Compare commits
10 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
9ab158e859 | ||
|
|
e55de85bee | ||
|
|
d63413b0a4 | ||
|
|
1db49f5326 | ||
|
|
12814ff8bc | ||
|
|
cb606dfdb0 | ||
|
|
0d7cf2ddfb | ||
|
|
5144f05a8d | ||
|
|
81b9a6f5ab | ||
|
|
503d3abc15 |
Vendored
+4
-9
@@ -1,7 +1,8 @@
|
||||
name: "build"
|
||||
on: [push, pull_request]
|
||||
env:
|
||||
TRIVY_VERSION: 0.29.2
|
||||
TRIVY_VERSION: 0.34.0
|
||||
BATS_LIB_PATH: '/usr/lib/'
|
||||
jobs:
|
||||
build:
|
||||
name: build
|
||||
@@ -11,7 +12,7 @@ jobs:
|
||||
- name: Setup BATS
|
||||
uses: mig4/setup-bats@v1
|
||||
with:
|
||||
bats-version: 1.2.1
|
||||
bats-version: 1.7.0
|
||||
|
||||
- name: Setup Bats libs
|
||||
uses: brokenpip3/setup-bats-libs@0.1.0
|
||||
@@ -24,10 +25,4 @@ jobs:
|
||||
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
|
||||
|
||||
- name: Test
|
||||
run: bats --recursive --timing .
|
||||
|
||||
- name: Debug show artifacts
|
||||
if: always()
|
||||
run: |
|
||||
cat ./config.test
|
||||
cat ./fs-scheck.test
|
||||
run: BATS_LIB_PATH=${{ env.BATS_LIB_PATH }} bats --recursive --timing .
|
||||
Vendored
+1
@@ -2,3 +2,4 @@
|
||||
*.test
|
||||
!test/data/*.test
|
||||
trivyignores
|
||||
.vscode/
|
||||
+2
-2
@@ -1,5 +1,5 @@
|
||||
FROM ghcr.io/aquasecurity/trivy:0.29.2
|
||||
FROM ghcr.io/aquasecurity/trivy:0.34.0
|
||||
COPY entrypoint.sh /
|
||||
RUN apk --no-cache add bash curl
|
||||
RUN apk --no-cache add bash curl npm
|
||||
RUN chmod +x /entrypoint.sh
|
||||
ENTRYPOINT ["/entrypoint.sh"]
|
||||
|
||||
@@ -19,7 +19,7 @@
|
||||
|
||||
## Usage
|
||||
|
||||
### Workflow
|
||||
### Scan CI Pipeline
|
||||
|
||||
```yaml
|
||||
name: build
|
||||
@@ -31,15 +31,13 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Build an image from Dockerfile
|
||||
run: |
|
||||
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
@@ -51,6 +49,49 @@ jobs:
|
||||
severity: 'CRITICAL,HIGH'
|
||||
```
|
||||
|
||||
### Scan CI Pipeline (w/ Trivy Config)
|
||||
|
||||
```yaml
|
||||
name: build
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
pull_request:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Run Trivy vulnerability scanner in fs mode
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
scan-ref: '.'
|
||||
trivy-config: trivy.yaml
|
||||
```
|
||||
|
||||
In this case `trivy.yaml` is a YAML configuration that is checked in as part of the repo. Detailed information is available on the Trivy website but an example is as follows:
|
||||
```yaml
|
||||
format: json
|
||||
exit-code: 1
|
||||
severity: CRITICAL
|
||||
```
|
||||
|
||||
It is possible to define all options in the `trivy.yaml` file. Specifying individual options via the action are left for backward compatibility purposes. Defining the following is required as they cannot be defined with the config file:
|
||||
- `scan-ref`: If using `fs, repo` scans.
|
||||
- `image-ref`: If using `image` scan.
|
||||
- `scan-type`: To define the scan type, e.g. `image`, `fs`, `repo`, etc.
