actions/trivy-action
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: actions:0.4.1
Branches Tags
actions:master actions:fix-gh-actions actions:bump-trivy-1751468699 actions:update-default-version actions:use-pinned-version actions:update-to-v0.45.0 actions:update-trivy-v0.43.1 actions:bump-trivy-3 actions:bump-trivy actions:add-support-for-trivy-config actions:fix-golden-files actions:exit-code-test actions:update-tarball-docs actions:volume-mounts actions:update-readme actions:revert-45-fix_sarif_duplicate_rule_id actions:knqyf263-patch-1 actions:artifact_types actions:sarif-support-2
actions:0.33.1 actions:0.33.0 actions:0.32.0 actions:0.31.0 actions:0.30.0 actions:0.29.0 actions:0.28.0 actions:0.27.0 actions:0.26.0 actions:0.25.0 actions:0.24.0 actions:0.23.0 actions:0.22.0 actions:0.21.0 actions:0.20.0 actions:0.19.0 actions:0.18.0 actions:0.17.0 actions:0.16.1 actions:0.16.0 actions:0.15.0 actions:0.14.0 actions:0.13.1 actions:0.13.0 actions:0.12.0 actions:0.11.2 actions:0.11.1 actions:0.11.0 actions:0.10.0 actions:0.9.2 actions:0.9.1 actions:0.9.0 actions:0.8.0 actions:0.7.1 actions:0.7.0 actions:0.6.2 actions:0.6.1 actions:0.6.0 actions:0.5.1 actions:0.5.0 actions:0.4.1 actions:0.4.0 actions:0.3.0 actions:0.2.5 actions:0.2.4 actions:0.2.3 actions:0.2.2 actions:0.2.1 actions:0.2.0 actions:0.1.0 actions:0.0.22 actions:0.0.21 actions:0.0.20 actions:0.0.19 actions:0.0.18 actions:0.0.17 actions:0.0.16 actions:0.0.15 actions:0.0.14 actions:0.0.13 actions:0.0.12 actions:0.0.11 actions:v0.0.10 actions:0.0.10 actions:0.0.9 actions:0.0.8 actions:0.0.7 actions:0.0.6 actions:0.0.5 actions:0.0.4 actions:0.0.3 actions:0.0.2 actions:0.0.1
..
compare: actions:0.8.0
Branches Tags
actions:master actions:fix-gh-actions actions:bump-trivy-1751468699 actions:update-default-version actions:use-pinned-version actions:update-to-v0.45.0 actions:update-trivy-v0.43.1 actions:bump-trivy-3 actions:bump-trivy actions:add-support-for-trivy-config actions:fix-golden-files actions:exit-code-test actions:update-tarball-docs actions:volume-mounts actions:update-readme actions:revert-45-fix_sarif_duplicate_rule_id actions:knqyf263-patch-1 actions:artifact_types actions:sarif-support-2
actions:0.33.1 actions:0.33.0 actions:0.32.0 actions:0.31.0 actions:0.30.0 actions:0.29.0 actions:0.28.0 actions:0.27.0 actions:0.26.0 actions:0.25.0 actions:0.24.0 actions:0.23.0 actions:0.22.0 actions:0.21.0 actions:0.20.0 actions:0.19.0 actions:0.18.0 actions:0.17.0 actions:0.16.1 actions:0.16.0 actions:0.15.0 actions:0.14.0 actions:0.13.1 actions:0.13.0 actions:0.12.0 actions:0.11.2 actions:0.11.1 actions:0.11.0 actions:0.10.0 actions:0.9.2 actions:0.9.1 actions:0.9.0 actions:0.8.0 actions:0.7.1 actions:0.7.0 actions:0.6.2 actions:0.6.1 actions:0.6.0 actions:0.5.1 actions:0.5.0 actions:0.4.1 actions:0.4.0 actions:0.3.0 actions:0.2.5 actions:0.2.4 actions:0.2.3 actions:0.2.2 actions:0.2.1 actions:0.2.0 actions:0.1.0 actions:0.0.22 actions:0.0.21 actions:0.0.20 actions:0.0.19 actions:0.0.18 actions:0.0.17 actions:0.0.16 actions:0.0.15 actions:0.0.14 actions:0.0.13 actions:0.0.12 actions:0.0.11 actions:v0.0.10 actions:0.0.10 actions:0.0.9 actions:0.0.8 actions:0.0.7 actions:0.0.6 actions:0.0.5 actions:0.0.4 actions:0.0.3 actions:0.0.2 actions:0.0.1

14 Commits
0.4.1 .. 0.8.0

Author SHA1 Message Date
Aibek
9ab158e859 Add 0.34.0 release (#177) 
* bump to ghcr.io/aquasecurity/trivy:0.33.0

* fix tests

* bump to 0.34.0
 2022-10-31 17:18:27 -07:00
Lior Vaisman Argon
e55de85bee Add npm to action Dockerfile (#176) 2022-10-25 07:04:22 -07:00
chejn
d63413b0a4 Fix github dependency submission API call (#162) 
* Update entrypoint.sh

* Update entrypoint.sh

* Update entrypoint.sh
 2022-08-17 14:54:57 -07:00
simar7
1db49f5326 feat(trivy): Bump Trivy to v0.31.0 (#165) 
Fixes: https://github.com/aquasecurity/trivy-action/issues/164

Signed-off-by: Simar <simar@linux.com>

Signed-off-by: Simar <simar@linux.com>
 2022-08-16 17:25:38 -07:00
Engin Diri
12814ff8bc docs: correct format and add output on config scan with sarif (#159) 2022-08-15 11:09:42 -07:00
simar7
cb606dfdb0 fix(sarif): Add timeout and security-checks for sarif (#156) 2022-08-03 17:32:25 -07:00
Carol Valencia
0d7cf2ddfb chore: improve message output sbom with gh (#145) 
* fix: merge with master- entrypoint

* chore: gitignore .vscode

Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-08-02 15:24:58 -07:00
simar7
5144f05a8d fix(config): Drop mixing of options with yaml config. (#148) 
Also adds some documentation explaining how the config
and flags are used in conjunction with each other.

