Trivy only reports Alpine fixed vulnerabilities

[F-exf]

Description

Trivy uses the official Alpine Linux secdb to report on vulnerabilities affecting Alpine Linux. In the first paragraph of the Alpine Linux Security Issue Tracker page its mentioned that the secdb database only includes the Alpine fixes. The complete list of vulnerabilities being provided by Alpine Linux Security Issue Tracker.

Therefore, Trivy only reports fixed Alpine vulnerabilities.

Desired Behavior

Report "all vulnerabilities affecting" Alpine Linux components and not only the fixed one of the secdb.

As Alpine Linux Security Issue Tracker contains vulnerabilities which could potentially affect components reporting all those vulnerabilities would lead to many false positive. Example of such false positive is the CVE-2023-28118 on the snappy package. The CVE-2023-28118 affect the knplabs/snappy php component and not the google snappy which is provided by Alpine.

That being said, Trivy should at least report vulnerabilities for which there is a fix in other version of Alpine Linux (see the reproduction steps) and vulnerabilities for which there is no fix like CVE-2018-14628 affecting Samba.

Actual Behavior

Only vulnerabilities listed in the Alpine Linux fixed vulnerabilities database of in Alpine Linux secdb are reported by Trivy.

Reproduction Steps

As reported here, the cups component with versions below 2.4.7 is not fixed in Alpine 3.17 but is fixed in Alpine 3.18.

Search the CVE-2023-4504 in the Apline 3.18 secdb and in the Apline 3.17 secdb confirm the vulnerability have been fixed in 3.18 and not in 3.17.

One can create an image based on Alpine 3.17 with cups version 2.4.2-r3 and scan using Trivy as follows:

1. Create the following Dockerfile named Dockerfile.cups_3.17

   FROM alpine:3.17
   
   RUN apk update
   RUN apk add cups==2.4.2-r3

2. Build the Dockerfile

   docker build --tag LOCAL_REGISTRY_IP:LOCAL_REGISTRY_PORT/cups:3.17 -f Dockerfile.cups_3.17 .

3. Push the image to a registry running locally

   docker push LOCAL_REGISTRY_IP:LOCAL_REGISTRY_PORT/cups:3.17

4. Scan the image using Trivy latest version and database and acknowledge that there is no vulnerability reported.

   docker run --entrypoint trivy aquasec/trivy image --insecure --format table --scanners vuln --vuln-type os --debug --no-progress LOCAL_REGISTRY_IP:LOCAL_REGISTRY_PORT/cups:3.17
   
   LOCAL_REGISTRY_IP:LOCAL_REGISTRY_PORT/cups:3.17 (alpine 3.17.5)
   ===========================================
   Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Then one can create an image based on Alpine 3.18 with cups version 2.4.2-r3 and scan using Trivy as follows:

1. Create the following Dockerfile named Dockerfile.cups_3.18

   FROM alpine:3.18
   
   RUN echo "http://dl-cdn.alpinelinux.org/alpine/v3.17/main" >> /etc/apk/repositories
   RUN apk update
   RUN apk add cups==2.4.2-r3

2. Build the Dockerfile

   docker build --tag LOCAL_REGISTRY_IP:LOCAL_REGISTRY_PORT/cups:3.18 -f Dockerfile.cups_3.18 .

3. Push the image to a registry running locally

   docker push LOCAL_REGISTRY_IP:LOCAL_REGISTRY_PORT/cups:3.18

4. Scan the image using Trivy latest version and database and acknowledge that cups vulnerabilities are reported.

   docker run --entrypoint trivy aquasec/trivy image --insecure --format table --scanners vuln --vuln-type os --debug --no-progress LOCAL_REGISTRY_IP:LOCAL_REGISTRY_PORT/cups:3.18
   
   LOCAL_REGISTRY_IP:LOCAL_REGISTRY_PORT/cups:3.18 (alpine 3.18.3)
   ===========================================
   Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)
   
