Trivy: multiple false positives when scanning Wildfly

Description

While scanning the latest Wildfly docker image using docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy jboss/wildfly@sha256:1f39dbbe874367e008c6d70fa687f1afec00a0304a53a8cf7d832b77221f6922 we encountered multiple false positives.

NOTE: We only took a look at the Java libraries, as the other problems are not Wildfly-related.

Scan result output regarding the java libraries: https://gist.github.com/AB-xdev/b089f02206596979dbe46523917f9a39

List of false positives:

CVE-2018-1048

Example:

+---------------------------+------------------+----------+-------------------+---------------+--------------------------------------+
|          LIBRARY          | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+---------------------------+------------------+----------+-------------------+---------------+--------------------------------------+
| io.undertow:undertow-core | CVE-2018-1048    | HIGH     | 2.2.8.Final       |               | undertow: ALLOW_ENCODED_SLASH        |
|                           |                  |          |                   |               | option not taken into account        |
|                           |                  |          |                   |               | in the AjpRequestParser              |
|                           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-1048 |
+---------------------------+------------------+----------+-------------------+---------------+--------------------------------------+

https://bugzilla.redhat.com/show_bug.cgi?id=1534343 says this is fixed (Status: CLOSED ERRATA); however, no affected or fixed versions are specified.

CVE-2018-1067

Example:

+---------------------------+------------------+----------+-------------------+---------------+--------------------------------------+
|          LIBRARY          | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+---------------------------+------------------+----------+-------------------+---------------+--------------------------------------+
| io.undertow:undertow-core | CVE-2018-1067    | MEDIUM   | 2.2.8.Final       | 7.1.2         | undertow: HTTP header                |
|                           |                  |          |                   |               | injection using CRLF with UTF-8      |
|                           |                  |          |                   |               | Encoding (incomplete fix of...       |
|                           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-1067 |
+---------------------------+------------------+----------+-------------------+---------------+--------------------------------------+

Version 7.1.2 does not exist: https://mvnrepository.com/artifact/io.undertow/undertow-core

The latest version is 2.2.10.Final

CVE-2020-13947

Example:

+------------------------------------+------------------+----------+-------------------+-----------------+---------------------------------------+
|              LIBRARY               | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |  FIXED VERSION  |                 TITLE                 |
+------------------------------------+------------------+----------+-------------------+-----------------+---------------------------------------+
| org.apache.activemq:artemis-server | CVE-2020-13947   | MEDIUM   | 2.16.0            | 5.15.14, 5.16.1 | Cross-site Scripting                  |
|                                    |                  |          |                   |                 | -->avd.aquasec.com/nvd/cve-2020-13947 |
+------------------------------------+------------------+----------+-------------------+-----------------+---------------------------------------+

Versions 5.15.14 and 5.16.1 do not exist: https://mvnrepository.com/artifact/org.apache.activemq/artemis-server

The latest version is 2.18.0

CVE-2020-25633

Example:

+------------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|              LIBRARY               | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+------------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| org.jboss.resteasy:resteasy-client | CVE-2020-25633   | MEDIUM   | 3.15.1.Final      | 4.5.7.Final   | resteasy-client: potential            |
|                                    |                  |          |                   |               | sensitive information leakage         |
|                                    |                  |          |                   |               | in JAX-RS RESTEasy Client's           |
|                                    |                  |          |                   |               | WebApplicationException handling      |
|                                    |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-25633 |
+------------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+

https://issues.redhat.com/browse/WFLY-13930 states that this was fixed in 3.14.0.Final and not only in 4.5.7.Final.

CVE-2021-20289

Example:

+-----------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|              LIBRARY              | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+-----------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| org.jboss.resteasy:resteasy-jaxrs | CVE-2021-20289   | MEDIUM   | 3.15.1.Final      |               | resteasy: Error message exposes       |
|                                   |                  |          |                   |               | endpoint class information            |
|                                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-20289 |
+-----------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+

The fixed version is missing or wrong (4.6.1.Alpha1). As stated in https://bugzilla.redhat.com/show_bug.cgi?id=1935927:

Fixed In Version: resteasy 3.11.5.Final, resteasy 3.15.2.Final, resteasy 4.5.10.Final, resteasy 4.6.1.Final, resteasy 4.6.2.Final

What did you expect to happen?

No false positives.

What happened instead?

False positives.

Output of run with -debug:

Adding all the output in this issue blows it up... You can find it here: https://gist.github.com/AB-xdev/a813319037c6d6124b0d620e6aa6447c

Output of trivy -v:

docker run --rm aquasec/trivy -v
Version: 0.18.3
Asked Jan 12 '22 13:01
AB-xdev

7 Answers:

Note: Above I used an outdated version because it was cached by Docker. However, the problem also persists on the latest version, 0.19.2.

Answered Sep 01 '21 at 14:53
AB-xdev

@AB-xdev I investigated the cause and it turns out the root issue is in the GitLab Advisory Database https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/maven/io.undertow/undertow-core/CVE-2018-1067.yml. Please contact them for fixes.

Answered Sep 02 '21 at 07:35
AndreyLevchenko

Created an issue with them: https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/166

Thank you for the fast reply 😄

Answered Sep 02 '21 at 07:55
AB-xdev

@AndreyLevchenko @knqyf263

https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/166#note_670003831

The corresponding advisory states (,3.14.0),[4.5.0,4.5.6] which does not include 3.15.1.Final. I just ran a quick check on a demo project to make sure that GitLab Dependency Scanning does not report this vulnerability for a project that includes resteasy-client 3.15.1.Final as a dependency. CVE-2020-25633 is not reported by GitLab Dependency Scanning (true negative). Hence, I assume the CVE-2020-25633 false positive could be caused by a version matching issue within Trivy.

So if I read this correctly, something seems to be wrong here with Trivy.

Answered Sep 06 '21 at 09:24
AB-xdev
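The two things this thread turns on are version matching against an advisory range (the "(,3.14.0),[4.5.0,4.5.6]" notation quoted in the answer above) and fixed versions that do not belong to the installed artifact's release line at all (7.1.2 against undertow-core 2.2.8.Final, 5.15.14/5.16.1 against artemis-server 2.16.0 in the question). The block below is an added example, not part of the original issue and not Trivy's or gemnasium-db's own code. It implements a simplified Maven-style version comparator (numbers compare numerically; Final/GA/RELEASE are neutral; Alpha/Beta/RC/SNAPSHOT sort before the release; unknown qualifiers are assumed to sort after all known ones), a matcher for the Maven interval notation, and a triage heuristic that flags findings whose listed fixed versions all sit in a different major line than the installed version. The findings list is constructed from the tables in the question; the heuristic only marks candidates for manual review and is not how Trivy decides.

```python
"""Maven-style version comparison, advisory range matching and a triage
heuristic for scanner findings (added example, not Trivy/gemnasium-db code)."""
import re
from typing import List, Tuple

Token = Tuple[int, int, str]  # (kind: 1=number, 0=qualifier; value or rank; text)

# Simplified from Maven's ComparableVersion ordering. Every alias of "the
# release itself" maps to rank 5, so "3.15.1.Final" compares equal to "3.15.1".
_QUALIFIER_RANK = {
    "alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2,
    "rc": 3, "cr": 3, "snapshot": 4, "ga": 5, "final": 5, "release": 5, "sp": 6,
}
_UNKNOWN_RANK = 7            # assumption: unknown qualifiers sort after the known ones
_RELEASE: Token = (0, 5, "")


def parse_version(version: str) -> List[Token]:
    """Tokenise a Maven version into comparable tuples.

    Numbers become (1, n, ""), qualifiers (0, rank, text); the leading kind
    makes any number sort above any qualifier. Release aliases are dropped,
    and zeros that are trailing or sit directly before a qualifier are dropped,
    so "4.5.0.Final" -> [4, 5] and "4.5.0.Alpha1" -> [4, 5, alpha, 1].
    """
    raw: List[Token] = []
    for part in re.findall(r"\d+|[A-Za-z]+", version):
        if part.isdigit():
            raw.append((1, int(part), ""))
        else:
            rank = _QUALIFIER_RANK.get(part.lower(), _UNKNOWN_RANK)
            raw.append((0, rank, "" if rank == 5 else part.lower()))
    toks = [t for t in raw if t != _RELEASE]
    out: List[Token] = []
    droppable = True                      # a zero at the very end is noise
    for tok in reversed(toks):
        if tok[0] == 1 and tok[1] == 0 and droppable:
            continue
        droppable = tok[0] == 0           # ... and so is a zero right before a qualifier
        out.append(tok)
    out.reverse()
    return out


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1; a missing token counts as the release (so 1.0-alpha < 1.0 < 1.0.1)."""
    ta, tb = parse_version(a), parse_version(b)
    for i in range(max(len(ta), len(tb))):
        x = ta[i] if i < len(ta) else _RELEASE
        y = tb[i] if i < len(tb) else _RELEASE
        if x != y:
            return -1 if x < y else 1
    return 0


_INTERVAL = re.compile(r"([\[(])\s*([^,\[\]()]*?)\s*,\s*([^,\[\]()]*?)\s*([\])])")


def in_range(version: str, spec: str) -> bool:
    """True if version lies in any interval of a Maven range spec such as
    "(,3.14.0),[4.5.0,4.5.6]" ('[' / ']' inclusive, '(' / ')' exclusive,
    an empty bound means unbounded)."""
    intervals = _INTERVAL.findall(spec)
    if not intervals:
        raise ValueError(f"unparseable range spec: {spec!r}")
    for lo_br, lo, hi, hi_br in intervals:
        ok = True
        if lo:
            c = compare_versions(version, lo)
            ok = c > 0 or (c == 0 and lo_br == "[")
        if ok and hi:
            c = compare_versions(version, hi)
            ok = c < 0 or (c == 0 and hi_br == "]")
        if ok:
            return True
    return False


def major(version: str) -> int:
    toks = parse_version(version)
    return toks[0][1] if toks and toks[0][0] == 1 else -1


def fixed_outside_major_line(installed: str, fixed: str) -> bool:
    """Triage heuristic (not Trivy logic): True when fixed versions are listed
    but none of them is in the installed artifact's major line, e.g.
    undertow-core 2.2.8.Final with "fixed" 7.1.2. Empty fixed list -> False."""
    fixed_list = [f.strip() for f in fixed.split(",") if f.strip()]
    return bool(fixed_list) and all(major(f) != major(installed) for f in fixed_list)


# Constructed from the tables in the question: (library, CVE, installed, fixed).
FINDINGS: List[Tuple[str, str, str, str]] = [
    ("io.undertow:undertow-core", "CVE-2018-1048", "2.2.8.Final", ""),
    ("io.undertow:undertow-core", "CVE-2018-1067", "2.2.8.Final", "7.1.2"),
    ("org.apache.activemq:artemis-server", "CVE-2020-13947", "2.16.0", "5.15.14, 5.16.1"),
    ("org.jboss.resteasy:resteasy-client", "CVE-2020-25633", "3.15.1.Final", "4.5.7.Final"),
    ("org.jboss.resteasy:resteasy-jaxrs", "CVE-2021-20289", "3.15.1.Final", ""),
]


def triage(findings: List[Tuple[str, str, str, str]] = FINDINGS) -> List[str]:
    """CVE ids whose listed fixed versions all sit outside the installed major line."""
    return [cve for _, cve, inst, fixed in findings if fixed_outside_major_line(inst, fixed)]


if __name__ == "__main__":
    spec = "(,3.14.0),[4.5.0,4.5.6]"   # CVE-2020-25633 range as quoted from gemnasium-db
    print("3.15.1.Final in CVE-2020-25633 range:", in_range("3.15.1.Final", spec))
    print("findings worth a manual look:", triage())
```

The range check reproduces the GitLab comment's result (3.15.1.Final is outside both intervals, 3.14.0 is excluded by the open upper bound, 4.5.0.Alpha1 sorts below the closed lower bound 4.5.0). The triage pass flags CVE-2018-1067, CVE-2020-13947 and CVE-2020-25633; the two findings with an empty fixed-version column cannot be judged this way and need the advisory itself.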

GitLab also merged a PR that should fix the following falsely reported CVEs: https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/merge_requests/9082/diffs#01b7847e2fadaa2e7b394549044630ce464d3e6e

  • CVE-2018-1048
  • CVE-2018-1067
  • CVE-2020-13947
  • CVE-2021-20289

However, these changes currently have no effect when re-scanning the affected image. Looks like I have to wait until the database gets updated...

Answered Sep 07 '21 at 06:54
AB-xdev

@AB-xdev @knqyf263 I've raised an issue about CVE-2020-25633: https://github.community/t/reporting-an-issue-with-github-security-advisories-cve-2020-25633/200071 (I investigated the issue and found that it's related to the GitHub Security Advisories)

Answered Sep 08 '21 at 07:58
AndreyLevchenko

Update:

Re-scanned the image and...

  • CVE-2018-1048 is not found anymore ✔️
  • CVE-2018-1067 is not found anymore ✔️
  • CVE-2020-13947 is not found anymore ✔️
  • CVE-2021-20289 contains fixed versions ✔️
  • CVE-2020-25633 still shows up, but this is reported to GitHub as mentioned above

Thank you for the quick response and the fast solutions!

Answered Sep 13 '21 at 09:19
AB-xdev