Fixes: https://github.com/aquasecurity/trivy-action/issues/147

Signed-off-by: Simar <simar@linux.com>
 2022-07-29 14:30:07 -07:00
simar7
81b9a6f5ab Update Dockerfile (#152) 2022-07-26 13:08:58 -07:00
simar7
503d3abc15 feat(yaml): Add support for trivy.yaml (#143) 
* feat(yaml): Add support for trivy.yaml

Signed-off-by: Simar <simar@linux.com>

* chore: fixing test using trivy v 0.30.0

* chore(deps): Update to use Trivy v0.30.2

Signed-off-by: Simar <simar@linux.com>

Co-authored-by: carolina valencia <krol3@users.noreply.github.com>
 2022-07-21 16:36:46 -07:00
simar7
0105373003 docs(trivy): Add instructions to scan tarballs. (#134) 
Signed-off-by: Simar <simar@linux.com>
 2022-06-29 14:34:09 -07:00
simar7
bc615ae2d7 fix(tests): Update test golden files for Trivy v0.29.2 (#136) 
Fixes: https://github.com/aquasecurity/trivy-action/issues/133
Fixes: https://github.com/aquasecurity/trivy-action/issues/135

Signed-off-by: Simar <simar@linux.com>
 2022-06-29 14:33:23 -07:00
simar7
7b7aa264d8 feat(SBOM): Support SBOM generation (#129) 
* feat(sbom): Support SBOM generation

Signed-off-by: Simar <simar@linux.com>

* Update README.md

Co-authored-by: Itay Shakury <itay@itaysk.com>

* feat(sbom): Send results within the entrypoint.sh

* fix(sbom): Fix leading whitespaces for format var.

Signed-off-by: Simar <simar@linux.com>

* docs(sbom): Update README.md

* docs(sbom): Update README.md

* chore(trivy): Bump Trivy version to 0.29.1

Signed-off-by: Simar <simar@linux.com>

* feat(sbom): Change to fs scan.

Signed-off-by: Simar <simar@linux.com>

* fix(tests): Update SARIF goldenfile

Co-authored-by: Itay Shakury <itay@itaysk.com>
 2022-06-22 11:24:39 -07:00
nleconte-csgroup
63b6e4c61b docs: added missing HTML template and removed deprecated SARIF template (#132) 
* docs: add missing template