   ─────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────┐
   │   Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                   Title                    │
   ├─────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────┤
   │ cups        │ CVE-2023-4504  │ HIGH     │ fixed  │ 2.4.2-r3          │ 2.4.7-r0      │ Postscript Parsing Heap Overflow           │
   │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-4504  │
   │             ├────────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────┤
   │             │ CVE-2023-32324 │ MEDIUM   │        │                   │ 2.4.2-r7      │ heap buffer overflow may lead to DoS       │
   │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-32324 │
   ├─────────────┼────────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────┤
   │ cups-client │ CVE-2023-4504  │ HIGH     │        │                   │ 2.4.7-r0      │ Postscript Parsing Heap Overflow           │
   │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-4504  │
   │             ├────────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────┤
   │             │ CVE-2023-32324 │ MEDIUM   │        │                   │ 2.4.2-r7      │ heap buffer overflow may lead to DoS       │
   │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-32324 │
   └─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────┘

### Target

None

### Scanner

Vulnerability

### Output Format

Table

### Mode

Standalone

### Debug Output

```bash
docker run --entrypoint trivy aquasec/trivy image --insecure --format table --scanners vuln --vuln-type os --debug --no-progress LOCAL_REGISTRY_IP:LOCAL_REGISTRY_PORT/cups:3.18
2023-09-28T20:12:47.962Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-09-28T20:12:47.962Z        DEBUG   Ignore statuses {"statuses": null}
2023-09-28T20:12:47.974Z        DEBUG   cache dir:  /root/.cache/trivy
2023-09-28T20:12:47.975Z        DEBUG   There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
2023-09-28T20:12:47.975Z        INFO    Need to update DB
2023-09-28T20:12:47.975Z        INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2023-09-28T20:12:47.975Z        INFO    Downloading DB...
2023-09-28T20:12:47.975Z        DEBUG   no metadata file
2023-09-28T20:13:20.013Z        DEBUG   Updating database metadata...
2023-09-28T20:13:20.013Z        DEBUG   DB Schema: 2, UpdatedAt: 2023-09-28 18:15:38.619230819 +0000 UTC, NextUpdate: 2023-09-29 00:15:38.619229919 +0000 UTC, DownloadedAt: 2023-09-28 20:13:20.0134307 +0000 UTC
2023-09-28T20:13:20.013Z        INFO    Vulnerability scanning is enabled
2023-09-28T20:13:20.013Z        DEBUG   Vulnerability type:  [os]
2023-09-28T20:13:20.021Z        DEBUG   Image ID: sha256:4a4de80f9268043730371f74dcb4b21dc0a96b1afe25df445685baeb9f95cf3a
2023-09-28T20:13:20.021Z        DEBUG   Diff IDs: [sha256:4693057ce2364720d39e57e85a5b8e0bd9ac3573716237736d6470ec5b7b7230 sha256:a8adbd4f95594549d534a6593ee9bf26cdfc434278d81ae70e2b9cff090ed4db sha256:a0c04e62226548eb30f56eff32a212f767ed9c45c806280ba19818c209ee2830 sha256:a968e87289b8c9f2cb2882a3ed4d5058c9f559c7dad838ea8f9da28af99bbf51]
2023-09-28T20:13:20.021Z        DEBUG   Base Layers: [sha256:4693057ce2364720d39e57e85a5b8e0bd9ac3573716237736d6470ec5b7b7230]
2023-09-28T20:13:20.021Z        DEBUG   Missing image ID in cache: sha256:4a4de80f9268043730371f74dcb4b21dc0a96b1afe25df445685baeb9f95cf3a
2023-09-28T20:13:20.021Z        DEBUG   Missing diff ID in cache: sha256:a0c04e62226548eb30f56eff32a212f767ed9c45c806280ba19818c209ee2830
2023-09-28T20:13:20.021Z        DEBUG   Missing diff ID in cache: sha256:a8adbd4f95594549d534a6593ee9bf26cdfc434278d81ae70e2b9cff090ed4db
2023-09-28T20:13:20.021Z        DEBUG   Missing diff ID in cache: sha256:a968e87289b8c9f2cb2882a3ed4d5058c9f559c7dad838ea8f9da28af99bbf51
2023-09-28T20:13:20.021Z        DEBUG   Missing diff ID in cache: sha256:4693057ce2364720d39e57e85a5b8e0bd9ac3573716237736d6470ec5b7b7230
2023-09-28T20:13:20.046Z        DEBUG   Skipping directory: dev
