+0200	DEBUG	alpine: the number of packages: 25
2023-08-28T17:15:54.479+0200	INFO	Number of language-specific files: 3
2023-08-28T17:15:54.479+0200	INFO	Detecting dotnet-core vulnerabilities...
2023-08-28T17:15:54.479+0200	DEBUG	Detecting library vulnerabilities, type: dotnet-core, path: usr/share/dotnet/shared/Microsoft.NETCore.App/7.0.10/Microsoft.NETCore.App.deps.json
2023-08-28T17:15:54.480+0200	DEBUG	Detecting library vulnerabilities, type: dotnet-core, path: usr/share/dotnet/shared/Microsoft.AspNetCore.App/7.0.10/Microsoft.AspNetCore.App.deps.json
2023-08-28T17:15:54.481+0200	DEBUG	Detecting library vulnerabilities, type: dotnet-core, path: app/XXXXXXXXX.App.deps.json

docker.XXXXXXXX/XXXX/XXXXXXX:X.XX-rc4 (alpine 3.18.3)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


app/XXXXXXXXX.App.deps.json (dotnet-core)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌────────────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                           │
├────────────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ System.Text.RegularExpressions │ CVE-2019-0820 │ HIGH     │ 4.3.0             │ 4.3.1         │ dotnet: timeouts for regular expressions are not enforced │
│                                │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0820                 │
└────────────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

Version

trivy --version
Version: 0.42.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-08-28 06:09:31.478888986 +0000 UTC
  NextUpdate: 2023-08-28 12:09:31.478888586 +0000 UTC
  DownloadedAt: 2023-08-28 15:15:52.589723545 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[CassandraWin]

Hello @pumpenschnabel ,
I have exactly the same issue for my .NET project. Did you have any progress on this?

Thanks for your help.

[pumpenschnabel]

Hi @CassandraWin,
unfortunately I didn't had progress on this. TBH, I didn't follow up this case at all.

[DmitriyLewen]

duplicate of #4282