* docs: add missing template and remove deprecated

Add missing HTML template
Remove deprecated SARIF template

* docs: remove deprecated SARIF template
 2022-06-21 11:46:57 -07:00
19 changed files with 708 additions and 3848 deletions
Expand all files Collapse all files
.github/workflows/build.yaml
Vendored
+7 -3
View File
@@ -1,7 +1,8 @@
name: "build"
on: [push, pull_request]
env:
TRIVY_VERSION: 0.29.0
TRIVY_VERSION: 0.34.0
BATS_LIB_PATH: '/usr/lib/'
jobs:
build:
name: build
@@ -11,7 +12,10 @@ jobs:
- name: Setup BATS
uses: mig4/setup-bats@v1
with:
bats-version: 1.2.1
bats-version: 1.7.0
- name: Setup Bats libs
uses: brokenpip3/setup-bats-libs@0.1.0
- name: Check out code
uses: actions/checkout@v1
@@ -21,4 +25,4 @@ jobs:
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
- name: Test
run: bats -r .
run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing .
.gitignore
Vendored
+1
View File
@@ -2,3 +2,4 @@
*.test
!test/data/*.test
trivyignores
.vscode/
Dockerfile
+2 -2
View File
@@ -1,5 +1,5 @@
FROM ghcr.io/aquasecurity/trivy:0.29.0
FROM ghcr.io/aquasecurity/trivy:0.34.0
COPY entrypoint.sh /
RUN apk --no-cache add bash
RUN apk --no-cache add bash curl npm
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
Makefile
+4
View File
@@ -0,0 +1,4 @@
.PHONY: test
test:
BATS_LIB_PATH=/usr/local/lib/ bats -r .
README.md
+149 -45
View File
@@ -19,7 +19,7 @@
## Usage
### Workflow
### Scan CI Pipeline
```yaml
name: build
@@ -31,15 +31,13 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
@@ -51,6 +49,78 @@ jobs:
severity: 'CRITICAL,HIGH'
```
### Scan CI Pipeline (w/ Trivy Config)
```yaml
name: build
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
trivy-config: trivy.yaml
```
In this case `trivy.yaml` is a YAML configuration that is checked in as part of the repo. Detailed information is available on the Trivy website but an example is as follows:
```yaml
format: json
exit-code: 1
severity: CRITICAL
```
It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. Defining the following is required as they cannot be defined with the config file:
- `scan-ref`: If using `fs, repo` scans.
- `image-ref`: If using `image` scan.
- `scan-type`: To define the scan type, e.g. `image`, `fs`, `repo`, etc.
#### Order of prerference for options
Trivy uses [Viper](https://github.com/spf13/viper) which has a defined precedence order for options. The order is as follows:
- GitHub Action flag
- Environment variable
- Config file
- Default
### Scanning a Tarball
```yaml
name: build
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Generate tarball from image
run: |
docker pull <your-docker-image>
docker save -o vuln-image.tar <your-docker-image>
- name: Run Trivy vulnerability scanner in tarball mode
uses: aquasecurity/trivy-action@master
with:
input: /github/workspace/vuln-image.tar
severity: 'CRITICAL,HIGH'
```
### Using Trivy with GitHub Code Scanning
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
```yaml
@@ -63,10 +133,10 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
@@ -98,10 +168,10 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
@@ -137,10 +207,10 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
@@ -171,10 +241,10 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner with rootfs command
uses: aquasecurity/trivy-action@master
@@ -206,17 +276,18 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner in IaC mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'config'
hide-progress: false
format: 'table'
format: 'sarif'
output: 'trivy-results.sarif'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
@@ -227,6 +298,38 @@ jobs:
sarif_file: 'trivy-results.sarif'
```
### Using Trivy to generate SBOM
It's possible for Trivy to generate an SBOM of your dependencies and submit them to a consumer like GitHub Dependency Snapshot.
The sending of SBOM to GitHub feature is only available if you currently have [GitHub Dependency Snapshot](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) available to you in your repo.
In order to send results to the GitHub Dependency Snapshot, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
```yaml
---
name: Pull Request
on:
push:
branches:
- master
pull_request:
jobs:
build:
name: Checks
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
format: 'github'
output: 'dependency-results.sbom.json'
image-ref: '.'
github-pat: '<github_pat_token>'
```
### Using Trivy to scan your private registry
It's also possible to scan your private registry with Trivy's built-in image scan. All you have to do is set ENV vars.
@@ -243,10 +346,10 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
@@ -279,10 +382,10 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
@@ -315,10 +418,10 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
@@ -348,10 +451,10 @@ on:
jobs:
build:
name: Build
runs-on: ubuntu-18.04
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
@@ -375,28 +478,29 @@ jobs:
Following inputs can be used as `step.with` keys:
| Name | Type | Default | Description |
|------------------|---------|------------------------------------|-----------------------------------------------|
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs`|
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.`|
| `format` | String | `table` | Output format (`table`, `json`, `sarif`) |
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`)|
| `output` | String | | Save results to a file |
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
| `cache-dir` | String | | Cache directory |
| `timeout` | String | `5m0s` | Scan timeout duration |
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
| `hide-progress` | String | `true` | Suppress progress bar |
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
| `security-checks`| String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`)|
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
| Name | Type | Default | Description |
|-------------------|---------|------------------------------------|-------------------------------------------------------------------------------------------------|
| `scan-type` | String | `image` | Scan type, e.g. `image` or `fs` |
| `input` | String | | Tar reference, e.g. `alpine-latest.tar` |
| `image-ref` | String | | Image reference, e.g. `alpine:3.10.2` |
| `scan-ref` | String | `/github/workspace/` | Scan reference, e.g. `/github/workspace/` or `.` |
| `format` | String | `table` | Output format (`table`, `json`, `sarif`, `github`) |
| `template` | String | | Output template (`@/contrib/gitlab.tpl`, `@/contrib/junit.tpl`) |
| `output` | String | | Save results to a file |
| `exit-code` | String | `0` | Exit code when specified vulnerabilities are found |
| `ignore-unfixed` | Boolean | false | Ignore unpatched/unfixed vulnerabilities |
| `vuln-type` | String | `os,library` | Vulnerability types (os,library) |
| `severity` | String | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Severities of vulnerabilities to scanned for and displayed |
| `skip-dirs` | String | | Comma separated list of directories where traversal is skipped |
| `skip-files` | String | | Comma separated list of files where traversal is skipped |
| `cache-dir` | String | | Cache directory |
| `timeout` | String | `5m0s` | Scan timeout duration |
| `ignore-policy` | String | | Filter vulnerabilities with OPA rego language |
| `hide-progress` | String | `true` | Suppress progress bar |
| `list-all-pkgs` | String | | Output all packages regardless of vulnerability |