|
||||
|
||||
#### Order of prerference for options
|
||||
Trivy uses [Viper](https://github.com/spf13/viper) which has a defined precedence order for options. The order is as follows:
|
||||
- GitHub Action flag
|
||||
- Environment variable
|
||||
- Config file
|
||||
- Default
|
||||
|
||||
### Scanning a Tarball
|
||||
```yaml
|
||||
@@ -66,7 +107,7 @@ jobs:
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Generate tarball from image
|
||||
run: |
|
||||
@@ -92,10 +133,10 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Build an image from Dockerfile
|
||||
run: |
|
||||
@@ -127,10 +168,10 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Build an image from Dockerfile
|
||||
run: |
|
||||
@@ -166,10 +207,10 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Run Trivy vulnerability scanner in repo mode
|
||||
uses: aquasecurity/trivy-action@master
|
||||
@@ -200,10 +241,10 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Run Trivy vulnerability scanner with rootfs command
|
||||
uses: aquasecurity/trivy-action@master
|
||||
@@ -235,17 +276,18 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Run Trivy vulnerability scanner in IaC mode
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
scan-type: 'config'
|
||||
hide-progress: false
|
||||
format: 'table'
|
||||
format: 'sarif'
|
||||
output: 'trivy-results.sarif'
|
||||
exit-code: '1'
|
||||
ignore-unfixed: true
|
||||
severity: 'CRITICAL,HIGH'
|
||||
@@ -304,10 +346,10 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
@@ -340,10 +382,10 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
@@ -376,10 +418,10 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
@@ -409,10 +451,10 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
name: Build
|
||||
runs-on: ubuntu-18.04
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v2
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
|
||||
@@ -85,6 +85,9 @@ inputs:
|
||||
github-pat:
|
||||
description: 'GitHub Personal Access Token (PAT) for submitting SBOM to GitHub Dependency Snapshot API'
|
||||
required: false
|
||||
trivy-config:
|
||||
description: 'path to trivy.yaml config'
|
||||
required: false
|
||||
|
||||
runs:
|
||||
using: 'docker'
|
||||
@@ -111,3 +114,4 @@ runs:
|
||||
- '-s ${{ inputs.security-checks }}'
|
||||
- '-t ${{ inputs.trivyignores }}'
|
||||
- '-u ${{ inputs.github-pat }}'
|
||||
- '-v ${{ inputs.trivy-config }}'
|
||||
|
||||
+25
-8
@@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:" o; do
|
||||
while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
|
||||
case "${o}" in
|
||||
a)
|
||||
export scanType=${OPTARG}
|
||||
@@ -65,9 +65,13 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:" o; do
|
||||
u)
|
||||
export githubPAT=${OPTARG}
|
||||
;;
|
||||
v)
|
||||
export trivyConfig=${OPTARG}
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
|
||||
scanType=$(echo $scanType | tr -d '\r')
|
||||
export artifactRef="${imageRef}"
|
||||
if [ "${scanType}" = "repo" ] || [ "${scanType}" = "fs" ] || [ "${scanType}" = "config" ] || [ "${scanType}" = "rootfs" ];then
|
||||
@@ -107,6 +111,7 @@ if [ $vulnType ] && [ "$scanType" != "config" ] && [ "$scanType" != "sbom" ];the
|
||||
fi
|
||||
if [ $securityChecks ];then
|
||||
ARGS="$ARGS --security-checks $securityChecks"
|
||||
SARIF_ARGS="$SARIF_ARGS --security-checks $securityChecks"
|
||||
fi
|
||||
if [ $severity ];then
|
||||
ARGS="$ARGS --severity $severity"
|
||||
@@ -137,6 +142,7 @@ if [ $trivyIgnores ];then
|
||||
fi
|
||||
if [ $timeout ];then
|
||||
ARGS="$ARGS --timeout $timeout"
|
||||
SARIF_ARGS="$SARIF_ARGS --timeout $timeout"
|
||||
fi
|
||||
if [ $ignorePolicy ];then
|
||||
ARGS="$ARGS --ignore-policy $ignorePolicy"
|
||||
@@ -157,10 +163,17 @@ if [ "$skipFiles" ];then
|
||||
done
|
||||
fi
|
||||
|
||||
echo "Running trivy with options: ${ARGS}" "${artifactRef}"
|
||||
echo "Global options: " "${GLOBAL_ARGS}"
|
||||
trivy $GLOBAL_ARGS ${scanType} $ARGS ${artifactRef}
|
||||
returnCode=$?
|
||||
trivyConfig=$(echo $trivyConfig | tr -d '\r')
|
||||
if [ $trivyConfig ]; then
|
||||
echo "Running Trivy with trivy.yaml config from: " $trivyConfig
|
||||
trivy --config $trivyConfig ${scanType} ${artifactRef}
|
||||
returnCode=$?
