False possitive on different frameworks

[msmolka]

IDs

CVE-2024-30105

Description

Based on information: dotnet/announcements#315
this is only affecting .NET 8
I have multitarget project with different version of related packages: packages.lock.json

Error is reported for not affected .net frameworks

Reproduction Steps

Added false positive packages file

Target

Container Image

Scanner

Vulnerability

Target OS

Ubuntu

Debug Output

2024-07-10T14:23:50.0479095Z ##[section]Starting: Run Trivy Scan
2024-07-10T14:23:50.0483731Z ==============================================================================
2024-07-10T14:23:50.0483853Z Task         : Trivy: Take control of your application security
2024-07-10T14:23:50.0484120Z Description  : Trivy is the world’s most popular open source vulnerability and misconfiguration scanner. It is reliable, fast, extremely easy to use, and it works wherever you need it.
2024-07-10T14:23:50.0484382Z Version      : 1.4.1
2024-07-10T14:23:50.0484457Z Author       : Aqua Security
2024-07-10T14:23:50.0484523Z Help         : [Learn more about this task](https://github.com/aquasecurity/trivy-azure-pipelines-task)
2024-07-10T14:23:50.0484653Z ==============================================================================
2024-07-10T14:23:50.3497035Z Preparing output location...
2024-07-10T14:23:50.3525582Z Run requested using docker...
2024-07-10T14:23:50.3551285Z Configuring options for image scan...
2024-07-10T14:23:50.3567294Z Running Trivy...
2024-07-10T14:23:50.3572590Z [command]/usr/bin/docker run --rm -v /home/vsts/.docker:/root/.docker -v /tmp:/tmp -v /home/vsts/work/1/s:/src --workdir /src aquasec/trivy:latest fs --exit-code 1 --format json --output /tmp/trivy-results-0.3906425815844079.json --security-checks vuln,config,secret --ignore-unfixed --debug .
2024-07-10T14:24:01.2196037Z Unable to find image 'aquasec/trivy:latest' locally
2024-07-10T14:24:01.2196241Z latest: Pulling from aquasec/trivy
2024-07-10T14:24:01.2196335Z d25f557d7f31: Already exists
2024-07-10T14:24:01.2196434Z 037a6c10ef0d: Pulling fs layer
2024-07-10T14:24:01.2196521Z 03a75a75154a: Pulling fs layer
2024-07-10T14:24:01.2196636Z c1cc37e8c713: Pulling fs layer
2024-07-10T14:24:01.2196725Z c1cc37e8c713: Verifying Checksum
2024-07-10T14:24:01.2196824Z c1cc37e8c713: Download complete
2024-07-10T14:24:01.2196914Z 037a6c10ef0d: Verifying Checksum
2024-07-10T14:24:01.2197002Z 037a6c10ef0d: Download complete
2024-07-10T14:24:01.2197098Z 03a75a75154a: Verifying Checksum
2024-07-10T14:24:01.2197194Z 03a75a75154a: Download complete
2024-07-10T14:24:01.2197290Z 037a6c10ef0d: Pull complete
2024-07-10T14:24:01.2197375Z 03a75a75154a: Pull complete
2024-07-10T14:24:01.2197467Z c1cc37e8c713: Pull complete
2024-07-10T14:24:01.2197583Z Digest: sha256:53e6715d5c67e80e629f0dfa3bd6ed2bc74bdcaa4bdbe934a5a1811a249db6b9
2024-07-10T14:24:01.2197712Z Status: Downloaded newer image for aquasec/trivy:latest
2024-07-10T14:24:01.2197928Z 2024/07/10 14:23:54 WARN '--security-checks' is deprecated. Use '--scanners' instead.
2024-07-10T14:24:01.2198110Z 2024-07-10T14:23:54Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2024-07-10T14:24:01.2198322Z 2024-07-10T14:23:54Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-07-10T14:24:01.2198629Z 2024-07-10T14:23:54Z	WARN	'--scanners config' is deprecated. Use '--scanners misconfig' instead. See https://github.com/aquasecurity/trivy/discussions/5586 for the detail.
2024-07-10T14:24:01.2198958Z 2024-07-10T14:23:54Z	DEBUG	Ignore statuses	statuses=[0 1 2 4 5 6 7]
2024-07-10T14:24:01.2199315Z 2024-07-10T14:23:54Z	DEBUG	There is no valid metadata file	err="unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory"
2024-07-10T14:24:01.2199597Z 2024-07-10T14:23:54Z	INFO	Need to update DB
2024-07-10T14:24:01.2199862Z 2024-07-10T14:23:54Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-10T14:24:01.2200111Z 2024-07-10T14:23:54Z	DEBUG	No metadata file
2024-07-10T14:24:01.2201874Z 26.85 MiB / 49.54 MiB [--------------------------------->___________________________] 54.20% ? p/s ?49.54 MiB / 49.54 MiB [----------------------------------------------------------->] 100.00% ? p/s ?49.54 MiB / 49.54 MiB [----------------------------------------------------------->] 100.00% ? p/s ?49.54 MiB / 49.54 MiB [---------------------------------------------->] 100.00% 37.82 MiB p/s ETA 0s49.54 MiB / 49.54 MiB [---------------------------------------------->] 100.00% 37.82 MiB p/s ETA 0s49.54 MiB / 49.54 MiB [---------------------------------------------->] 100.00% 37.82 MiB p/s ETA 0s49.54 MiB / 49.54 MiB [---------------------------------------------->] 100.00% 35.38 MiB p/s ETA 0s49.54 MiB / 49.54 MiB [---------------------------------------------->] 100.00% 35.38 MiB p/s ETA 0s49.54 MiB / 49.54 MiB [---------------------------------------------->] 100.00% 35.38 MiB p/s ETA 0s49.54 MiB / 49.54 MiB [---------------------------------------------->] 100.00% 33.10 MiB p/s ETA 0s49.54 MiB / 49.54 MiB [---------------------------------------------->] 100.00% 33.10 MiB p/s ETA 0s49.54 MiB / 49.54 MiB [-------------------------------------------------] 100.00% 24.44 MiB p/s 2.2s2024-07-10T14:23:57Z	DEBUG	Updating database metadata...