| `security-checks` | String | `vuln,secret` | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`) |
| `trivyignores` | String | | comma-separated list of relative paths in repository to one or more `.trivyignore` files |
| `github-pat` | String | | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots |
[release]: https://github.com/aquasecurity/trivy-action/releases/latest
[release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github
action.yaml
+13 -3
View File
@@ -20,7 +20,6 @@ inputs:
exit-code:
description: 'exit code when vulnerabilities were found'
required: false
default: '0'
ignore-unfixed:
description: 'ignore unfixed vulnerabilities'
required: false
@@ -38,7 +37,7 @@ inputs:
required: false
default: 'table'
template:
description: 'use an existing template for rendering output (@/contrib/sarif.tpl, @/contrib/gitlab.tpl, @/contrib/junit.tpl'
description: 'use an existing template for rendering output (@/contrib/gitlab.tpl, @/contrib/junit.tpl, @/contrib/html.tpl)'
required: false
default: ''
output:
@@ -68,7 +67,6 @@ inputs:
hide-progress:
description: 'hide progress output'
required: false
default: 'true'
list-all-pkgs:
description: 'output all packages regardless of vulnerability'
required: false
@@ -81,6 +79,16 @@ inputs:
description: 'comma-separated list of relative paths in repository to one or more .trivyignore files'
required: false
default: ''
artifact-type:
description: 'input artifact type (image, fs, repo, archive) for SBOM generation'
required: false
github-pat:
description: 'GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API'
required: false
trivy-config:
description: 'path to trivy.yaml config'
required: false
runs:
using: 'docker'
image: "Dockerfile"
@@ -105,3 +113,5 @@ runs:
- '-r ${{ inputs.list-all-pkgs }}'
- '-s ${{ inputs.security-checks }}'
- '-t ${{ inputs.trivyignores }}'
- '-u ${{ inputs.github-pat }}'
- '-v ${{ inputs.trivy-config }}'
entrypoint.sh
+32 -6
View File
@@ -1,6 +1,6 @@
#!/bin/bash
set -e
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:" o; do
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
case "${o}" in
a)
export scanType=${OPTARG}
@@ -62,9 +62,16 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:" o; do
t)
export trivyIgnores=${OPTARG}
;;
u)
export githubPAT=${OPTARG}
;;
v)
export trivyConfig=${OPTARG}
;;
esac
done
scanType=$(echo $scanType | tr -d '\r')
export artifactRef="${imageRef}"
if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ];then
@@ -84,6 +91,7 @@ fi
SARIF_ARGS=""
ARGS=""
format=$(echo $format | xargs)
if [ $format ];then
ARGS="$ARGS --format $format"
fi
@@ -97,12 +105,13 @@ if [ "$ignoreUnfixed" == "true" ] && [ "$scanType" != "config" ];then
ARGS="$ARGS --ignore-unfixed"
SARIF_ARGS="$SARIF_ARGS --ignore-unfixed"
fi
if [ $vulnType ] && [ "$scanType" != "config" ];then
if [ $vulnType ] && [ "$scanType" != "config" ] && [ "$scanType" != "sbom" ];then
ARGS="$ARGS --vuln-type $vulnType"
SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
fi
if [ $securityChecks ];then
ARGS="$ARGS --security-checks $securityChecks"
SARIF_ARGS="$SARIF_ARGS --security-checks $securityChecks"
fi
if [ $severity ];then
ARGS="$ARGS --severity $severity"
@@ -133,6 +142,7 @@ if [ $trivyIgnores ];then
fi
if [ $timeout ];then
ARGS="$ARGS --timeout $timeout"
SARIF_ARGS="$SARIF_ARGS --timeout $timeout"
fi
if [ $ignorePolicy ];then
ARGS="$ARGS --ignore-policy $ignorePolicy"
@@ -153,10 +163,17 @@ if [ "$skipFiles" ];then
done
fi
echo "Running trivy with options: ${ARGS}" "${artifactRef}"
echo "Global options: " "${GLOBAL_ARGS}"
trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
returnCode=$?
trivyConfig=$(echo $trivyConfig | tr -d '\r')
if [ $trivyConfig ]; then
echo "Running Trivy with trivy.yaml config from: " $trivyConfig
trivy --config $trivyConfig ${scanType} ${artifactRef}
returnCode=$?
else
echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
echo "Global options: " "${GLOBAL_ARGS}"
trivy $GLOBAL_ARGS ${scanType} ${ARGS} ${artifactRef}
returnCode=$?
fi
# SARIF is special. We output all vulnerabilities,
# regardless of severity level specified in this report.
@@ -166,4 +183,13 @@ if [[ "${format}" == "sarif" ]]; then
trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
fi
if [[ "${format}" == "github" ]]; then
if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
printf "\n Uploading GitHub Dependency Snapshot"
curl -H 'Accept: application/vnd.github+json' -H "Authorization: token $githubPAT" 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
else
printf "\n Failing GitHub Dependency Snapshot. Missing github-pat"
fi
fi
exit $returnCode
test/data/config-sarif.test
+80
View File
@@ -0,0 +1,80 @@
{
"version": "2.1.0",
"$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
"runs": [
{
"tool": {
"driver": {
"fullName": "Trivy Vulnerability Scanner",
"informationUri": "https://github.com/aquasecurity/trivy",
"name": "Trivy",
"rules": [
{
"id": "DS002",
"name": "Misconfiguration",
"shortDescription": {
"text": "Image user should not be \u0026#39;root\u0026#39;"
},
"fullDescription": {
"text": "Running containers with \u0026#39;root\u0026#39; user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a \u0026#39;USER\u0026#39; statement to the Dockerfile."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/misconfig/ds002",
"help": {
"text": "Misconfiguration DS002\nType: Dockerfile Security Check\nSeverity: HIGH\nCheck: Image user should not be 'root'\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"markdown": "**Misconfiguration DS002**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|HIGH|Image user should not be 'root'|Specify at least 1 USER command in Dockerfile with non-root user as argument|[DS002](https://avd.aquasec.com/misconfig/ds002)|\n\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile."
},
"properties": {
"precision": "very-high",
"security-severity": "8.0",
"tags": [
"misconfiguration",
"security",
"HIGH"
]
}
}
],
"version": "0.34.0"
}
},
"results": [
{
"ruleId": "DS002",
"ruleIndex": 0,
"level": "error",
"message": {
"text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS002\nSeverity: HIGH\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "Dockerfile",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1,
"startColumn": 1,
"endLine": 1,
"endColumn": 1
}
},
"message": {
"text": "Dockerfile"
}
}
]
}
],
"columnKind": "utf16CodeUnits",
"originalUriBaseIds": {
"ROOTPATH": {
"uri": "file:///"
}
}
}
]
}
test/data/config.test
+1
View File
@@ -28,6 +28,7 @@
{
"Type": "Dockerfile Security Check",
"ID": "DS002",
"AVDID": "AVD-DS-0002",
"Title": "Image user should not be 'root'",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
test/data/fs-scheck.test
+1
View File
@@ -28,6 +28,7 @@
{
"Type": "Dockerfile Security Check",
"ID": "DS002",
"AVDID": "AVD-DS-0002",
"Title": "Image user should not be 'root'",
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
test/data/fs.test
-17
View File
@@ -1,17 +0,0 @@
{
"SchemaVersion": 2,
"ArtifactName": ".",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
}
}
test/data/image-sarif.test
+14 -878
View File
@@ -10,102 +10,21 @@
"name": "Trivy",
"rules": [
{
"id": "CVE-2018-14618",
"id": "CVE-2021-36159",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2018-14618"
"text": "CVE-2021-36159"
},
"fullDescription": {
"text": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)"
"text": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the \u0026#39;\\0\u0026#39; terminator one byte too late."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2018-14618",
