-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add container security audit? #6
Comments
Sounds good. I've typically named workflows of this shape into an "audit" GitHub Actions workflow so it can be set to run periodically as well as on PRs + master pushes. See https://github.com/artichoke/artichoke/blob/6648914ecc5687b9b8187b0f06b19d4fa749f462/.github/workflows/audit.yaml for an example |
@lopopolo Shouldn't we make it a part of the image workflow though? I'm thinking of the scenario if we have a critical vulnerability in the image - we would want to gate the push in that case, no? Or are you thinking of something else here? |
Oh I see. Isn't it likely that many past nightly builds will also be vulnerable to the same defects? What value is there in blocking nightlies only once a vuln has been discovered? |
There is, of course, a scenario where there would be a vulnerability that affects all the images in the past, but I think there's value in not letting out nightlies if we managed to introduce one (e.g. building on a new target that ends up insecure, adding a runtime dep that's insecure, etc.) Or do you think the benefit is marginal? (which is fair) |
Oh I see. Gating builds on detected vulns is kinda like being a good citizen and not spewing out more vulnerable software. In that case, this seems like a good build step to add 🙂 |
I took a peek at this, and it looks like this is not practical to run in CI. This is the results of running $ trivy image artichokeruby/artichoke
2021-10-02T10:31:59.203-0700 INFO Detected OS: ubuntu
2021-10-02T10:31:59.203-0700 INFO Detecting Ubuntu vulnerabilities...
2021-10-02T10:31:59.204-0700 INFO Number of language-specific files: 0
artichokeruby/artichoke (ubuntu 20.04)
======================================
Total: 22 (UNKNOWN: 0, LOW: 22, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+------------+------------------+----------+--------------------------+---------------+-----------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+------------+------------------+----------+--------------------------+---------------+-----------------------------------------+
| bash | CVE-2019-18276 | LOW | 5.0-6ubuntu1.1 | | bash: when effective UID is not |
| | | | | | equal to its real UID the... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-18276 |
+------------+------------------+ +--------------------------+---------------+-----------------------------------------+
| coreutils | CVE-2016-2781 | | 8.30-3ubuntu2 | | coreutils: Non-privileged |
| | | | | | session can escape to the |
| | | | | | parent session in chroot |
| | | | | | -->avd.aquasec.com/nvd/cve-2016-2781 |
+------------+------------------+ +--------------------------+---------------+-----------------------------------------+
| libc-bin | CVE-2016-10228 | | 2.31-0ubuntu9.2 | | glibc: iconv program can hang |
| | | | | | when invoked with the -c option |
| | | | | | -->avd.aquasec.com/nvd/cve-2016-10228 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-25013 | | | | glibc: buffer over-read in |
| | | | | | iconv when processing invalid |
| | | | | | multi-byte input sequences in... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-25013 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2020-27618 | | | | glibc: iconv when processing |
| | | | | | invalid multi-byte input |
| | | | | | sequences fails to advance the... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-27618 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2020-29562 | | | | glibc: assertion failure in iconv |
| | | | | | when converting invalid UCS4 |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-29562 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2020-6096 | | | | glibc: signed comparison |
| | | | | | vulnerability in the |
| | | | | | ARMv7 memcpy function |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-6096 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-27645 | | | | glibc: Use-after-free in |
| | | | | | addgetnetgrentX function |
| | | | | | in netgroupcache.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-27645 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-3326 | | | | glibc: Assertion failure in |
| | | | | | ISO-2022-JP-3 gconv module |
| | | | | | related to combining characters |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3326 |
+------------+------------------+ + +---------------+-----------------------------------------+
| libc6 | CVE-2016-10228 | | | | glibc: iconv program can hang |
| | | | | | when invoked with the -c option |
| | | | | | -->avd.aquasec.com/nvd/cve-2016-10228 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-25013 | | | | glibc: buffer over-read in |