2024-07-10T14:24:01.2203565Z 2024-07-10T14:23:57Z	DEBUG	DB info	schema=2 updated_at=2024-07-10T12:18:11.318231922Z next_update=2024-07-10T18:18:11.3182311Z downloaded_at=2024-07-10T14:23:57.682418883Z
2024-07-10T14:24:01.2203904Z 2024-07-10T14:23:57Z	INFO	Vulnerability scanning is enabled
2024-07-10T14:24:01.2204166Z 2024-07-10T14:23:57Z	DEBUG	Vulnerability type	type=[os library]
2024-07-10T14:24:01.2204402Z 2024-07-10T14:23:57Z	INFO	Misconfiguration scanning is enabled
2024-07-10T14:24:01.2204741Z 2024-07-10T14:23:57Z	DEBUG	Failed to open the check metadata	err="open /root/.cache/trivy/policy/metadata.json: no such file or directory"
2024-07-10T14:24:01.2205024Z 2024-07-10T14:23:57Z	INFO	Need to update the built-in policies
2024-07-10T14:24:01.2205314Z 2024-07-10T14:23:57Z	INFO	Downloading the built-in policies...
2024-07-10T14:24:01.2205603Z 2024-07-10T14:23:57Z	DEBUG	Loading check bundle	repository="ghcr.io/aquasecurity/trivy-checks:0"
2024-07-10T14:24:01.2206153Z 74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-10T14:23:58Z	DEBUG	Digest of the built-in policies	digest="sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3"
2024-07-10T14:24:01.2206523Z 2024-07-10T14:23:58Z	DEBUG	Policies successfully loaded from disk
2024-07-10T14:24:01.2206762Z 2024-07-10T14:23:58Z	INFO	Secret scanning is enabled
2024-07-10T14:24:01.2207052Z 2024-07-10T14:23:58Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-10T14:24:01.2207435Z 2024-07-10T14:23:58Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-10T14:24:01.2207865Z 2024-07-10T14:23:58Z	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-07-10T14:24:01.2208191Z 2024-07-10T14:23:58Z	DEBUG	Initializing scan cache...	type="memory"
2024-07-10T14:24:01.2208471Z 2024-07-10T14:23:58Z	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-07-10T14:24:01.2208779Z 2024-07-10T14:23:58Z	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-07-10T14:24:01.2209038Z 2024-07-10T14:23:58Z	DEBUG	Skipping path	path=".git"
2024-07-10T14:24:01.2209308Z 2024-07-10T14:23:58Z	DEBUG	Scanning files for misconfigurations...	scanner="CloudFormation"
2024-07-10T14:24:01.2209594Z 2024-07-10T14:23:58Z	DEBUG	Scanning files for misconfigurations...	scanner="Helm"
2024-07-10T14:24:01.2209922Z 2024-07-10T14:23:58Z	DEBUG	[misconf] 23:58.689498228 helm.scanner.rego                Overriding filesystem for checks!
2024-07-10T14:24:01.2210271Z 2024-07-10T14:23:58Z	DEBUG	[misconf] 23:58.690822329 helm.scanner.rego                Loaded 3 embedded libraries.
2024-07-10T14:24:01.2210603Z 2024-07-10T14:23:58Z	DEBUG	[misconf] 23:58.750807097 helm.scanner.rego                Loaded 192 embedded policies.
2024-07-10T14:24:01.2211014Z 2024-07-10T14:23:58Z	DEBUG	[misconf] 23:58.838777697 helm.scanner.rego                Loaded 195 checks from disk.
2024-07-10T14:24:01.2211349Z 2024-07-10T14:23:58Z	DEBUG	[misconf] 23:58.839346598 helm.scanner.rego                Overriding filesystem for data!
2024-07-10T14:24:01.2211609Z 2024-07-10T14:23:59Z	DEBUG	OS is not detected.
2024-07-10T14:24:01.2211880Z 2024-07-10T14:23:59Z	DEBUG	Detected OS: unknown
2024-07-10T14:24:01.2212126Z 2024-07-10T14:23:59Z	INFO	Number of language-specific files	num=7
2024-07-10T14:24:01.2212369Z 2024-07-10T14:23:59Z	INFO	[nuget] Detecting vulnerabilities...
2024-07-10T14:24:01.2212700Z 2024-07-10T14:23:59Z	DEBUG	[nuget] Scanning packages for vulnerabilities	file_path="*/packages.lock.json"
2024-07-10T14:24:01.2213081Z 2024-07-10T14:23:59Z	DEBUG	[nuget] Scanning packages for vulnerabilities	file_path="*/packages.lock.json"
2024-07-10T14:24:01.2213487Z 2024-07-10T14:23:59Z	DEBUG	[nuget] Scanning packages for vulnerabilities	file_path="*/packages.lock.json"
2024-07-10T14:24:01.2213905Z 2024-07-10T14:23:59Z	DEBUG	[nuget] Scanning packages for vulnerabilities	file_path="*/packages.lock.json"
2024-07-10T14:24:01.2214311Z 2024-07-10T14:23:59Z	DEBUG	[nuget] Scanning packages for vulnerabilities	file_path="*/packages.lock.json"
2024-07-10T14:24:01.2214714Z 2024-07-10T14:23:59Z	DEBUG	[nuget] Scanning packages for vulnerabilities	file_path="*/packages.lock.json"
2024-07-10T14:24:01.2215107Z 2024-07-10T14:23:59Z	DEBUG	[nuget] Scanning packages for vulnerabilities	file_path="*/packages.lock.json"
2024-07-10T14:24:01.2215396Z 2024-07-10T14:23:59Z	INFO	Detected config files	num=0
2024-07-10T14:24:01.2215633Z 2024-07-10T14:23:59Z	DEBUG	Found an ignore file	path=".trivyignore"
2024-07-10T14:24:01.2247195Z ##[error]Failed: Trivy detected problems.
2024-07-10T14:24:01.2262024Z Publishing JSON results...
2024-07-10T14:24:01.2268781Z Done!
2024-07-10T14:24:01.2361010Z ##[section]Finishing: Run Trivy Scan