"helpUri": "https://avd.aquasec.com/nvd/cve-2021-36159",
"help": {
"text": "Vulnerability CVE-2018-14618\nSeverity: CRITICAL\nPackage: curl\nFixed Version: 7.61.1-r0\nLink: [CVE-2018-14618](https://avd.aquasec.com/nvd/cve-2018-14618)\ncurl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)",
"markdown": "**Vulnerability CVE-2018-14618**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|curl|7.61.1-r0|[CVE-2018-14618](https://avd.aquasec.com/nvd/cve-2018-14618)|\n\ncurl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)"
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2018-16839",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2018-16839"
},
"fullDescription": {
"text": "Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2018-16839",
"help": {
"text": "Vulnerability CVE-2018-16839\nSeverity: CRITICAL\nPackage: libcurl\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16839](https://avd.aquasec.com/nvd/cve-2018-16839)\nCurl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.",
"markdown": "**Vulnerability CVE-2018-16839**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libcurl|7.61.1-r1|[CVE-2018-16839](https://avd.aquasec.com/nvd/cve-2018-16839)|\n\nCurl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2018-16840",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2018-16840"
},
"fullDescription": {
"text": "A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an \u0026#39;easy\u0026#39; handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2018-16840",
"help": {
"text": "Vulnerability CVE-2018-16840\nSeverity: CRITICAL\nPackage: libcurl\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16840](https://avd.aquasec.com/nvd/cve-2018-16840)\nA heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.",
"markdown": "**Vulnerability CVE-2018-16840**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libcurl|7.61.1-r1|[CVE-2018-16840](https://avd.aquasec.com/nvd/cve-2018-16840)|\n\nA heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2018-16842",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2018-16842"
},
"fullDescription": {
"text": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2018-16842",
"help": {
"text": "Vulnerability CVE-2018-16842\nSeverity: CRITICAL\nPackage: libcurl\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16842](https://avd.aquasec.com/nvd/cve-2018-16842)\nCurl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.",
"markdown": "**Vulnerability CVE-2018-16842**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libcurl|7.61.1-r1|[CVE-2018-16842](https://avd.aquasec.com/nvd/cve-2018-16842)|\n\nCurl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service."
"text": "Vulnerability CVE-2021-36159\nSeverity: CRITICAL\nPackage: apk-tools\nFixed Version: 2.10.7-r0\nLink: [CVE-2021-36159](https://avd.aquasec.com/nvd/cve-2021-36159)\nlibfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
"markdown": "**Vulnerability CVE-2021-36159**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|apk-tools|2.10.7-r0|[CVE-2021-36159](https://avd.aquasec.com/nvd/cve-2021-36159)|\n\nlibfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late."
},
"properties": {
"precision": "very-high",
@@ -116,814 +35,31 @@
"CRITICAL"
]
}
},
{
"id": "CVE-2019-3822",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-3822"
},
"fullDescription": {
"text": "libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large \u0026#39;nt response\u0026#39; data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a \u0026#39;large value\u0026#39; needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-3822",
"help": {
"text": "Vulnerability CVE-2019-3822\nSeverity: CRITICAL\nPackage: libcurl\nFixed Version: 7.61.1-r2\nLink: [CVE-2019-3822](https://avd.aquasec.com/nvd/cve-2019-3822)\nlibcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.",
"markdown": "**Vulnerability CVE-2019-3822**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libcurl|7.61.1-r2|[CVE-2019-3822](https://avd.aquasec.com/nvd/cve-2019-3822)|\n\nlibcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2019-5481",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-5481"
},
"fullDescription": {
"text": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-5481",
"help": {
"text": "Vulnerability CVE-2019-5481\nSeverity: CRITICAL\nPackage: libcurl\nFixed Version: 7.61.1-r3\nLink: [CVE-2019-5481](https://avd.aquasec.com/nvd/cve-2019-5481)\nDouble-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
"markdown": "**Vulnerability CVE-2019-5481**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libcurl|7.61.1-r3|[CVE-2019-5481](https://avd.aquasec.com/nvd/cve-2019-5481)|\n\nDouble-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2019-5482",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-5482"
},
"fullDescription": {
"text": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-5482",
"help": {
"text": "Vulnerability CVE-2019-5482\nSeverity: CRITICAL\nPackage: libcurl\nFixed Version: 7.61.1-r3\nLink: [CVE-2019-5482](https://avd.aquasec.com/nvd/cve-2019-5482)\nHeap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
"markdown": "**Vulnerability CVE-2019-5482**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libcurl|7.61.1-r3|[CVE-2019-5482](https://avd.aquasec.com/nvd/cve-2019-5482)|\n\nHeap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2018-17456",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2018-17456"
},
"fullDescription": {
"text": "Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \u0026#34;git clone\u0026#34; of a superproject if a .gitmodules file has a URL field beginning with a \u0026#39;-\u0026#39; character."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2018-17456",
"help": {
"text": "Vulnerability CVE-2018-17456\nSeverity: CRITICAL\nPackage: git\nFixed Version: 2.15.3-r0\nLink: [CVE-2018-17456](https://avd.aquasec.com/nvd/cve-2018-17456)\nGit before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \"git clone\" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.",
"markdown": "**Vulnerability CVE-2018-17456**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|git|2.15.3-r0|[CVE-2018-17456](https://avd.aquasec.com/nvd/cve-2018-17456)|\n\nGit before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \"git clone\" of a superproject if a .gitmodules file has a URL field beginning with a '-' character."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2019-1353",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-1353"
},
"fullDescription": {
"text": "An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as \u0026#34;WSL\u0026#34;) while accessing a working directory on a regular Windows drive, none of the NTFS protections were active."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-1353",
"help": {
"text": "Vulnerability CVE-2019-1353\nSeverity: CRITICAL\nPackage: git\nFixed Version: 2.15.4-r0\nLink: [CVE-2019-1353](https://avd.aquasec.com/nvd/cve-2019-1353)\nAn issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as \"WSL\") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active.",
"markdown": "**Vulnerability CVE-2019-1353**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|git|2.15.4-r0|[CVE-2019-1353](https://avd.aquasec.com/nvd/cve-2019-1353)|\n\nAn issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as \"WSL\") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2019-12900",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-12900"
