Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: use additional skip-files arg in scan job understood by Trivy #860

Merged
merged 2 commits into from
Mar 18, 2024
Merged

fix: use additional skip-files arg in scan job understood by Trivy #860

merged 2 commits into from
Mar 18, 2024

Conversation

erikgb
Copy link
Member

@erikgb erikgb commented Mar 17, 2024

It seems like Trivy somehow strips off the first part of the path when walking the filesystem, which makes the skip-files argument added in #850 non-effective. This PR is a workaround that sets the argument to a value making it effective.

To debug this, I created a long-running workload configured as our scan jobs.Without this fix, the vulnerabilities present in the trivy binary is reported. Note the path presented in the report!

run/image-scanner/trivy (gobinary)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 1, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │  Status  │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/protobuf │ CVE-2024-24786 │ MEDIUM   │ fixed    │ v1.32.0           │ 1.33.0        │ golang-protobuf: encoding/protojson, internal/encoding/json: │
│                            │                │          │          │                   │               │ infinite loop in protojson.Unmarshal when unmarshaling       │
│                            │                │          │          │                   │               │ certain forms of...                                          │
│                            │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-24786                   │
├────────────────────────────┼────────────────┼──────────┤          ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ helm.sh/helm/v3            │ CVE-2024-26147 │ HIGH     │          │ v3.14.0           │ 3.14.2        │ helm: Missing YAML Content Leads To Panic                    │
│                            │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-26147                   │
│                            ├────────────────┼──────────┼──────────┤                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2019-25210 │ MEDIUM   │ affected │                   │               │ helm: shows secrets with --dry-run option in clear text      │
│                            │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-25210                   │
│                            ├────────────────┤          ├──────────┤                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-25620 │          │ fixed    │                   │ 3.14.1        │ helm: Dependency management path traversal                   │
│                            │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-25620                   │
└────────────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

@erikgb erikgb requested a review from a team as a code owner March 17, 2024 10:23
@tenstad tenstad changed the title fix: use skip-files arg in scan jobb understood by Trivy fix: use skip-files arg in scan job understood by Trivy Mar 18, 2024
tenstad
tenstad previously approved these changes Mar 18, 2024
View reviewed changes
@erikgb erikgb changed the title fix: use skip-files arg in scan job understood by Trivy fix: use additional skip-files arg in scan job understood by Trivy Mar 18, 2024
@erikgb erikgb requested a review from tenstad March 18, 2024 08:54
@erikgb erikgb enabled auto-merge (squash) March 18, 2024 08:54
@erikgb erikgb merged commit a33f4a6 into statnett:main Mar 18, 2024
11 checks passed
@statnett-bot statnett-bot bot mentioned this pull request Mar 18, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tenstad tenstad tenstad approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@erikgb @tenstad