|
||||
else
|
||||
echo "Running trivy with options: trivy ${scanType} ${ARGS}" "${artifactRef}"
|
||||
echo "Global options: " "${GLOBAL_ARGS}"
|
||||
trivy $GLOBAL_ARGS ${scanType} ${ARGS} ${artifactRef}
|
||||
returnCode=$?
|
||||
fi
|
||||
|
||||
# SARIF is special. We output all vulnerabilities,
|
||||
# regardless of severity level specified in this report.
|
||||
@@ -170,9 +183,13 @@ if [[ "${format}" == "sarif" ]]; then
|
||||
trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
|
||||
fi
|
||||
|
||||
if [[ "${format}" == "github" ]] && [[ "$(echo $githubPAT | xargs)" != "" ]]; then
|
||||
echo "Uploading GitHub Dependency Snapshot"
|
||||
curl -u "${githubPAT}" -H 'Content-Type: application/json' 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
|
||||
if [[ "${format}" == "github" ]]; then
|
||||
if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
|
||||
printf "\n Uploading GitHub Dependency Snapshot"
|
||||
curl -H 'Accept: application/vnd.github+json' -H "Authorization: token $githubPAT" 'https://api.github.com/repos/'$GITHUB_REPOSITORY'/dependency-graph/snapshots' -d @./$(echo $output | xargs)
|
||||
else
|
||||
printf "\n Failing GitHub Dependency Snapshot. Missing github-pat"
|
||||
fi
|
||||
fi
|
||||
|
||||
exit $returnCode
|
||||
|
||||
@@ -0,0 +1,80 @@
|
||||
{
|
||||
"version": "2.1.0",
|
||||
"$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
|
||||
"runs": [
|
||||
{
|
||||
"tool": {
|
||||
"driver": {
|
||||
"fullName": "Trivy Vulnerability Scanner",
|
||||
"informationUri": "https://github.com/aquasecurity/trivy",
|
||||
"name": "Trivy",
|
||||
"rules": [
|
||||
{
|
||||
"id": "DS002",
|
||||
"name": "Misconfiguration",
|
||||
"shortDescription": {
|
||||
"text": "Image user should not be \u0026#39;root\u0026#39;"
|
||||
},
|
||||
"fullDescription": {
|
||||
"text": "Running containers with \u0026#39;root\u0026#39; user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a \u0026#39;USER\u0026#39; statement to the Dockerfile."
|
||||
},
|
||||
"defaultConfiguration": {
|
||||
"level": "error"
|
||||
},
|
||||
"helpUri": "https://avd.aquasec.com/misconfig/ds002",
|
||||
"help": {
|
||||
"text": "Misconfiguration DS002\nType: Dockerfile Security Check\nSeverity: HIGH\nCheck: Image user should not be 'root'\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
|
||||
"markdown": "**Misconfiguration DS002**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|HIGH|Image user should not be 'root'|Specify at least 1 USER command in Dockerfile with non-root user as argument|[DS002](https://avd.aquasec.com/misconfig/ds002)|\n\nRunning containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile."
|
||||
},
|
||||
"properties": {
|
||||
"precision": "very-high",
|
||||
"security-severity": "8.0",
|
||||
"tags": [
|
||||
"misconfiguration",
|
||||
"security",
|
||||
"HIGH"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"version": "0.34.0"
|
||||
}
|
||||
},
|
||||
"results": [
|
||||
{
|
||||
"ruleId": "DS002",
|
||||
"ruleIndex": 0,
|
||||
"level": "error",
|
||||
"message": {
|
||||
"text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS002\nSeverity: HIGH\nMessage: Specify at least 1 USER command in Dockerfile with non-root user as argument\nLink: [DS002](https://avd.aquasec.com/misconfig/ds002)"
|
||||
},
|
||||
"locations": [
|
||||
{
|
||||
"physicalLocation": {
|
||||
"artifactLocation": {
|
||||
"uri": "Dockerfile",
|
||||
"uriBaseId": "ROOTPATH"
|
||||
},
|
||||
"region": {
|
||||
"startLine": 1,
|
||||
"startColumn": 1,
|
||||
"endLine": 1,
|
||||
"endColumn": 1
|
||||
}
|
||||
},
|
||||
"message": {
|
||||
"text": "Dockerfile"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"columnKind": "utf16CodeUnits",
|
||||
"originalUriBaseIds": {
|
||||
"ROOTPATH": {
|
||||
"uri": "file:///"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -28,6 +28,7 @@
|
||||
{
|
||||
"Type": "Dockerfile Security Check",
|
||||
"ID": "DS002",
|
||||
"AVDID": "AVD-DS-0002",
|
||||
"Title": "Image user should not be 'root'",
|
||||
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
|
||||
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
|
||||
|
||||
@@ -28,6 +28,7 @@
|
||||
{
|
||||
"Type": "Dockerfile Security Check",
|
||||
"ID": "DS002",
|
||||
"AVDID": "AVD-DS-0002",
|
||||
"Title": "Image user should not be 'root'",
|
||||
"Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
|
||||
"Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
|
||||
|
||||
+10
-3337
File diff suppressed because it is too large
Load Diff
@@ -1,10 +1,15 @@
|
||||
|
||||
knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
|
||||
========================================
|
||||
Total: 19 (CRITICAL: 19)
|
||||
|
||||
┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
|
||||
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ curl │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r0 │ curl: NTLM password overflow via integer overflow │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-14618 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ curl │ CVE-2018-16839 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2018-16839 │ │ │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
│ │ │ │ │ │ in Curl_sasl_create_plain_message() │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
|
||||
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
|
||||
@@ -15,8 +20,8 @@
|
||||
│ │ CVE-2018-16842 │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
|
||||
│ │ │ │ │ │ formatting │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ curl │ CVE-2019-3822 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-3822 │ │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-5481 │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
|
||||
@@ -27,15 +32,15 @@
|
||||
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ git │ CVE-2018-17456 │ │ 2.15.2-r0 │ 2.15.3-r0 │ git: arbitrary code execution via .gitmodules │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-17456 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ git │ CVE-2019-1353 │ CRITICAL │ 2.15.2-r0 │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-1353 │ │ │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │
|
||||
│ │ │ │ │ │ Windows Subsystem for... │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libbz2 │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
|
||||
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libbz2 │ CVE-2019-12900 │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libcurl │ CVE-2018-16839 │ CRITICAL │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libcurl │ CVE-2018-16839 │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
│ │ │ │ │ │ in Curl_sasl_create_plain_message() │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
|
||||
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
|
||||
@@ -46,8 +51,8 @@
|
||||
│ │ CVE-2018-16842 │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
|
||||
│ │ │ │ │ │ formatting │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libcurl │ CVE-2019-3822 │ CRITICAL │ 7.61.1-r0 │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-3822 │ │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-5481 │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
|
||||
@@ -55,22 +60,30 @@
|
||||
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-5482 │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ musl │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
|
||||
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ musl │ CVE-2019-14697 │ │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
|
||||
│ │ │ │ │ │ adjustment im ...... │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14697 │
|
||||
├─────────────┤ │ │ │ │ │
|
||||
│ musl-utils │ │ │ │ │ │
|
||||
│ │ │ │ │ │ │
|
||||
│ │ │ │ │ │ │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ sqlite-libs │ CVE-2019-8457 │ CRITICAL │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │
|
||||
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ sqlite-libs │ CVE-2019-8457 │ │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │
|
||||
└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
|
||||
|
||||
rust-app/Cargo.lock (cargo)
|
||||
===========================
|
||||
Total: 2 (CRITICAL: 2)
|
||||
|
||||
┌──────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
|
||||
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
|
||||
├──────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
|
||||
│ smallvec │ CVE-2021-25900 │ CRITICAL │ 0.6.9 │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │
|
||||
│ openssl │ CVE-2018-20997 │ CRITICAL │ 0.8.3 │ 0.10.9 │ Use after free in openssl │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-20997 │
|
||||
├──────────┼────────────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
