Closed
Description
Hi,
We are using a custom build of eKuiper with custom plugins, and our compliance check fails on the security scan. I also checked the Docker Hub image.
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
aquasec/trivy:latest image \
--severity HIGH,CRITICAL \
--exit-code 1 \
lfedge/ekuiper:v2.2.0-alpine
Result:
Unable to find image 'aquasec/trivy:latest' locally
latest: Pulling from aquasec/trivy
f18232174bc9: Already exists
6d7f55f07e66: Pull complete
9043f79a2405: Pull complete
0eb2a4b873d1: Pull complete
Digest: sha256:a8ca29078522f30393bdb34225e4c0994d38f37083be81a42da3a2a7e1488e9e
Status: Downloaded newer image for aquasec/trivy:latest
2025-07-09T11:06:09Z INFO [vulndb] Need to update DB
2025-07-09T11:06:09Z INFO [vulndb] Downloading vulnerability DB...
2025-07-09T11:06:09Z INFO [vulndb] Downloading artifact... repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-07-09T11:06:12Z INFO [vulndb] Artifact successfully downloaded repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-07-09T11:06:12Z INFO [vuln] Vulnerability scanning is enabled
2025-07-09T11:06:12Z INFO [secret] Secret scanning is enabled
2025-07-09T11:06:12Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-07-09T11:06:12Z INFO [secret] Please see also https://trivy.dev/v0.64/docs/scanner/secret#recommendation for faster secret detection
2025-07-09T11:06:16Z INFO Detected OS family="alpine" version="3.20.0"
2025-07-09T11:06:16Z INFO [alpine] Detecting vulnerabilities... os_version="3.20" repository="3.20" pkg_num=14
2025-07-09T11:06:16Z INFO Number of language-specific files num=2
2025-07-09T11:06:16Z INFO [gobinary] Detecting vulnerabilities...
2025-07-09T11:06:16Z WARN Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.64/docs/scanner/vulnerability#severity-selection for details.
Report Summary

| Target | Type | Vulnerabilities | Secrets |
|---|---|---|---|
| lfedge/ekuiper:v2.2.0-alpine (alpine 3.20.0) | alpine | 4 | - |
| kuiper/bin/kuiper | gobinary | 2 | - |
| kuiper/bin/kuiperd | gobinary | 2 | - |
| /kuiper/etc/mgmt/sample_key | text | - | 1 |
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
lfedge/ekuiper:v2.2.0-alpine (alpine 3.20.0)
============================================
Total: 4 (HIGH: 4, CRITICAL: 0)
| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| libcrypto3 | CVE-2024-12797 | HIGH | fixed | 3.3.0-r2 | 3.3.3-r0 | openssl: RFC7250 handshakes with unauthenticated servers don't abort as expected (https://avd.aquasec.com/nvd/cve-2024-12797) |
| libcrypto3 | CVE-2024-6119 | HIGH | fixed | 3.3.0-r2 | 3.3.2-r0 | openssl: Possible denial of service in X.509 name checks (https://avd.aquasec.com/nvd/cve-2024-6119) |
| libssl3 | CVE-2024-12797 | HIGH | fixed | 3.3.0-r2 | 3.3.3-r0 | openssl: RFC7250 handshakes with unauthenticated servers don't abort as expected (https://avd.aquasec.com/nvd/cve-2024-12797) |
| libssl3 | CVE-2024-6119 | HIGH | fixed | 3.3.0-r2 | 3.3.2-r0 | openssl: Possible denial of service in X.509 name checks (https://avd.aquasec.com/nvd/cve-2024-6119) |
kuiper/bin/kuiper (gobinary)
============================
Total: 2 (HIGH: 2, CRITICAL: 0)
| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| github.com/gorilla/schema | CVE-2024-37298 | HIGH | fixed | v1.3.0 | 1.4.1 | gorilla/schema: Potential memory exhaustion attack due to sparse slice deserialization (https://avd.aquasec.com/nvd/cve-2024-37298) |
| stdlib | CVE-2025-22874 | HIGH | fixed | v1.24.1 | 1.24.4 | crypto/x509: Usage of ExtKeyUsageAny disables policy validation in crypto/x509 (https://avd.aquasec.com/nvd/cve-2025-22874) |
kuiper/bin/kuiperd (gobinary)
=============================
Total: 2 (HIGH: 2, CRITICAL: 0)
| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| github.com/gorilla/schema | CVE-2024-37298 | HIGH | fixed | v1.3.0 | 1.4.1 | gorilla/schema: Potential memory exhaustion attack due to sparse slice deserialization (https://avd.aquasec.com/nvd/cve-2024-37298) |
| stdlib | CVE-2025-22874 | HIGH | fixed | v1.24.1 | 1.24.4 | crypto/x509: Usage of ExtKeyUsageAny disables policy validation in crypto/x509 (https://avd.aquasec.com/nvd/cve-2025-22874) |
/kuiper/etc/mgmt/sample_key (secrets)
=====================================
Total: 1 (HIGH: 1, CRITICAL: 0)
HIGH: AsymmetricPrivateKey (private-key)
════════════════════════════════════════
Asymmetric Private Key
────────────────────────────────────────
/kuiper/etc/mgmt/sample_key:1 (added by 'COPY --chown=kuiper:kuiper /go/kuiper/_b')
────────────────────────────────────────
1 [ ----BEGIN RSA PRIVATE KEY-----**********-----END RSA PRIVATE
────────────────────────────────────────
Thank you for your hard work.
Environment:
- eKuiper version (e.g. 1.3.0): v2.2.0-alpine
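To turn a scan like the one above into a remediation list rather than a bare pass/fail, the following added example (not from the issue or the eKuiper project) reads Trivy's JSON output (`trivy image -f json`), collapses duplicate CVEs that appear in both Go binaries, picks the highest fixed version each package needs, and flags any secret finding. The field names follow Trivy's JSON schema as I know it; the embedded report is a constructed sample carrying the same findings as this scan.

```python
import json
import re
from collections import defaultdict

# Constructed sample shaped like Trivy's JSON output, with the findings from the scan above.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "lfedge/ekuiper:v2.2.0-alpine (alpine 3.20.0)", "Type": "alpine", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2024-12797", "PkgName": "libcrypto3", "FixedVersion": "3.3.3-r0", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2024-6119", "PkgName": "libcrypto3", "FixedVersion": "3.3.2-r0", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2024-12797", "PkgName": "libssl3", "FixedVersion": "3.3.3-r0", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2024-6119", "PkgName": "libssl3", "FixedVersion": "3.3.2-r0", "Severity": "HIGH"}]},
    {"Target": "kuiper/bin/kuiper", "Type": "gobinary", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2024-37298", "PkgName": "github.com/gorilla/schema", "FixedVersion": "1.4.1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2025-22874", "PkgName": "stdlib", "FixedVersion": "1.24.4", "Severity": "HIGH"}]},
    {"Target": "kuiper/bin/kuiperd", "Type": "gobinary", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2024-37298", "PkgName": "github.com/gorilla/schema", "FixedVersion": "1.4.1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2025-22874", "PkgName": "stdlib", "FixedVersion": "1.24.4", "Severity": "HIGH"}]},
    {"Target": "/kuiper/etc/mgmt/sample_key", "Type": "text", "Secrets": [
        {"RuleID": "private-key", "Severity": "HIGH", "Title": "Asymmetric Private Key", "StartLine": 1}]},
]})


def _vkey(version):
    """Sort key from the numeric components of a version string (3.3.3-r0 -> (3, 3, 3, 0))."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def remediation_plan(report_json, severities=("HIGH", "CRITICAL")):
    """Collapse a Trivy JSON report into one upgrade per package (the highest fixed
    version among its in-scope CVEs, across every target that embeds it) plus the
    list of secret findings. 'blocking' is True when either list is non-empty."""
    data = json.loads(report_json)
    fixes, cves, secrets = defaultdict(set), defaultdict(set), []
    for result in data.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") in severities and v.get("FixedVersion"):
                fixes[v["PkgName"]].add(v["FixedVersion"])
                cves[v["PkgName"]].add(v["VulnerabilityID"])
        for s in result.get("Secrets") or []:
            secrets.append((result["Target"], s["RuleID"], s.get("StartLine")))
    upgrades = {pkg: max(vers, key=_vkey) for pkg, vers in fixes.items()}
    return {"blocking": bool(upgrades or secrets), "upgrades": upgrades,
            "cves": {p: sorted(c) for p, c in cves.items()}, "secrets": secrets}


if __name__ == "__main__":
    plan = remediation_plan(SAMPLE_REPORT)
    for pkg, ver in sorted(plan["upgrades"].items()):
        print(f"upgrade {pkg} to {ver}  ({', '.join(plan['cves'][pkg])})")
    for target, rule, line in plan["secrets"]:
        print(f"remove secret {rule} at {target}:{line}")
    raise SystemExit(1 if plan["blocking"] else 0)
```

Findings without a fixed version are left out of the upgrade list on purpose, so the gate only blocks on what the image build can actually change; the secret check has no such exemption.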