},
"fullDescription": {
"text": "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-12900",
"help": {
"text": "Vulnerability CVE-2019-12900\nSeverity: CRITICAL\nPackage: libbz2\nFixed Version: 1.0.6-r7\nLink: [CVE-2019-12900](https://avd.aquasec.com/nvd/cve-2019-12900)\nBZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.",
"markdown": "**Vulnerability CVE-2019-12900**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libbz2|1.0.6-r7|[CVE-2019-12900](https://avd.aquasec.com/nvd/cve-2019-12900)|\n\nBZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2019-14697",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-14697"
},
"fullDescription": {
"text": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application\u0026#39;s source code."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-14697",
"help": {
"text": "Vulnerability CVE-2019-14697\nSeverity: CRITICAL\nPackage: musl-utils\nFixed Version: 1.1.18-r4\nLink: [CVE-2019-14697](https://avd.aquasec.com/nvd/cve-2019-14697)\nmusl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
"markdown": "**Vulnerability CVE-2019-14697**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|musl-utils|1.1.18-r4|[CVE-2019-14697](https://avd.aquasec.com/nvd/cve-2019-14697)|\n\nmusl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2019-8457",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-8457"
},
"fullDescription": {
"text": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-8457",
"help": {
"text": "Vulnerability CVE-2019-8457\nSeverity: CRITICAL\nPackage: sqlite-libs\nFixed Version: 3.25.3-r1\nLink: [CVE-2019-8457](https://avd.aquasec.com/nvd/cve-2019-8457)\nSQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.",
"markdown": "**Vulnerability CVE-2019-8457**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|sqlite-libs|3.25.3-r1|[CVE-2019-8457](https://avd.aquasec.com/nvd/cve-2019-8457)|\n\nSQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2020-25576",
"name": "LanguageSpecificPackageVulnerability",
"shortDescription": {
"text": "CVE-2020-25576"
},
"fullDescription": {
"text": "An issue was discovered in the rand_core crate before 0.4.2 for Rust. Casting of byte slices to integer slices mishandles alignment constraints."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2020-25576",
"help": {
"text": "Vulnerability CVE-2020-25576\nSeverity: CRITICAL\nPackage: rand_core\nFixed Version: 0.3.1, 0.4.2\nLink: [CVE-2020-25576](https://avd.aquasec.com/nvd/cve-2020-25576)\nAn issue was discovered in the rand_core crate before 0.4.2 for Rust. Casting of byte slices to integer slices mishandles alignment constraints.",
"markdown": "**Vulnerability CVE-2020-25576**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|rand_core|0.3.1, 0.4.2|[CVE-2020-25576](https://avd.aquasec.com/nvd/cve-2020-25576)|\n\nAn issue was discovered in the rand_core crate before 0.4.2 for Rust. Casting of byte slices to integer slices mishandles alignment constraints."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2019-15551",
"name": "LanguageSpecificPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-15551"
},
"fullDescription": {
"text": "An issue was discovered in the smallvec crate before 0.6.10 for Rust. There is a double free for certain grow attempts with the current capacity."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-15551",
"help": {
"text": "Vulnerability CVE-2019-15551\nSeverity: CRITICAL\nPackage: smallvec\nFixed Version: 0.6.10\nLink: [CVE-2019-15551](https://avd.aquasec.com/nvd/cve-2019-15551)\nAn issue was discovered in the smallvec crate before 0.6.10 for Rust. There is a double free for certain grow attempts with the current capacity.",
"markdown": "**Vulnerability CVE-2019-15551**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|smallvec|0.6.10|[CVE-2019-15551](https://avd.aquasec.com/nvd/cve-2019-15551)|\n\nAn issue was discovered in the smallvec crate before 0.6.10 for Rust. There is a double free for certain grow attempts with the current capacity."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2019-15554",
"name": "LanguageSpecificPackageVulnerability",
"shortDescription": {
"text": "CVE-2019-15554"
},
"fullDescription": {
"text": "An issue was discovered in the smallvec crate before 0.6.10 for Rust. There is memory corruption for certain grow attempts with less than the current capacity."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2019-15554",
"help": {
"text": "Vulnerability CVE-2019-15554\nSeverity: CRITICAL\nPackage: smallvec\nFixed Version: 0.6.10\nLink: [CVE-2019-15554](https://avd.aquasec.com/nvd/cve-2019-15554)\nAn issue was discovered in the smallvec crate before 0.6.10 for Rust. There is memory corruption for certain grow attempts with less than the current capacity.",
"markdown": "**Vulnerability CVE-2019-15554**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|smallvec|0.6.10|[CVE-2019-15554](https://avd.aquasec.com/nvd/cve-2019-15554)|\n\nAn issue was discovered in the smallvec crate before 0.6.10 for Rust. There is memory corruption for certain grow attempts with less than the current capacity."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
{
"id": "CVE-2021-25900",
"name": "LanguageSpecificPackageVulnerability",
"shortDescription": {
"text": "CVE-2021-25900"
},
"fullDescription": {
"text": "An issue was discovered in the smallvec crate before 0.6.14 and 1.x before 1.6.1 for Rust. There is a heap-based buffer overflow in SmallVec::insert_many."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2021-25900",
"help": {
"text": "Vulnerability CVE-2021-25900\nSeverity: CRITICAL\nPackage: smallvec\nFixed Version: 0.6.14, 1.6.1\nLink: [CVE-2021-25900](https://avd.aquasec.com/nvd/cve-2021-25900)\nAn issue was discovered in the smallvec crate before 0.6.14 and 1.x before 1.6.1 for Rust. There is a heap-based buffer overflow in SmallVec::insert_many.",
"markdown": "**Vulnerability CVE-2021-25900**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|smallvec|0.6.14, 1.6.1|[CVE-2021-25900](https://avd.aquasec.com/nvd/cve-2021-25900)|\n\nAn issue was discovered in the smallvec crate before 0.6.14 and 1.x before 1.6.1 for Rust. There is a heap-based buffer overflow in SmallVec::insert_many."
},
"properties": {
"precision": "very-high",
"security-severity": "9.8",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
}
],
"version": "0.29.0"
"version": "0.34.0"
}
},
"results": [
{
"ruleId": "CVE-2018-14618",
"ruleId": "CVE-2021-36159",
"ruleIndex": 0,
"level": "error",
"message": {
"text": "Package: curl\nInstalled Version: 7.61.0-r0\nVulnerability CVE-2018-14618\nSeverity: CRITICAL\nFixed Version: 7.61.1-r0\nLink: [CVE-2018-14618](https://avd.aquasec.com/nvd/cve-2018-14618)"
"text": "Package: apk-tools\nInstalled Version: 2.10.6-r0\nVulnerability CVE-2021-36159\nSeverity: CRITICAL\nFixed Version: 2.10.7-r0\nLink: [CVE-2021-36159](https://avd.aquasec.com/nvd/cve-2021-36159)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uri": "library/alpine",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2018-16839",
"ruleIndex": 1,
"level": "error",
"message": {
"text": "Package: curl\nInstalled Version: 7.61.0-r0\nVulnerability CVE-2018-16839\nSeverity: CRITICAL\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16839](https://avd.aquasec.com/nvd/cve-2018-16839)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2018-16840",
"ruleIndex": 2,
"level": "error",
"message": {
