False positives on Bitnami packages due to versions with revisions #5622
Replies: 2 comments 3 replies
-
|
In the branch below on my fork, I implemented a possible solution for this based on a new "comparer" for Bitnami packages: This is based on some changes I introduced at a go-version module fork, see: |
Beta Was this translation helpful? Give feedback.
-
|
From the Trivy perspective, it's not false detection as Trivy just follows the semantic versioning. If Bitnami wants to use revisions, you should define another versioning or pick up the existing versioning compatible with Bitnami's versioning. For example, RPM has revisions (called DEB also has If Bitnami versioning is different from any existing versioning, then it should clearly define the versioning specifications (e.g. PEP440. The versioning is crucial for vulnerability scanning. IMHO, I hope no more new versioning will appear 😄 Many vendors and languages adopt different versioning, and I implemented a bunch of libraries. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks @knqyf263 ! I think we can use debian versioning. |
Beta Was this translation helpful? Give feedback.
-
|
Looks good! |
Beta Was this translation helpful? Give feedback.
-
|
I can confirm this issue is solved on 0.48.1 that includes the fix below: |
Beta Was this translation helpful? Give feedback.
-
IDs
none
Description
Bitnami packages use semver for versioning. This versioning is built based on the upstream project's versioning appending a revision (
-X) to reflect changes on Bitnami packaging (e.g. if the compilation recipe used to build binaries changed).For instance, if we inspect this Dockerfile used to build
bitnami/apachecontainer, we can see the versioning for "apache" package is2.4.58-1, where-1indicates the revision.However, according to the semver spec, these revision are considered pre-releases and this is problematic since the semver package used by Trivy for comparing versions will consider any
x.y.z-Rversion lower thanx.y.z. And, reverting this versioning would have a high cost on Bitnami systems.Currently, this is not a problem given both vulnerabilities listed at Bitnami Vulnerability Database and SPDX files shipped on Bitnami containers ignore revisions when listing packages. That said, we (Bitnami team) would like to start using revisions on both the vulnerability feed and SBOM(s) since there are use cases where a CVE can be fixed at a specific revision (e.g. using certain compilation flags to mitigate it).
Let's use this issue to discuss possible alternatives to avoid false positives detections if revisions are used.
Reproduction Steps
{ "SPDXID": "SPDXRef-XXX", "spdxVersion": "SPDX-2.3", "creationInfo": { "created": "2023-11-10T15:04:13.848Z", "creators": [ "Organization: VMware, Inc." ] }, "name": "SPDX document for XXX 0.1.0", "dataLicense": "CC0-1.0", "documentDescribes": [ "SPDXRef-XXX" ], "documentNamespace": "XXX-0.1.0", "packages": [ { "SPDXID": "SPDXRef-gdal", "name": "GDAL", "versionInfo": "3.4.0", "downloadLocation": "https://github.com/OSGeo/gdal/releases/download/v3.4.0/gdal-3.4.0.tar.gz", "licenseConcluded": "MIT", "licenseDeclared": "MIT", "filesAnalyzed": false, "externalRefs": [ { "referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:*:osgeo:gdal:3.4.0:*:*:*:*:*:*:*" }, { "referenceCategory": "PACKAGE_MANAGER", "referenceType": "purl", "referenceLocator": "pkg:bitnami/[email protected]" } ], "copyrightText": "NOASSERTION" } ], "files": [], "relationships": [] }$ trivy -q sbom gdal.spdxshows no vulnerabilities.$ trivy -q sbom gdal.spdxagain:Target
Container Image or SBOM
Scanner
Vulnerability
Version
Checklist
-f jsonthat shows data sources and confirmed that the security advisory in data sources was correctBeta Was this translation helpful? Give feedback.
All reactions