| | | | | | iconv when processing invalid |
| | | | | | multi-byte input sequences in... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-25013 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2020-27618 | | | | glibc: iconv when processing |
| | | | | | invalid multi-byte input |
| | | | | | sequences fails to advance the... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-27618 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2020-29562 | | | | glibc: assertion failure in iconv |
| | | | | | when converting invalid UCS4 |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-29562 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2020-6096 | | | | glibc: signed comparison |
| | | | | | vulnerability in the |
| | | | | | ARMv7 memcpy function |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-6096 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-27645 | | | | glibc: Use-after-free in |
| | | | | | addgetnetgrentX function |
| | | | | | in netgroupcache.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-27645 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-3326 | | | | glibc: Assertion failure in |
| | | | | | ISO-2022-JP-3 gconv module |
| | | | | | related to combining characters |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3326 |
+------------+------------------+ +--------------------------+---------------+-----------------------------------------+
| libpcre3 | CVE-2017-11164 | | 2:8.39-12build1 | | pcre: OP_KETRMAX feature in the |
| | | | | | match function in pcre_exec.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-11164 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-20838 | | | | pcre: buffer over-read in |
| | | | | | JIT when UTF is disabled |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-20838 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2020-14155 | | | | pcre: integer overflow in libpcre |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-14155 |
+------------+------------------+ +--------------------------+---------------+-----------------------------------------+
| libtasn1-6 | CVE-2018-1000654 | | 4.16.0-2 | | libtasn1: Infinite loop in |
| | | | | | _asn1_expand_object_id(ptree) |
| | | | | | leads to memory exhaustion |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-1000654 |
+------------+------------------+ +--------------------------+---------------+-----------------------------------------+
| login | CVE-2013-4235 | | 1:4.8.1-1ubuntu5.20.04.1 | | shadow-utils: TOCTOU race |
| | | | | | conditions by copying and |
| | | | | | removing directory trees |
| | | | | | -->avd.aquasec.com/nvd/cve-2013-4235 |
+------------+ + + +---------------+ +
| passwd | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+------------+------------------+----------+--------------------------+---------------+-----------------------------------------+
$ trivy image artichokeruby/artichoke:alpine-nightly
2021-10-02T10:32:43.308-0700 INFO Detected OS: alpine
2021-10-02T10:32:43.308-0700 INFO Detecting Alpine vulnerabilities...
2021-10-02T10:32:43.309-0700 INFO Number of language-specific files: 0
artichokeruby/artichoke:alpine-nightly (alpine 3.14.2)
======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
$ trivy image artichokeruby/artichoke:slim-nightly
2021-10-02T10:32:51.869-0700 INFO Detected OS: debian
2021-10-02T10:32:51.870-0700 INFO Detecting Debian vulnerabilities...
2021-10-02T10:32:51.880-0700 INFO Number of language-specific files: 0
artichokeruby/artichoke:slim-nightly (debian 11.0)
==================================================
Total: 65 (UNKNOWN: 0, LOW: 12, MEDIUM: 27, HIGH: 22, CRITICAL: 4)
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| apt | CVE-2011-3374 | LOW | 2.2.4 | | It was found that apt-key in apt, |
| | | | | | all versions, do not correctly... |
| | | | | | -->avd.aquasec.com/nvd/cve-2011-3374 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| coreutils | CVE-2016-2781 | MEDIUM | 8.32-4 | | coreutils: Non-privileged |
| | | | | | session can escape to the |
| | | | | | parent session in chroot |
| | | | | | -->avd.aquasec.com/nvd/cve-2016-2781 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2017-18018 | | | | coreutils: race condition |
| | | | | | vulnerability in chown and chgrp |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-18018 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libapt-pkg6.0 | CVE-2011-3374 | LOW | 2.2.4 | | It was found that apt-key in apt, |
| | | | | | all versions, do not correctly... |
| | | | | | -->avd.aquasec.com/nvd/cve-2011-3374 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libc-bin | CVE-2019-1010022 | CRITICAL | 2.31-13 | | glibc: stack guard protection bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-33574 | | | | glibc: mq_notify does |