"text": "Package: curl\nInstalled Version: 7.61.0-r0\nVulnerability CVE-2018-16840\nSeverity: CRITICAL\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16840](https://avd.aquasec.com/nvd/cve-2018-16840)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2018-16842",
"ruleIndex": 3,
"level": "error",
"message": {
"text": "Package: curl\nInstalled Version: 7.61.0-r0\nVulnerability CVE-2018-16842\nSeverity: CRITICAL\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16842](https://avd.aquasec.com/nvd/cve-2018-16842)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-3822",
"ruleIndex": 4,
"level": "error",
"message": {
"text": "Package: curl\nInstalled Version: 7.61.0-r0\nVulnerability CVE-2019-3822\nSeverity: CRITICAL\nFixed Version: 7.61.1-r2\nLink: [CVE-2019-3822](https://avd.aquasec.com/nvd/cve-2019-3822)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-5481",
"ruleIndex": 5,
"level": "error",
"message": {
"text": "Package: curl\nInstalled Version: 7.61.0-r0\nVulnerability CVE-2019-5481\nSeverity: CRITICAL\nFixed Version: 7.61.1-r3\nLink: [CVE-2019-5481](https://avd.aquasec.com/nvd/cve-2019-5481)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-5482",
"ruleIndex": 6,
"level": "error",
"message": {
"text": "Package: curl\nInstalled Version: 7.61.0-r0\nVulnerability CVE-2019-5482\nSeverity: CRITICAL\nFixed Version: 7.61.1-r3\nLink: [CVE-2019-5482](https://avd.aquasec.com/nvd/cve-2019-5482)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2018-17456",
"ruleIndex": 7,
"level": "error",
"message": {
"text": "Package: git\nInstalled Version: 2.15.2-r0\nVulnerability CVE-2018-17456\nSeverity: CRITICAL\nFixed Version: 2.15.3-r0\nLink: [CVE-2018-17456](https://avd.aquasec.com/nvd/cve-2018-17456)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-1353",
"ruleIndex": 8,
"level": "error",
"message": {
"text": "Package: git\nInstalled Version: 2.15.2-r0\nVulnerability CVE-2019-1353\nSeverity: CRITICAL\nFixed Version: 2.15.4-r0\nLink: [CVE-2019-1353](https://avd.aquasec.com/nvd/cve-2019-1353)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-12900",
"ruleIndex": 9,
"level": "error",
"message": {
"text": "Package: libbz2\nInstalled Version: 1.0.6-r6\nVulnerability CVE-2019-12900\nSeverity: CRITICAL\nFixed Version: 1.0.6-r7\nLink: [CVE-2019-12900](https://avd.aquasec.com/nvd/cve-2019-12900)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2018-16839",
"ruleIndex": 1,
"level": "error",
"message": {
"text": "Package: libcurl\nInstalled Version: 7.61.1-r0\nVulnerability CVE-2018-16839\nSeverity: CRITICAL\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16839](https://avd.aquasec.com/nvd/cve-2018-16839)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2018-16840",
"ruleIndex": 2,
"level": "error",
"message": {
"text": "Package: libcurl\nInstalled Version: 7.61.1-r0\nVulnerability CVE-2018-16840\nSeverity: CRITICAL\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16840](https://avd.aquasec.com/nvd/cve-2018-16840)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2018-16842",
"ruleIndex": 3,
"level": "error",
"message": {
"text": "Package: libcurl\nInstalled Version: 7.61.1-r0\nVulnerability CVE-2018-16842\nSeverity: CRITICAL\nFixed Version: 7.61.1-r1\nLink: [CVE-2018-16842](https://avd.aquasec.com/nvd/cve-2018-16842)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-3822",
"ruleIndex": 4,
"level": "error",
"message": {
"text": "Package: libcurl\nInstalled Version: 7.61.1-r0\nVulnerability CVE-2019-3822\nSeverity: CRITICAL\nFixed Version: 7.61.1-r2\nLink: [CVE-2019-3822](https://avd.aquasec.com/nvd/cve-2019-3822)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-5481",
"ruleIndex": 5,
"level": "error",
"message": {
"text": "Package: libcurl\nInstalled Version: 7.61.1-r0\nVulnerability CVE-2019-5481\nSeverity: CRITICAL\nFixed Version: 7.61.1-r3\nLink: [CVE-2019-5481](https://avd.aquasec.com/nvd/cve-2019-5481)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-5482",
"ruleIndex": 6,
"level": "error",
"message": {
"text": "Package: libcurl\nInstalled Version: 7.61.1-r0\nVulnerability CVE-2019-5482\nSeverity: CRITICAL\nFixed Version: 7.61.1-r3\nLink: [CVE-2019-5482](https://avd.aquasec.com/nvd/cve-2019-5482)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-14697",
"ruleIndex": 10,
"level": "error",
"message": {
"text": "Package: musl\nInstalled Version: 1.1.18-r3\nVulnerability CVE-2019-14697\nSeverity: CRITICAL\nFixed Version: 1.1.18-r4\nLink: [CVE-2019-14697](https://avd.aquasec.com/nvd/cve-2019-14697)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-14697",
"ruleIndex": 10,
"level": "error",
"message": {
"text": "Package: musl-utils\nInstalled Version: 1.1.18-r3\nVulnerability CVE-2019-14697\nSeverity: CRITICAL\nFixed Version: 1.1.18-r4\nLink: [CVE-2019-14697](https://avd.aquasec.com/nvd/cve-2019-14697)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-8457",
"ruleIndex": 11,
"level": "error",
"message": {
"text": "Package: sqlite-libs\nInstalled Version: 3.21.0-r1\nVulnerability CVE-2019-8457\nSeverity: CRITICAL\nFixed Version: 3.25.3-r1\nLink: [CVE-2019-8457](https://avd.aquasec.com/nvd/cve-2019-8457)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "knqyf263/vuln-image:1.2.3",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2020-25576",
"ruleIndex": 12,
"level": "error",
"message": {
"text": "Package: rand_core\nInstalled Version: 0.4.0\nVulnerability CVE-2020-25576\nSeverity: CRITICAL\nFixed Version: 0.3.1, 0.4.2\nLink: [CVE-2020-25576](https://avd.aquasec.com/nvd/cve-2020-25576)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "rust-app/Cargo.lock",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-15551",
"ruleIndex": 13,
"level": "error",
"message": {
"text": "Package: smallvec\nInstalled Version: 0.6.9\nVulnerability CVE-2019-15551\nSeverity: CRITICAL\nFixed Version: 0.6.10\nLink: [CVE-2019-15551](https://avd.aquasec.com/nvd/cve-2019-15551)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "rust-app/Cargo.lock",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2019-15554",
"ruleIndex": 14,
"level": "error",
"message": {
"text": "Package: smallvec\nInstalled Version: 0.6.9\nVulnerability CVE-2019-15554\nSeverity: CRITICAL\nFixed Version: 0.6.10\nLink: [CVE-2019-15554](https://avd.aquasec.com/nvd/cve-2019-15554)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "rust-app/Cargo.lock",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
}
}
}
]
},
{
"ruleId": "CVE-2021-25900",
"ruleIndex": 15,
"level": "error",
"message": {
"text": "Package: smallvec\nInstalled Version: 0.6.9\nVulnerability CVE-2021-25900\nSeverity: CRITICAL\nFixed Version: 0.6.14, 1.6.1\nLink: [CVE-2021-25900](https://avd.aquasec.com/nvd/cve-2021-25900)"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "rust-app/Cargo.lock",
"uriBaseId": "ROOTPATH"
},
"region": {
"startLine": 1
"startLine": 1,
"startColumn": 1,
"endLine": 1,
"endColumn": 1
}
}
}
test/data/image-trivyignores.test
+89 -1364
View File
File diff suppressed because it is too large Load Diff
test/data/image.test
+101 -1478
View File
File diff suppressed because it is too large Load Diff
test/data/repo.test
+44 -1
View File
@@ -26,7 +26,50 @@
"Title": "GitHub Personal Access Token",
"StartLine": 5,
"EndLine": 5,
"Match": "export GITHUB_PAT=*****"
"Code": {
"Lines": [
{
"Number": 3,
"Content": "export AWS_ACCESS_KEY_ID=1234567",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"Highlighted": "export AWS_ACCESS_KEY_ID=1234567",
"FirstCause": false,
"LastCause": false
},
