trivy multiple false positives when scanning wildfly
Description
While scanning the latest Wildfly Docker image using `docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy jboss/wildfly@sha256:1f39dbbe874367e008c6d70fa687f1afec00a0304a53a8cf7d832b77221f6922` we encountered multiple false positives.
NOTE: We only took a look at the Java libraries as the other problems are not Wildfly related.
Scan result output regarding the java libraries: https://gist.github.com/AB-xdev/b089f02206596979dbe46523917f9a39
List of false positives:
CVE-2018-1048
Example:
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---|---|---|---|---|---|
| io.undertow:undertow-core | CVE-2018-1048 | HIGH | 2.2.8.Final | | undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (avd.aquasec.com/nvd/cve-2018-1048) |

https://bugzilla.redhat.com/show_bug.cgi?id=1534343 says this is fixed (Status: CLOSED ERRATA), however no affected and fixed versions are specified.
CVE-2018-1067
Example:
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---|---|---|---|---|---|
| io.undertow:undertow-core | CVE-2018-1067 | MEDIUM | 2.2.8.Final | 7.1.2 | undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of... (avd.aquasec.com/nvd/cve-2018-1067) |

Version 7.1.2 does not exist (see https://mvnrepository.com/artifact/io.undertow/undertow-core); the latest version is 2.2.10.Final.
CVE-2020-13947
Example:
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---|---|---|---|---|---|
| org.apache.activemq:artemis-server | CVE-2020-13947 | MEDIUM | 2.16.0 | 5.15.14, 5.16.1 | Cross-site Scripting (avd.aquasec.com/nvd/cve-2020-13947) |

Versions 5.15.14 and 5.16.1 do not exist (see https://mvnrepository.com/artifact/org.apache.activemq/artemis-server); the latest version is 2.18.0.
CVE-2020-25633
Example:
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---|---|---|---|---|---|
| org.jboss.resteasy:resteasy-client | CVE-2020-25633 | MEDIUM | 3.15.1.Final | 4.5.7.Final | resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling (avd.aquasec.com/nvd/cve-2020-25633) |

https://issues.redhat.com/browse/WFLY-13930 states that this was fixed in 3.14.0.Final and not only in 4.5.7.Final.
CVE-2021-20289
Example:
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---|---|---|---|---|---|
| org.jboss.resteasy:resteasy-jaxrs | CVE-2021-20289 | MEDIUM | 3.15.1.Final | | resteasy: Error message exposes endpoint class information (avd.aquasec.com/nvd/cve-2021-20289) |

The fixed version is missing or the wrong one (4.6.1.Alpha1). As stated in https://bugzilla.redhat.com/show_bug.cgi?id=1935927:
Fixed In Version: resteasy 3.11.5.Final, resteasy 3.15.2.Final, resteasy 4.5.10.Final, resteasy 4.6.1.Final, resteasy 4.6.2.Final
What did you expect to happen?
No false positives.
What happened instead?
False positives.
Output of run with `-debug`:
Adding all the output in this issue blows it up... You can find it here: https://gist.github.com/AB-xdev/a813319037c6d6124b0d620e6aa6447c
Output of `trivy -v`:
```
docker run --rm aquasec/trivy -v
Version: 0.18.3
```
7 Answers:
Note: Above I used an outdated version because it was cached by Docker. However, the problem also persists on the latest version (Version: 0.19.2).
@AB-xdev I investigated the cause and it turns out the root issue is in the GitLab Advisory Database https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/maven/io.undertow/undertow-core/CVE-2018-1067.yml. Please contact them for fixes.
Created an issue by them: https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/166
Thank you for the fast reply 😄
@AndreyLevchenko @knqyf263
https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/166#note_670003831
The corresponding advisory states (,3.14.0),[4.5.0,4.5.6] which does not include 3.15.1.Final. I just ran a quick check on a demo project to make sure that GitLab Dependency Scanning does not report this vulnerability for a project that includes resteasy-client 3.15.1.Final as a dependency. CVE-2020-25633 is not reported by GitLab Dependency Scanning (true negative). Hence, I assume the CVE-2020-25633 false positive could be caused by a version matching issue within Trivy.
So if I read this correctly, something seems to be wrong here with Trivy.
GitLab also merged a PR that should fix the following false-reported CVEs: https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/merge_requests/9082/diffs#01b7847e2fadaa2e7b394549044630ce464d3e6e
- CVE-2018-1048
- CVE-2018-1067
- CVE-2020-13947
- CVE-2021-20289
However, these changes currently have no effect when re-scanning the affected image. Looks like I have to wait until the database gets updated...
@AB-xdev @knqyf263 I've raised an issue about CVE-2020-25633 https://github.community/t/reporting-an-issue-with-github-security-advisories-cve-2020-25633/200071 (I investigated the issue and found that it's related to the GitHub Advisory)
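The two version questions in this thread can be checked mechanically: whether 3.15.1.Final falls inside the GitLab range `(,3.14.0),[4.5.0,4.5.6]` quoted for CVE-2020-25633, and which entry of the per-branch fixed-version list for CVE-2021-20289 actually applies to an installed 3.15.1.Final. The script below is an added example, not code from this issue or from Trivy; it is a simplified reimplementation of Maven's `ComparableVersion` ordering (numbers compare numerically, `Final`/`GA`/`Release` mean a plain release, `Alpha`/`Beta`/`RC` sort before it), and the range and fix lists are the values quoted above. The branch-aware `is_affected` helper and the `naive_is_affected` shortcut it is contrasted with are this example's own design, not how any particular scanner works.

```python
"""Maven-style version ordering and range matching (added example, not Trivy code)."""
import re
from functools import cmp_to_key

QUALIFIER_RANK = {"alpha": 1, "a": 1, "beta": 2, "b": 2, "milestone": 3, "m": 3,
                  "rc": 4, "cr": 4, "snapshot": 5, "sp": 7}
RELEASE_RANK = 6                              # rank of a missing / empty qualifier
RELEASE_ALIASES = {"final", "ga", "release"}  # dropped: 3.15.1.Final == 3.15.1

# Fixed versions quoted from the Red Hat bug for CVE-2021-20289 in the thread above.
RESTEASY_FIXES = ["3.11.5.Final", "3.15.2.Final", "4.5.10.Final", "4.6.1.Final", "4.6.2.Final"]
# Affected range quoted from the GitLab advisory note for CVE-2020-25633.
RESTEASY_CLIENT_RANGE = "(,3.14.0),[4.5.0,4.5.6]"


def version_key(version):
    """Tokenize: (1, n, '') for numbers, (0, rank, name) for qualifiers."""
    items = []
    for tok in re.findall(r"\d+|[a-z]+", version.lower()):
        if tok.isdigit():
            items.append((1, int(tok), ""))
        elif tok in RELEASE_ALIASES:
            continue
        elif tok in QUALIFIER_RANK:
            items.append((0, QUALIFIER_RANK[tok], ""))
        else:
            items.append((0, 8, tok))          # unknown qualifier sorts after a release
    return items


def _cmp_item(x, y):
    if x is None and y is None:
        return 0
    if x is None:
        return -_cmp_item(y, None)
    if y is None:                              # item versus "nothing" in a shorter version
        if x[0] == 1:
            return 1 if x[1] > 0 else 0        # 1.0 == 1, but 1.1 > 1
        return (x[1] > RELEASE_RANK) - (x[1] < RELEASE_RANK)  # 1-alpha < 1 < 1-sp
    if x[0] != y[0]:
        return x[0] - y[0]                     # a number beats any qualifier
    return (x > y) - (x < y)


def compare(a, b):
    """Classic comparator: -1 if a < b, 0 if equal, 1 if a > b."""
    ka, kb = version_key(a), version_key(b)
    for i in range(max(len(ka), len(kb))):
        c = _cmp_item(ka[i] if i < len(ka) else None, kb[i] if i < len(kb) else None)
        if c:
            return c
    return 0


def parse_range(spec):
    """'(,3.14.0),[4.5.0,4.5.6]' -> [(lo, lo_inclusive, hi, hi_inclusive), ...]."""
    intervals = []
    for piece in re.findall(r"[\[(][^\])]*[\])]", spec):
        body = piece[1:-1]
        lo, hi = (s.strip() for s in body.split(",", 1)) if "," in body else (body.strip(),) * 2
        intervals.append((lo or None, piece[0] == "[", hi or None, piece[-1] == "]"))
    if not intervals:
        raise ValueError("no interval in %r" % spec)
    return intervals


def in_range(version, spec):
    """True when the version falls inside any interval of the Maven range spec."""
    for lo, lo_inc, hi, hi_inc in parse_range(spec):
        if lo is not None:
            c = compare(version, lo)
            if c < 0 or (c == 0 and not lo_inc):
                continue
        if hi is not None:
            c = compare(version, hi)
            if c > 0 or (c == 0 and not hi_inc):
                continue
        return True
    return False


def naive_is_affected(installed, fixed_versions):
    """The shortcut that yields branch false positives: 'older than the newest fix'."""
    newest = max(fixed_versions, key=cmp_to_key(compare))
    return compare(installed, newest) < 0


def is_affected(installed, fixed_versions):
    """Branch-aware check: compare against the fix on the installed major.minor
    branch, or, when that branch has none, against the nearest later fix."""
    branch = version_key(installed)[:2]
    same = [f for f in fixed_versions if version_key(f)[:2] == branch]
    pool = same or [f for f in fixed_versions if compare(f, installed) > 0]
    return bool(pool) and compare(installed, min(pool, key=cmp_to_key(compare))) < 0


if __name__ == "__main__":
    print("3.15.1.Final in", RESTEASY_CLIENT_RANGE, "->", in_range("3.15.1.Final", RESTEASY_CLIENT_RANGE))
    for v in ["3.15.1.Final", "3.15.2.Final", "4.6.1.Alpha1"]:
        print(v, "naive:", naive_is_affected(v, RESTEASY_FIXES), "branch-aware:", is_affected(v, RESTEASY_FIXES))
```

Running it shows 3.15.1.Final is outside the GitLab range (the true negative GitLab observed), that 3.15.1.Final is genuinely affected by CVE-2021-20289 because the 3.15 branch fix is 3.15.2.Final, and that the naive "older than the newest fix" rule would still flag 3.15.2.Final, which is exactly the kind of branch false positive the thread is about. Version logic cannot rescue an advisory whose fixed versions belong to a different product, as with the artemis-server entry; that has to be corrected in the advisory data itself.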
Update:
Re-scanned the image and...
- CVE-2018-1048 is not found anymore ✔️
- CVE-2018-1067 is not found anymore ✔️
- CVE-2020-13947 is not found anymore ✔️
- CVE-2021-20289 contains fixed versions ✔️
- CVE-2020-25633 shows up, but this is reported to GitHub as mentioned above
Thank you for the quick response and the fast solutions!