|
||||
│ smallvec │ CVE-2021-25900 │ │ 0.6.9 │ 1.6.1, 0.6.14 │ An issue was discovered in the smallvec crate before 0.6.14 │
|
||||
│ │ │ │ │ │ and 1.x... │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25900 │
|
||||
└──────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
|
||||
|
||||
+31
-18
@@ -1,10 +1,15 @@
|
||||
|
||||
knqyf263/vuln-image:1.2.3 (alpine 3.7.1)
|
||||
========================================
|
||||
Total: 19 (CRITICAL: 19)
|
||||
|
||||
┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
|
||||
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ curl │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r0 │ curl: NTLM password overflow via integer overflow │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-14618 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ curl │ CVE-2018-16839 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2018-16839 │ │ │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
│ │ │ │ │ │ in Curl_sasl_create_plain_message() │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
|
||||
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
|
||||
@@ -15,8 +20,8 @@
|
||||
│ │ CVE-2018-16842 │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
|
||||
│ │ │ │ │ │ formatting │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ curl │ CVE-2019-3822 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-3822 │ │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-5481 │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
|
||||
@@ -27,15 +32,15 @@
|
||||
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ git │ CVE-2018-17456 │ │ 2.15.2-r0 │ 2.15.3-r0 │ git: arbitrary code execution via .gitmodules │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-17456 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ git │ CVE-2019-1353 │ CRITICAL │ 2.15.2-r0 │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-1353 │ │ │ 2.15.4-r0 │ git: NTFS protections inactive when running Git in the │
|
||||
│ │ │ │ │ │ Windows Subsystem for... │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libbz2 │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
|
||||
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libbz2 │ CVE-2019-12900 │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libcurl │ CVE-2018-16839 │ CRITICAL │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libcurl │ CVE-2018-16839 │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │
|
||||
│ │ │ │ │ │ in Curl_sasl_create_plain_message() │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16839 │
|
||||
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
|
||||
@@ -46,8 +51,8 @@
|
||||
│ │ CVE-2018-16842 │ │ │ │ curl: Heap-based buffer over-read in the curl tool warning │
|
||||
│ │ │ │ │ │ formatting │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16842 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ libcurl │ CVE-2019-3822 │ CRITICAL │ 7.61.1-r0 │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-3822 │ │ │ 7.61.1-r2 │ curl: NTLMv2 type-3 header stack buffer overflow │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-3822 │
|
||||
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-5481 │ │ │ 7.61.1-r3 │ curl: double free due to subsequent call of realloc() │
|
||||
@@ -55,22 +60,30 @@
|
||||
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2019-5482 │ │ │ │ curl: heap buffer overflow in function tftp_receive_packet() │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-5482 │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ musl │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
|
||||
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ musl │ CVE-2019-14697 │ │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
|
||||
│ │ │ │ │ │ adjustment im ...... │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14697 │
|
||||
├─────────────┤ │ │ │ │ │
|
||||
│ musl-utils │ │ │ │ │ │
|
||||
│ │ │ │ │ │ │
|
||||
│ │ │ │ │ │ │
|
||||
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ sqlite-libs │ CVE-2019-8457 │ CRITICAL │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │
|
||||
├─────────────┼────────────────┤ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
|
||||
│ sqlite-libs │ CVE-2019-8457 │ │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │
|
||||
└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
|
||||
|
||||
rust-app/Cargo.lock (cargo)