| | | | | | not handle separately |
| | | | | | allocated thread attributes |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-33574 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2018-20796 | HIGH | | | glibc: uncontrolled recursion in |
| | | | | | function check_dst_limits_calc_pos_1 |
| | | | | | in posix/regexec.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20796 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010023 | | | | glibc: running ldd on malicious ELF |
| | | | | | leads to code execution because of... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010023 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-9192 | | | | glibc: uncontrolled recursion in |
| | | | | | function check_dst_limits_calc_pos_1 |
| | | | | | in posix/regexec.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-9192 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2010-4051 | MEDIUM | | | CVE-2010-4052 glibc: De-recursivise |
| | | | | | regular expression engine |
| | | | | | -->avd.aquasec.com/nvd/cve-2010-4051 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2010-4052 | | | | CVE-2010-4051 CVE-2010-4052 |
| | | | | | glibc: De-recursivise |
| | | | | | regular expression engine |
| | | | | | -->avd.aquasec.com/nvd/cve-2010-4052 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2010-4756 | | | | glibc: glob implementation |
| | | | | | can cause excessive CPU and |
| | | | | | memory consumption due to... |
| | | | | | -->avd.aquasec.com/nvd/cve-2010-4756 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010024 | | | | glibc: ASLR bypass using |
| | | | | | cache of thread stack and heap |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010024 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010025 | | | | glibc: information disclosure of heap |
| | | | | | addresses of pthread_created thread |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010025 |
+------------------+------------------+----------+ +---------------+-----------------------------------------+
| libc6 | CVE-2019-1010022 | CRITICAL | | | glibc: stack guard protection bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-33574 | | | | glibc: mq_notify does |
| | | | | | not handle separately |
| | | | | | allocated thread attributes |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-33574 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2018-20796 | HIGH | | | glibc: uncontrolled recursion in |
| | | | | | function check_dst_limits_calc_pos_1 |
| | | | | | in posix/regexec.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20796 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010023 | | | | glibc: running ldd on malicious ELF |
| | | | | | leads to code execution because of... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010023 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-9192 | | | | glibc: uncontrolled recursion in |
| | | | | | function check_dst_limits_calc_pos_1 |
| | | | | | in posix/regexec.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-9192 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2010-4051 | MEDIUM | | | CVE-2010-4052 glibc: De-recursivise |
| | | | | | regular expression engine |
| | | | | | -->avd.aquasec.com/nvd/cve-2010-4051 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2010-4052 | | | | CVE-2010-4051 CVE-2010-4052 |
| | | | | | glibc: De-recursivise |
| | | | | | regular expression engine |
| | | | | | -->avd.aquasec.com/nvd/cve-2010-4052 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2010-4756 | | | | glibc: glob implementation |
| | | | | | can cause excessive CPU and |
| | | | | | memory consumption due to... |
| | | | | | -->avd.aquasec.com/nvd/cve-2010-4756 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010024 | | | | glibc: ASLR bypass using |
| | | | | | cache of thread stack and heap |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010024 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-1010025 | | | | glibc: information disclosure of heap |
| | | | | | addresses of pthread_created thread |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-1010025 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libgcrypt20 | CVE-2018-6829 | HIGH | 1.8.7-6 | | libgcrypt: ElGamal implementation |
| | | | | | doesn't have semantic security due |
| | | | | | to incorrectly encoded plaintexts... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-6829 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2021-40528 | MEDIUM | | | libgcrypt: ElGamal implementation |