{
"Number": 4,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
},
{
"Number": 5,
"Content": "export GITHUB_PAT=****************************************",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "export GITHUB_PAT=****************************************",
"FirstCause": true,
"LastCause": true
},
{
"Number": 6,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
}
]
},
"Match": "export GITHUB_PAT=****************************************",
"Layer": {}
}
]
}
test/data/rootfs.test
-17
View File
@@ -1,17 +0,0 @@
{
"SchemaVersion": 2,
"ArtifactName": ".",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
}
}
test/data/trivy.yaml
+5
View File
@@ -0,0 +1,5 @@
format: json
severity: CRITICAL
vulnerability:
type: os
output: yamlconfig.test
test/data/yamlconfig.test
+105
View File
@@ -0,0 +1,105 @@
{
"SchemaVersion": 2,
"ArtifactName": "alpine:3.10",
"ArtifactType": "container_image",
"Metadata": {
"OS": {
"Family": "alpine",
"Name": "3.10.9",
"EOSL": true
},
"ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a",
"DiffIDs": [
"sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
],
"RepoTags": [
"alpine:3.10"
],
"RepoDigests": [
"alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
],
"ImageConfig": {
"architecture": "amd64",
"container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
"created": "2021-04-14T19:20:05.338397761Z",
"docker_version": "19.03.12",
"history": [
{
"created": "2021-04-14T19:20:04.987219124Z",
"created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / "
},
{
"created": "2021-04-14T19:20:05.338397761Z",
"created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
"empty_layer": true
}
],
"os": "linux",
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
]
},
"config": {
"Cmd": [
"/bin/sh"
],
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
}
}
},
"Results": [
{
"Target": "alpine:3.10 (alpine 3.10.9)",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2021-36159",
"PkgID": "apk-tools@2.10.6-r0",
"PkgName": "apk-tools",
"InstalledVersion": "2.10.6-r0",
"FixedVersion": "2.10.7-r0",
"Layer": {
"Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
"DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
"Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-125"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"V2Score": 6.4,
"V3Score": 9.1
}
},
"References": [
"https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
"https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"
],
"PublishedDate": "2021-08-03T14:15:00Z",
"LastModifiedDate": "2021-10-18T12:19:00Z"
}
]
}
]
}
test/test.bats
+60 -34
View File
@@ -1,57 +1,83 @@
#!/usr/bin/env bats
bats_load_library bats-support
bats_load_library bats-assert
bats_load_library bats-file
@test "trivy image" {
# trivy image --severity CRITICAL --format json --output image.test knqyf263/vuln-image:1.2.3
./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b json' '-h image.test' '-g CRITICAL'
result="$(diff ./test/data/image.test image.test)"
[ "$result" == '' ]
@test "trivy repo with securityCheck secret only" {
# trivy repo --format json --output repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
run ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
run diff repo.test ./test/data/repo.test
echo "$output"
assert_files_equal repo.test ./test/data/repo.test
}
@test "trivy image sarif report" {
# trivy image --severity CRITICAL -f sarif --output image-sarif.test knqyf263/vuln-image:1.2.3
./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b sarif' '-h image-sarif.test' '-g CRITICAL'
result="$(diff ./test/data/image-sarif.test image-sarif.test)"
[ "$result" == '' ]
@test "trivy image" {
# trivy image --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL'
run diff image.test ./test/data/image.test
echo "$output"
assert_files_equal image.test ./test/data/image.test
}
@test "trivy config sarif report" {
# trivy config --format sarif --output config-sarif.test .
run ./entrypoint.sh '-a config' '-b sarif' '-h config-sarif.test' '-j .'
run diff config-sarif.test ./test/data/config-sarif.test
echo "$output"
assert_files_equal config-sarif.test ./test/data/config-sarif.test
}
@test "trivy config" {
# trivy config --format json --output config.test .
./entrypoint.sh '-a config' '-j .' '-b json' '-h config.test'
result="$(diff ./test/data/config.test config.test)"
[ "$result" == '' ]
run ./entrypoint.sh '-a config' '-b json' '-j .' '-h config.test'
run diff config.test ./test/data/config.test
echo "$output"
assert_files_equal config.test ./test/data/config.test
}
@test "trivy rootfs" {
# trivy rootfs --format json --output rootfs.test .
./entrypoint.sh '-a rootfs' '-j .' '-b json' '-h rootfs.test'
result="$(diff ./test/data/rootfs.test rootfs.test)"
[ "$result" == '' ]
# trivy rootfs --output rootfs.test .
run ./entrypoint.sh '-a rootfs' '-j .' '-h rootfs.test'
run diff rootfs.test ./test/data/rootfs.test
echo "$output"
assert_files_equal rootfs.test ./test/data/rootfs.test
}
@test "trivy fs" {
# trivy fs --format json --output fs.test .
./entrypoint.sh '-a fs' '-j .' '-b json' '-h fs.test'
result="$(diff ./test/data/fs.test fs.test)"
[ "$result" == '' ]
# trivy fs --output fs.test .
run ./entrypoint.sh '-a fs' '-j .' '-h fs.test'
run diff fs.test ./test/data/fs.test
echo "$output"
assert_files_equal fs.test ./test/data/fs.test
}
@test "trivy fs with securityChecks option" {
# trivy fs --format json --security-checks=vuln,config --output fs-scheck.test .
./entrypoint.sh '-a fs' '-j .' '-b json' '-s vuln,config,secret' '-h fs-scheck.test'
result="$(diff ./test/data/fs-scheck.test fs-scheck.test)"
[ "$result" == '' ]
run ./entrypoint.sh '-a fs' '-b json' '-j .' '-s vuln,config,secret' '-h fs-scheck.test'
run diff fs-scheck.test ./test/data/fs-scheck.test
echo "$output"
assert_files_equal fs-scheck.test ./test/data/fs-scheck.test
}
@test "trivy repo with securityCheck secret only" {
# trivy repo --format json --output repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
result="$(diff ./test/data/repo.test repo.test)"
[ "$result" == '' ]
}
@test "trivy image with trivyIgnores option" {
# cat ./test/data/.trivyignore1 ./test/data/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL --format json --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3
./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-b json' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/.trivyignore1,./test/data/.trivyignore2'
result="$(diff ./test/data/image-trivyignores.test image-trivyignores.test)"
[ "$result" == '' ]
# cat ./test/data/.trivyignore1 ./test/data/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3
run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/.trivyignore1,./test/data/.trivyignore2'
run diff image-trivyignores.test ./test/data/image-trivyignores.test
echo "$output"
assert_files_equal image-trivyignores.test ./test/data/image-trivyignores.test
}
@test "trivy image with sbom output" {
# trivy image --format github knqyf263/vuln-image:1.2.3
run ./entrypoint.sh "-a image" "-b github" "-i knqyf263/vuln-image:1.2.3"
assert_output --partial '"package_url": "pkg:apk/ca-certificates@20171114-r0",' # TODO: Output contains time, need to mock
}
@test "trivy image with trivy.yaml config" {
# trivy --config=./test/data/trivy.yaml image alpine:3.10
run ./entrypoint.sh "-v ./test/data/trivy.yaml" "-a image" "-i alpine:3.10"
run diff yamlconfig.test ./test/data/yamlconfig.test
echo "$output"
assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
}