|
||||
===========================
|
||||
Total: 5 (CRITICAL: 5)
|
||||
|
||||
┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
|
||||
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
|
||||
├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
|
||||
│ rand_core │ CVE-2020-25576 │ CRITICAL │ 0.4.0 │ 0.3.1, 0.4.2 │ An issue was discovered in the rand_core crate before 0.4.2 │
|
||||
│ openssl │ CVE-2018-20997 │ CRITICAL │ 0.8.3 │ 0.10.9 │ Use after free in openssl │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-20997 │
|
||||
├───────────┼────────────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
|
||||
│ rand_core │ CVE-2020-25576 │ │ 0.4.0 │ 0.3.1, 0.4.2 │ An issue was discovered in the rand_core crate before 0.4.2 │
|
||||
│ │ │ │ │ │ for Rust.... │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-25576 │
|
||||
├───────────┼────────────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
|
||||
@@ -82,7 +95,7 @@
|
||||
│ │ │ │ │ │ for Rust.... │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-15554 │
|
||||
│ ├────────────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
|
||||
│ │ CVE-2021-25900 │ │ │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │
|
||||
│ │ CVE-2021-25900 │ │ │ 1.6.1, 0.6.14 │ An issue was discovered in the smallvec crate before 0.6.14 │
|
||||
│ │ │ │ │ │ and 1.x... │
|
||||
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-25900 │
|
||||
└───────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
|
||||
|
||||
+77
-5
@@ -1,5 +1,77 @@
|
||||
┌──────────┬──────────────────────────────┬──────────┬─────────┬─────────────────────────┐
|
||||
│ Category │ Description │ Severity │ Line No │ Match │
|
||||
├──────────┼──────────────────────────────┼──────────┼─────────┼─────────────────────────┤
|
||||
│ GitHub │ GitHub Personal Access Token │ CRITICAL │ 5 │ export GITHUB_PAT=***** │
|
||||
└──────────┴──────────────────────────────┴──────────┴─────────┴─────────────────────────┘
|
||||
{
|
||||
"SchemaVersion": 2,
|
||||
"ArtifactName": "https://github.com/krol3/demo-trivy/",
|
||||
"ArtifactType": "repository",
|
||||
"Metadata": {
|
||||
"ImageConfig": {
|
||||
"architecture": "",
|
||||
"created": "0001-01-01T00:00:00Z",
|
||||
"os": "",
|
||||
"rootfs": {
|
||||
"type": "",
|
||||
"diff_ids": null
|
||||
},
|
||||
"config": {}
|
||||
}
|
||||
},
|
||||
"Results": [
|
||||
{
|
||||
"Target": "env",
|
||||
"Class": "secret",
|
||||
"Secrets": [
|
||||
{
|
||||
"RuleID": "github-pat",
|
||||
"Category": "GitHub",
|
||||
"Severity": "CRITICAL",
|
||||
"Title": "GitHub Personal Access Token",
|
||||
"StartLine": 5,
|
||||
"EndLine": 5,
|
||||
"Code": {
|
||||
"Lines": [
|
||||
{
|
||||
"Number": 3,
|
||||
"Content": "export AWS_ACCESS_KEY_ID=1234567",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "export AWS_ACCESS_KEY_ID=1234567",
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 4,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
},
|
||||
{
|
||||
"Number": 5,
|
||||
"Content": "export GITHUB_PAT=****************************************",
|
||||
"IsCause": true,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"Highlighted": "export GITHUB_PAT=****************************************",
|
||||
"FirstCause": true,
|
||||
"LastCause": true
|
||||
},
|
||||
{
|
||||
"Number": 6,
|
||||
"Content": "",
|
||||
"IsCause": false,
|
||||
"Annotation": "",
|
||||
"Truncated": false,
|
||||
"FirstCause": false,
|
||||
"LastCause": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"Match": "export GITHUB_PAT=****************************************",
|
||||
"Layer": {}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@@ -0,0 +1,5 @@
|
||||
format: json
|
||||
severity: CRITICAL
|
||||
vulnerability:
|
||||
type: os
|
||||
output: yamlconfig.test
|
||||
@@ -0,0 +1,105 @@
|
||||
{
|
||||
"SchemaVersion": 2,
|
||||
"ArtifactName": "alpine:3.10",
|
||||
"ArtifactType": "container_image",
|
||||
"Metadata": {
|
||||
"OS": {
|
||||
"Family": "alpine",
|
||||
"Name": "3.10.9",
|
||||
"EOSL": true
|
||||
},
|
||||
"ImageID": "sha256:e7b300aee9f9bf3433d32bc9305bfdd22183beb59d933b48d77ab56ba53a197a",
|
||||
"DiffIDs": [
|
||||
"sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
|
||||
],
|
||||
"RepoTags": [
|
||||
"alpine:3.10"
|
||||
],
|
||||
"RepoDigests": [
|
||||
"alpine@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98"
|
||||
],
|
||||
"ImageConfig": {
|
||||
"architecture": "amd64",
|
||||
"container": "fdb7e80e3339e8d0599282e606c907aa5881ee4c668a68136119e6dfac6ce3a4",
|
||||
"created": "2021-04-14T19:20:05.338397761Z",
|
||||
"docker_version": "19.03.12",
|
||||
"history": [
|
||||
{
|
||||
"created": "2021-04-14T19:20:04.987219124Z",
|
||||
"created_by": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / "
|
||||
},
|
||||
{
|
||||
"created": "2021-04-14T19:20:05.338397761Z",
|
||||
"created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
|
||||
"empty_layer": true
|
||||
}
|
||||
],
|
||||
"os": "linux",
|
||||
"rootfs": {
|
||||
"type": "layers",
|
||||
"diff_ids": [
|
||||
"sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
|
||||
]
|
||||
},
|
||||
"config": {
|
||||
"Cmd": [
|
||||
"/bin/sh"
|
||||
],
|
||||
"Env": [
|
||||
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||
],
|
||||
"Image": "sha256:eb2080c455e94c22ae35b3aef9e078c492a00795412e026e4d6b41ef64bc7dd8"
|
||||
}
|
||||
}
|
||||
},
|
||||
"Results": [
|
||||
{
|
||||
"Target": "alpine:3.10 (alpine 3.10.9)",
|
||||
"Class": "os-pkgs",
|
||||
"Type": "alpine",
|
||||
"Vulnerabilities": [
|
||||
{
|
||||
"VulnerabilityID": "CVE-2021-36159",
|
||||
"PkgID": "apk-tools@2.10.6-r0",
|
||||
"PkgName": "apk-tools",
|
||||
"InstalledVersion": "2.10.6-r0",
|
||||
"FixedVersion": "2.10.7-r0",
|
||||
"Layer": {
|
||||
"Digest": "sha256:396c31837116ac290458afcb928f68b6cc1c7bdd6963fc72f52f365a2a89c1b5",
|
||||
"DiffID": "sha256:9fb3aa2f8b8023a4bebbf92aa567caf88e38e969ada9f0ac12643b2847391635"
|
||||
},
|
||||
"SeveritySource": "nvd",
|
||||
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-36159",
|
||||
"DataSource": {
|
||||
"ID": "alpine",
|
||||
"Name": "Alpine Secdb",
|
||||
"URL": "https://secdb.alpinelinux.org/"
|
||||
},
|
||||
"Description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
|
||||
"Severity": "CRITICAL",
|
||||
"CweIDs": [
|
||||
"CWE-125"
|
||||
],
|
||||
"CVSS": {
|
||||
"nvd": {
|
||||
"V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
|
||||
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
|
||||
"V2Score": 6.4,
|
||||
"V3Score": 9.1
|
||||
}
|
||||
},
|
||||
"References": [
|
||||
"https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch",
|
||||
"https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10749",
|
||||
"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E",
|
||||
"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E",
|
||||
"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E",
|
||||
"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"
|
||||
],
|
||||
"PublishedDate": "2021-08-03T14:15:00Z",
|
||||
"LastModifiedDate": "2021-10-18T12:19:00Z"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
+49
-31
@@ -1,61 +1,71 @@
|
||||
#!/usr/bin/env bats
|
||||
load '/usr/lib/bats-support/load.bash'
|
||||
load '/usr/lib/bats-assert/load.bash'
|
||||
bats_load_library bats-support
|
||||
bats_load_library bats-assert
|
||||
bats_load_library bats-file
|
||||
|
||||
@test "trivy repo with securityCheck secret only" {
|
||||
# trivy repo --format json --output repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
|
||||
run ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
|
||||
run diff repo.test ./test/data/repo.test
|
||||
echo "$output"
|
||||
assert_files_equal repo.test ./test/data/repo.test
|
||||
}
|
||||
|
||||
@test "trivy image" {
|
||||
# trivy image --severity CRITICAL --output image.test knqyf263/vuln-image:1.2.3
|
||||
./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL'
|
||||
result="$(diff ./test/data/image.test image.test)"
|
||||
[ "$result" == '' ]
|
||||
run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image.test' '-g CRITICAL'
|
||||
run diff image.test ./test/data/image.test
|
||||
echo "$output"
|
||||
assert_files_equal image.test ./test/data/image.test
|
||||
}
|
||||
|
||||
@test "trivy image sarif report" {
|
||||
# trivy image --severity CRITICAL -f sarif --output image-sarif.test knqyf263/vuln-image:1.2.3
|
||||
./entrypoint.sh '-a image' '-b sarif' '-i knqyf263/vuln-image:1.2.3' '-h image-sarif.test' '-g CRITICAL'
|
||||
result="$(diff ./test/data/image-sarif.test image-sarif.test)"
|
||||
[ "$result" == '' ]
|
||||
@test "trivy config sarif report" {
|
||||
# trivy config --format sarif --output config-sarif.test .
|
||||
run ./entrypoint.sh '-a config' '-b sarif' '-h config-sarif.test' '-j .'