| | | | | | allows plaintext recovery |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-40528 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| libgnutls30 | CVE-2011-3389 | | 3.7.1-5 | | HTTPS: block-wise chosen-plaintext |
| | | | | | attack against SSL/TLS (BEAST) |
| | | | | | -->avd.aquasec.com/nvd/cve-2011-3389 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libgssapi-krb5-2 | CVE-2018-5709 | HIGH | 1.18.3-6 | | krb5: integer overflow |
| | | | | | in dbentry->n_key_data |
| | | | | | in kadmin/dbutil/dump.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-5709 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2021-37750 | MEDIUM | | | krb5: NULL pointer dereference |
| | | | | | in process_tgs_req() in |
| | | | | | kdc/do_tgs_req.c via a FAST inner... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-37750 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2004-0971 | LOW | | | security flaw |
| | | | | | -->avd.aquasec.com/nvd/cve-2004-0971 |
+------------------+------------------+----------+ +---------------+-----------------------------------------+
| libk5crypto3 | CVE-2018-5709 | HIGH | | | krb5: integer overflow |
| | | | | | in dbentry->n_key_data |
| | | | | | in kadmin/dbutil/dump.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-5709 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2021-37750 | MEDIUM | | | krb5: NULL pointer dereference |
| | | | | | in process_tgs_req() in |
| | | | | | kdc/do_tgs_req.c via a FAST inner... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-37750 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2004-0971 | LOW | | | security flaw |
| | | | | | -->avd.aquasec.com/nvd/cve-2004-0971 |
+------------------+------------------+----------+ +---------------+-----------------------------------------+
| libkrb5-3 | CVE-2018-5709 | HIGH | | | krb5: integer overflow |
| | | | | | in dbentry->n_key_data |
| | | | | | in kadmin/dbutil/dump.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-5709 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2021-37750 | MEDIUM | | | krb5: NULL pointer dereference |
| | | | | | in process_tgs_req() in |
| | | | | | kdc/do_tgs_req.c via a FAST inner... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-37750 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2004-0971 | LOW | | | security flaw |
| | | | | | -->avd.aquasec.com/nvd/cve-2004-0971 |
+------------------+------------------+----------+ +---------------+-----------------------------------------+
| libkrb5support0 | CVE-2018-5709 | HIGH | | | krb5: integer overflow |
| | | | | | in dbentry->n_key_data |
| | | | | | in kadmin/dbutil/dump.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-5709 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2021-37750 | MEDIUM | | | krb5: NULL pointer dereference |
| | | | | | in process_tgs_req() in |
| | | | | | kdc/do_tgs_req.c via a FAST inner... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-37750 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2004-0971 | LOW | | | security flaw |
| | | | | | -->avd.aquasec.com/nvd/cve-2004-0971 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libpcre3 | CVE-2017-11164 | HIGH | 2:8.39-13 | | pcre: OP_KETRMAX feature in the |
| | | | | | match function in pcre_exec.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-11164 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2017-7245 | | | | pcre: stack-based buffer overflow |
| | | | | | write in pcre32_copy_substring |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-7245 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2017-7246 | | | | pcre: stack-based buffer overflow |
| | | | | | write in pcre32_copy_substring |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-7246 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-20838 | | | | pcre: buffer over-read in |
| | | | | | JIT when UTF is disabled |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-20838 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2017-16231 | MEDIUM | | | pcre: self-recursive call |
| | | | | | in match() in pcre_exec.c |
| | | | | | leads to denial of service... |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-16231 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libsepol1 | CVE-2021-36084 | LOW | 3.1-1 | | libsepol: use-after-free in |
| | | | | | __cil_verify_classperms() |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-36084 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-36085 | | | | libsepol: use-after-free in |
| | | | | | __cil_verify_classperms() |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-36085 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-36086 | | | | libsepol: use-after-free in |