Version

1.4.1

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @msmolka
Thanks for your report!

Unfortunately, GitHub advisory database (we use this db for .NET vulns (https://aquasecurity.github.io/trivy/v0.53/docs/scanner/vulnerability/#data-sources_1)) doesn't contain field for version of .NET (only advisory details contains info about this) - https://github.com/github/advisory-database/blob/6df7efcdc10c4eb50944a87965dd1e6080791acf/advisories/github-reviewed/2024/07/GHSA-hh2w-p6rv-4g7w/GHSA-hh2w-p6rv-4g7w.json#L4

So we have no way to get this information (there are no rules for getting detailed information, and we can't get the .net version from this field).

You can write module or use VEX to skip this CVE for your case.

Regards, Dmitriy

[msmolka]

But you have ranges here:

So, anything lower than 7.0.0 should not be affected, So only resolved between 7.0.0 and 8.0.3 should report bug

[DmitriyLewen]

You are right!

[DmitriyLewen]

I checked your file.
Trivy doesn't detect CVE-2024-30105 for your file:

➜ trivy fs ./packages.lock.json 
2024-07-11T16:30:39+06:00	INFO	Reading a module...	path="pybin/detector/pybin.wasm"
2024-07-11T16:30:39+06:00	INFO	Module loaded	path="pybin/detector/pybin.wasm"
2024-07-11T16:30:39+06:00	INFO	Registering WASM module	name="pybin-detector" version=1
2024-07-11T16:30:39+06:00	INFO	Vulnerability scanning is enabled
2024-07-11T16:30:39+06:00	INFO	Secret scanning is enabled
2024-07-11T16:30:39+06:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-11T16:30:39+06:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-11T16:30:39+06:00	INFO	Number of language-specific files	num=1
2024-07-11T16:30:39+06:00	INFO	[nuget] Detecting vulnerabilities...

[msmolka]

I'm using devOps trivy. It looks it is a bit outdated. Will try new version first, sorry for inconvenience, I need to double check env then

[msmolka]

It looks there is still old version on marketplace::

[DmitriyLewen]

hmm... we are not using major version (v0.Y.Z).
So you need to understand which version of Trivy you are using.

[DmitriyLewen]

I think i found - https://marketplace.visualstudio.com/items?itemName=AquaSecurityOfficial.trivy-official

@simar7 I saw that you merged PRs in https://github.com/aquasecurity/trivy-azure-pipelines-task
Can you take a look?
UUIC you bumped Trivy version (aquasecurity/trivy-azure-pipelines-task#67) and new release is required.
also it may be necessary to bump version on marketplace, since version on marketplace shows "1.4.1" and GH repository has version "1.4.2".

[msmolka]

Any update on this? I really would like to be able to use trivy again in proper way :(