|
||||
run diff config-sarif.test ./test/data/config-sarif.test
|
||||
echo "$output"
|
||||
assert_files_equal config-sarif.test ./test/data/config-sarif.test
|
||||
}
|
||||
|
||||
@test "trivy config" {
|
||||
# trivy config --format json --output config.test .
|
||||
./entrypoint.sh '-a config' '-b json' '-j .' '-h config.test'
|
||||
result="$(diff ./test/data/config.test config.test)"
|
||||
[ "$result" == '' ]
|
||||
run ./entrypoint.sh '-a config' '-b json' '-j .' '-h config.test'
|
||||
run diff config.test ./test/data/config.test
|
||||
echo "$output"
|
||||
assert_files_equal config.test ./test/data/config.test
|
||||
}
|
||||
|
||||
@test "trivy rootfs" {
|
||||
# trivy rootfs --output rootfs.test .
|
||||
./entrypoint.sh '-a rootfs' '-j .' '-h rootfs.test'
|
||||
result="$(diff ./test/data/rootfs.test rootfs.test)"
|
||||
[ "$result" == '' ]
|
||||
run ./entrypoint.sh '-a rootfs' '-j .' '-h rootfs.test'
|
||||
run diff rootfs.test ./test/data/rootfs.test
|
||||
echo "$output"
|
||||
assert_files_equal rootfs.test ./test/data/rootfs.test
|
||||
}
|
||||
|
||||
@test "trivy fs" {
|
||||
# trivy fs --output fs.test .
|
||||
./entrypoint.sh '-a fs' '-j .' '-h fs.test'
|
||||
result="$(diff ./test/data/fs.test fs.test)"
|
||||
[ "$result" == '' ]
|
||||
run ./entrypoint.sh '-a fs' '-j .' '-h fs.test'
|
||||
run diff fs.test ./test/data/fs.test
|
||||
echo "$output"
|
||||
assert_files_equal fs.test ./test/data/fs.test
|
||||
}
|
||||
|
||||
@test "trivy fs with securityChecks option" {
|
||||
# trivy fs --format json --security-checks=vuln,config --output fs-scheck.test .
|
||||
./entrypoint.sh '-a fs' '-b json' '-j .' '-s vuln,config,secret' '-h fs-scheck.test'
|
||||
result="$(diff ./test/data/fs-scheck.test fs-scheck.test)"
|
||||
[ "$result" == '' ]
|
||||
run ./entrypoint.sh '-a fs' '-b json' '-j .' '-s vuln,config,secret' '-h fs-scheck.test'
|
||||
run diff fs-scheck.test ./test/data/fs-scheck.test
|
||||
echo "$output"
|
||||
assert_files_equal fs-scheck.test ./test/data/fs-scheck.test
|
||||
}
|
||||
|
||||
@test "trivy repo with securityCheck secret only" {
|
||||
# trivy repo --output repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
|
||||
./entrypoint.sh '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
|
||||
result="$(diff ./test/data/repo.test repo.test)"
|
||||
[ "$result" == '' ]
|
||||
}
|
||||
|
||||
@test "trivy image with trivyIgnores option" {
|
||||
# cat ./test/data/.trivyignore1 ./test/data/.trivyignore2 > ./trivyignores ; trivy image --severity CRITICAL --output image-trivyignores.test --ignorefile ./trivyignores knqyf263/vuln-image:1.2.3
|
||||
./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/.trivyignore1,./test/data/.trivyignore2'
|
||||
result="$(diff ./test/data/image-trivyignores.test image-trivyignores.test)"
|
||||
[ "$result" == '' ]
|
||||
run ./entrypoint.sh '-a image' '-i knqyf263/vuln-image:1.2.3' '-h image-trivyignores.test' '-g CRITICAL' '-t ./test/data/.trivyignore1,./test/data/.trivyignore2'
|
||||
run diff image-trivyignores.test ./test/data/image-trivyignores.test
|
||||
echo "$output"
|
||||
assert_files_equal image-trivyignores.test ./test/data/image-trivyignores.test
|
||||
}
|
||||
|
||||
@test "trivy image with sbom output" {
|
||||
@@ -63,3 +73,11 @@ load '/usr/lib/bats-assert/load.bash'
|
||||
run ./entrypoint.sh "-a image" "-b github" "-i knqyf263/vuln-image:1.2.3"
|
||||
assert_output --partial '"package_url": "pkg:apk/ca-certificates@20171114-r0",' # TODO: Output contains time, need to mock
|
||||
}
|
||||
|
||||
@test "trivy image with trivy.yaml config" {
|
||||
# trivy --config=./test/data/trivy.yaml image alpine:3.10
|
||||
run ./entrypoint.sh "-v ./test/data/trivy.yaml" "-a image" "-i alpine:3.10"
|
||||
run diff yamlconfig.test ./test/data/yamlconfig.test
|
||||
echo "$output"
|
||||
assert_files_equal yamlconfig.test ./test/data/yamlconfig.test
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user