vulnerabilities not matched for node:12.22-buster image #1699

Open
majewsky opened this issue Mar 10, 2023 · 0 comments


Expected Outcome

When scanning the node:12.22-buster image from Docker Hub (specifically, the x86_64 component with digest sha256:280dbc1adbdac7d29d886f30bc1d09b6dfd77f37f550a127307c2f8895811313) in my Clair 4.6.0 instance, I expect to see several vulnerabilities. A colleague executed Clair 4.6.0 locally via docker-compose and got more than 100 vulns (see clairctl output here). Excerpt:

...
node:12.22-buster found libncursesw6                 6.1+20181013-2+deb10u2       CVE-2021-39537 ncurses        (fixed: 0:0)
node:12.22-buster found libncursesw6                 6.1+20181013-2+deb10u2       CVE-2022-29458 ncurses        (fixed: 0:6.1+20181013-2+deb10u3)
...

Actual Outcome

No vulnerabilities are found. This gist contains the vulnerability report for the image as well as the Clair config file (with secrets redacted, obviously).

As can be seen from the vulnerability report, the indexer seems to work fine. For example, libncursesw is correctly detected as being at version 6.1+20181013-2+deb10u2. The updater seems to work fine, too: Both expected vulnerabilities for this specific package show up in the DB (see snippet below). But the matcher seems to be unable to associate these two facts.

I feel like there is just a misconfiguration here, hence why I included my config in the gist above for reference. But if there is a misconfiguration, I absolutely can't see it.

clair=# SELECT * FROM vuln WHERE package_name = 'libncursesw6' AND name ~ 'CVE-202(2-29458|1-39537)' AND dist_version_code_name = 'buster';
-[ RECORD 1 ]----------+---------------------------------------------------------------------------------------------------------------------------------------------------------
id                     | 1682291
hash_kind              | md5
hash                   | \x99fecc2101b46d23285170d3ee3c17b4
updater                | debian/updater/buster
name                   | CVE-2021-39537 ncurses
description            | An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.
issued                 | 0001-01-01 00:00:00+00
links                  | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39537
severity               |
normalized_severity    | Unknown
package_name           | libncursesw6
package_version        |
package_module         |
package_arch           |
package_kind           | binary
dist_id                | debian
dist_name              | Debian GNU/Linux
dist_version           | 10 (buster)
dist_version_code_name | buster
dist_version_id        | 10
dist_arch              |
dist_cpe               |
dist_pretty_name       | Debian GNU/Linux 10 (buster)
repo_name              |
repo_key               |
repo_uri               |
fixed_in_version       | 0:0
arch_operation         | invalid
vulnerable_range       | empty
version_kind           |
-[ RECORD 2 ]----------+---------------------------------------------------------------------------------------------------------------------------------------------------------
id                     | 1711088
hash_kind              | md5
hash                   | \xdc40306998d0f4a3482cdd107a27aa45
updater                | debian/updater/buster
name                   | CVE-2022-29458 ncurses
description            | ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.
issued                 | 0001-01-01 00:00:00+00
links                  | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29458
severity               |
normalized_severity    | Unknown
package_name           | libncursesw6
package_version        |
package_module         |
package_arch           |
package_kind           | binary
dist_id                | debian
dist_name              | Debian GNU/Linux
dist_version           | 10 (buster)
dist_version_code_name | buster
dist_version_id        | 10
dist_arch              |
dist_cpe               |
dist_pretty_name       | Debian GNU/Linux 10 (buster)
repo_name              |
repo_key               |
repo_uri               |
fixed_in_version       | 0:6.1+20181013-2+deb10u3
arch_operation         | invalid
vulnerable_range       | empty
version_kind           |

Environment

  • Clair version/image: 4.6.0
  • Clair client name/version: curl, mostly (clairctl output from 4.6.0)
  • Host OS: RHEL 8.7 container on Flatcar 3374.2.4
  • Kernel (e.g. uname -a): Linux clair-indexer-64cd54fcb7-9dbzz 5.15.89-flatcar #1 SMP Wed Feb 15 18:00:42 -00 2023 x86_64 x86_64 x86_64 GNU/Linux
  • Kubernetes version (use kubectl version): 1.25.6
  • Network/Firewall setup: not relevant
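As an added example (not Clair's own code), here is the dpkg-style version comparison that a matcher has to make between the indexed libncursesw6 version and each vuln row's fixed_in_version from the issue, so the two expected findings can be reproduced outside Clair. It assumes that a fixed_in_version of "0:0" means "no fix available" (the colleague's clairctl output lists CVE-2021-39537 as found with that value); that reading is an assumption, not something the issue states.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg ordering of one non-digit character: '~' < end of run < letters < other punctuation
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _alpha_cmp(a, b):
    for x, y in zip_longest(a, b, fillvalue=""):
        if _order(x) != _order(y):
            return _order(x) - _order(y)
    return 0

def _frag_cmp(a, b):
    """Compare an upstream or revision string as alternating non-digit / numeric runs."""
    runs = zip_longest(re.split(r"(\d+)", a), re.split(r"(\d+)", b), fillvalue="")
    for x, y in runs:
        d = int(x or 0) - int(y or 0) if (x or y).isdigit() else _alpha_cmp(x, y)
        if d:
            return d
    return 0

def split_version(v):
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to ''."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare(a, b):
    """Negative, zero or positive, like `dpkg --compare-versions`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    return (ea - eb) or _frag_cmp(ua, ub) or _frag_cmp(ra, rb)

def affected(installed, fixed_in):
    # Assumption: fixed_in_version "0:0" (as stored for CVE-2021-39537) means no fix exists.
    return fixed_in == "0:0" or compare(installed, fixed_in) < 0

# Values from the issue: indexed libncursesw6 version and the vuln rows' fixed_in_version.
INSTALLED = "6.1+20181013-2+deb10u2"
FIXES = {"CVE-2021-39537": "0:0", "CVE-2022-29458": "0:6.1+20181013-2+deb10u3"}

def expected_findings(installed=INSTALLED):
    """CVEs the matcher should report for this package version."""
    return sorted(cve for cve, fix in FIXES.items() if affected(installed, fix))
```

Running `expected_findings()` yields both CVEs; bumping the installed version to the deb10u3 build drops CVE-2022-29458 and keeps only the unfixed CVE-2021-39537.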