2023-09-28T20:13:20.114Z        DEBUG   Skipping directory: proc
2023-09-28T20:13:20.114Z        DEBUG   Skipping directory: sys
2023-09-28T20:13:20.356Z        DEBUG   No secrets found in container image config
2023-09-28T20:13:20.358Z        INFO    Detected OS: alpine
2023-09-28T20:13:20.358Z        INFO    Detecting Alpine vulnerabilities...
2023-09-28T20:13:20.358Z        DEBUG   alpine: os version: 3.18
2023-09-28T20:13:20.358Z        DEBUG   alpine: package repository: 3.18
2023-09-28T20:13:20.358Z        DEBUG   alpine: the number of packages: 60

LOCAL_REGISTRY_IP:LOCAL_REGISTRY_PORT/cups:3.18 (alpine 3.18.3)
===========================================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)

┌─────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────┐
│   Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                   Title                    │
├─────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────┤
│ cups        │ CVE-2023-4504  │ HIGH     │ fixed  │ 2.4.2-r3          │ 2.4.7-r0      │ Postscript Parsing Heap Overflow           │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-4504  │
│             ├────────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────┤
│             │ CVE-2023-32324 │ MEDIUM   │        │                   │ 2.4.2-r7      │ heap buffer overflow may lead to DoS       │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-32324 │
├─────────────┼────────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────┤
│ cups-client │ CVE-2023-4504  │ HIGH     │        │                   │ 2.4.7-r0      │ Postscript Parsing Heap Overflow           │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-4504  │
│             ├────────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────┤
│             │ CVE-2023-32324 │ MEDIUM   │        │                   │ 2.4.2-r7      │ heap buffer overflow may lead to DoS       │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-32324 │
└─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────┘

Operating System

WSL

Version

docker run --entrypoint trivy aquasec/trivy --version
Version: 0.45.1

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @F-exf
Thanks for your report!

We currently have statuses for advisories.
Perhaps we can add advisories from Security Issue Tracker as under_investigation.
Security Issue Tracker also supports json format - Any URI on this tracker may be fetched with Accept: application/ld+json to get an equivalent JSON-LD document.

@knqyf263 wdyt?

[knqyf263]

Trivy currently doesn't show under_investigation vulnerabilities because they are not confirmed yet. I don't think we should show them by default. It might be ok when passing --status under_investigation, but it means we also need to support Red Hat, etc. I'm concerned our database size will get bigger.

[F-exf]

As mentioned in the expected behavior there is at least one case which should be reported without impacting the size of the database. This is if a CVE is fixed in another OS release. It is "standard" for maintainer (i.e.: Red Hat Maintenance Support 1 Phase, ) to prioritize fixes in the upstream release of the OS and fix only an handful of CVE in previous releases.

For other cases, I would agree that the database size could be an issue. Still I would prefer to have the choice between a scan with potential false positive results and scan with only confirmed vulnerabilities. That is either scan with a lightweight DB and a scan with a "paranoids" DB.

In some cases, I rather handle vulnerabilities with a status "under investigation" from the vendor than handling the case where a vulnerability is exploited and have to provide answers to the following questions to management:

• Aren't we scanning for vulnerabilities. Why it was not detected ?
• Even if there was no fix why haven't we mitigated it to reduce the risks ?
• Since how long we would have been affected by this vulnerability ?