| | | | | | cil_reset_classpermission() |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-36086 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-36087 | | | | libsepol: heap-based buffer |
| | | | | | overflow in ebitmap_match_any() |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-36087 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libssl1.1 | CVE-2007-6755 | MEDIUM | 1.1.1k-1+deb11u1 | | Dual_EC_DRBG: weak pseudo |
| | | | | | random number generator |
| | | | | | -->avd.aquasec.com/nvd/cve-2007-6755 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2010-0928 | | | | openssl: RSA authentication weakness |
| | | | | | -->avd.aquasec.com/nvd/cve-2010-0928 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| libsystemd0 | CVE-2020-13529 | | 247.3-6 | | systemd: DHCP FORCERENEW |
| | | | | | authentication not implemented |
| | | | | | can cause a system running the... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-13529 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2013-4392 | LOW | | | systemd: TOCTOU race condition |
| | | | | | when updating file permissions |
| | | | | | and SELinux security contexts... |
| | | | | | -->avd.aquasec.com/nvd/cve-2013-4392 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libtinfo6 | CVE-2021-39537 | HIGH | 6.2+20201114-2 | | ncurses: heap-based buffer overflow |
| | | | | | in _nc_captoinfo() in captoinfo.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-39537 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libudev1 | CVE-2020-13529 | MEDIUM | 247.3-6 | | systemd: DHCP FORCERENEW |
| | | | | | authentication not implemented |
| | | | | | can cause a system running the... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-13529 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2013-4392 | LOW | | | systemd: TOCTOU race condition |
| | | | | | when updating file permissions |
| | | | | | and SELinux security contexts... |
| | | | | | -->avd.aquasec.com/nvd/cve-2013-4392 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| login | CVE-2019-19882 | HIGH | 1:4.8.1-1 | | shadow-utils: local users can |
| | | | | | obtain root access because setuid |
| | | | | | programs are misconfigured... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-19882 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2007-5686 | MEDIUM | | | initscripts in rPath Linux 1 |
| | | | | | sets insecure permissions for |
| | | | | | the /var/log/btmp file,... |
| | | | | | -->avd.aquasec.com/nvd/cve-2007-5686 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2013-4235 | | | | shadow-utils: TOCTOU race |
| | | | | | conditions by copying and |
| | | | | | removing directory trees |
| | | | | | -->avd.aquasec.com/nvd/cve-2013-4235 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| ncurses-base | CVE-2021-39537 | HIGH | 6.2+20201114-2 | | ncurses: heap-based buffer overflow |
| | | | | | in _nc_captoinfo() in captoinfo.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-39537 |
+------------------+ + + +---------------+ +
| ncurses-bin | | | | | |
| | | | | | |
| | | | | | |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| passwd | CVE-2019-19882 | | 1:4.8.1-1 | | shadow-utils: local users can |
| | | | | | obtain root access because setuid |
| | | | | | programs are misconfigured... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-19882 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2007-5686 | MEDIUM | | | initscripts in rPath Linux 1 |
| | | | | | sets insecure permissions for |
| | | | | | the /var/log/btmp file,... |
| | | | | | -->avd.aquasec.com/nvd/cve-2007-5686 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2013-4235 | | | | shadow-utils: TOCTOU race |
| | | | | | conditions by copying and |
| | | | | | removing directory trees |
| | | | | | -->avd.aquasec.com/nvd/cve-2013-4235 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| perl-base | CVE-2011-4116 | HIGH | 5.32.1-4+deb11u1 | | perl: File::Temp insecure |
| | | | | | temporary file handling |
| | | | | | -->avd.aquasec.com/nvd/cve-2011-4116 |
+------------------+------------------+ +-------------------+---------------+-----------------------------------------+
| tar | CVE-2005-2541 | | 1.34+dfsg-1 | | tar: does not properly warn the user |
| | | | | | when extracting setuid or setgid... |
| | | | | | -->avd.aquasec.com/nvd/cve-2005-2541 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+ |
@lopopolo FWIW this is not about all vulnerabilities. Usually one sets CI to Thanks again for this awesome project ❤️ |
I'm thinking of adding a container security audit to the CI process, e.g.: https://github.com/aquasecurity/trivy
WDYT?
The text was updated successfully, but these errors were encountered: