Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug(redhat): Trivy doesn't skip vulnerability from CVE-ID if package version is not affected for RHSA-ID of this vulnerability #8061

Closed
DmitriyLewen opened this issue Dec 6, 2024 Discussed in #8059 · 0 comments · Fixed by #8063
Closed

bug(redhat): Trivy doesn't skip vulnerability from CVE-ID if package version is not affected for RHSA-ID of this vulnerability #8061

DmitriyLewen opened this issue Dec 6, 2024 Discussed in #8059 · 0 comments · Fixed by #8063
Assignees
@DmitriyLewen
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/vulnerability Issues relating to vulnerability scanning
Milestone
v0.58.1

Comments

@DmitriyLewen
Copy link
Contributor

Description

There are cases when both CVE-ID and RHSA-ID contain info about vulnerable package for same CPE.
e.g. CVE-2024-45491 and RHSA-2024:6989 (see 1714)
изображение
изображение

Trivy already has logic to avoid this issue:

trivy/pkg/detector/ospkg/redhat/redhat.go

Lines 147 to 155 in 983ac15

// unpatched vulnerabilities
if adv.FixedVersion == "" {
// Red Hat may contain several advisories for the same vulnerability (RHSA advisories).
// To avoid overwriting the fixed version by mistake, we should skip unpatched vulnerabilities if they were added earlier
if _, ok := uniqVulns[vulnID]; !ok {
uniqVulns[vulnID] = vuln
}
continue
}

But it doesn't work if pkg.Version > fixedVersion from RHSA.:

├─────────────────────────────┼──────────────────┼──────────┤                     ├───────────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ expat                       │ CVE-2022-23990   │ MEDIUM   │                     │ 2.2.5-16.el8_10       │                 │ expat: integer overflow in the doProlog function             
│                             │                  │          │                     │                       │                 │ https://avd.aquasec.com/nvd/cve-2022-23990                   │
│                             ├──────────────────┤          │                     │                       ├─────────────────┼──────────────────────────────────────────────────────────────┤

Discussed in #8059
@DmitriyLewen DmitriyLewen added kind/bug Categorizes issue or PR as related to a bug. scan/vulnerability Issues relating to vulnerability scanning labels Dec 6, 2024
@DmitriyLewen DmitriyLewen self-assigned this Dec 6, 2024
@DmitriyLewen DmitriyLewen mentioned this issue Dec 6, 2024
Merged
6 tasks
@DmitriyLewen DmitriyLewen added this to the v0.58.1 milestone Dec 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@DmitriyLewen DmitriyLewen

Labels
kind/bug Categorizes issue or PR as related to a bug. scan/vulnerability Issues relating to vulnerability scanning
Projects
None yet
Milestone
v0.58.1
Development

Successfully merging a pull request may close this issue.

fix(redhat): correct rewriting of recommendations for the same vulnerability DmitriyLewen/trivy
1 participant
@DmitriyLewen