
trivy: ignore unfixed CVEs #5060

Merged: 2 commits, Jan 23, 2025

Conversation

arkodg
Contributor

@arkodg arkodg commented Jan 14, 2025

The distroless/base-nossl image has a few LOW severity CVEs that have not been fixed yet and are blocking the CI from passing

```
envoy-proxy/gateway-dev:f6bb7f8c73cff74c0f44410c5b73d37f2178e0cc (debian 12.8)
==============================================================================
Total: 7 (UNKNOWN: 0, LOW: 7, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────┬──────────────────┬──────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │  Vulnerability   │ Severity │  Status  │ Installed Version │ Fixed Version │                            Title                            │
├─────────┼──────────────────┼──────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libc6   │ CVE-2010-4756    │ LOW      │ affected │ 2.36-9+deb12u9    │               │ glibc: glob implementation can cause excessive CPU and      │
│         │                  │          │          │                   │               │ memory consumption due to...                                │
│         │                  │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2010-4756                   │
│         ├──────────────────┤          │          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2018-20796   │          │          │                   │               │ glibc: uncontrolled recursion in function                   │
│         │                  │          │          │                   │               │ check_dst_limits_calc_pos_1 in posix/regexec.c              │
│         │                  │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-20796                  │
│         ├──────────────────┤          │          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2019-1010022 │          │          │                   │               │ glibc: stack guard protection bypass                        │
│         │                  │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010022                │
│         ├──────────────────┤          │          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2019-1010023 │          │          │                   │               │ glibc: running ldd on malicious ELF leads to code execution │
│         │                  │          │          │                   │               │ because of...                                               │
│         │                  │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010023                │
│         ├──────────────────┤          │          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2019-1010024 │          │          │                   │               │ glibc: ASLR bypass using cache of thread stack and heap     │
│         │                  │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010024                │
│         ├──────────────────┤          │          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2019-1010025 │          │          │                   │               │ glibc: information disclosure of heap addresses of          │
│         │                  │          │          │                   │               │ pthread_created thread                                      │
│         │                  │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010025                │
│         ├──────────────────┤          │          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2019-9192    │          │          │                   │               │ glibc: uncontrolled recursion in function                   │
│         │                  │          │          │                   │               │ check_dst_limits_calc_pos_1 in posix/regexec.c              │
│         │                  │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-9192                   │
└─────────┴──────────────────┴──────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
```

https://github.com/envoyproxy/gateway/actions/runs/12759297476/job/35562816116

Relates to #5034

Signed-off-by: Arko Dasgupta <[email protected]>
@arkodg arkodg requested a review from a team as a code owner January 14, 2025 19:27
@arkodg
Contributor Author

arkodg commented Jan 14, 2025

cc @zirain @shahar-h


codecov bot commented Jan 14, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 66.89%. Comparing base (d1eafbc) to head (b8f9c32).
Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #5060      +/-   ##
==========================================
- Coverage   66.91%   66.89%   -0.02%     
==========================================
  Files         210      210              
  Lines       32995    32995              
==========================================
- Hits        22079    22073       -6     
- Misses       9581     9584       +3     
- Partials     1335     1338       +3     


@zirain
Member

zirain commented Jan 14, 2025

maybe this is why most OSS projects don't use distroless/base-nossl as a base?

@arkodg
Contributor Author

arkodg commented Jan 15, 2025

brought this up in the community meeting today and @guydc suggested ignoring these specific CVEs over setting this flag, will address this suggestion in a follow up commit

@shahar-h
Contributor

shahar-h commented Jan 15, 2025

@arkodg @guydc just a thought:
What if, instead of changing the base image to support running the envoy binary inside the eg container, we provide an example with docker-compose that runs both eg and envoy containers?
Introducing new (and future) vulnerabilities to the eg image just to support standalone deployment mode in the eg container isn't worth it IMHO.

@guydc
Contributor

guydc commented Jan 15, 2025

> Introducing new (and future) vulnerabilities to the eg image just to support standalone deployment mode in the eg container isn't worth it IMHO.

In general, I do prefer that we use the minimal image required to run the primary binary in use.

If this particular image is already in use in the overall EG solution (e.g. used for the proxy image itself), then maintainers and consumers anyway have to deal with these vulnerabilities in some context. Of course, a vulnerability could have different impacts depending on the binary itself, so this still introduces additional risks and work.

I personally prefer to produce two images here, with the default being the minimal one required for the K8s runtime.

@shahar-h
Contributor

> If this particular image is already in use in the overall EG solution (e.g. used for the proxy image itself), then maintainers and consumers anyway have to deal with these vulnerabilities in some context.

The thing is that envoy proxy image uses distroless/static as base image, not distroless/base-nossl.

@guydc
Contributor

guydc commented Jan 15, 2025

> The thing is that envoy proxy image uses distroless/static as base image, not distroless/base-nossl.

My bad. In that case, I'm +1 to reverting to the previous distroless image.

Standalone mode is:

  • Experimental
  • Documented as relying on host execution, not docker

I don't think that this justifies creating additional maintenance for EG contributors and end-users and increasing the attack surface of the GA offering.

I have no problem with producing an additional image for containerized standalone mode.

@arkodg
Contributor Author

arkodg commented Jan 16, 2025

the argument of increasing attack surface is N/A for kubernetes because the added component (glibc) does not link to the envoy-gateway go binary

@shahar-h envoy-distroless is based on distroless-base-nossl https://github.com/envoyproxy/envoy/blob/020871ba10a301557191f5c4b1faa6671e1726ec/ci/Dockerfile-envoy#L62

@shahar-h
Contributor

> the argument of increasing attack surface is N/A for kubernetes because the added component (glibc) does not link to the envoy-gateway go binary
>
> @shahar-h envoy-distroless is based on distroless-base-nossl https://github.com/envoyproxy/envoy/blob/020871ba10a301557191f5c4b1faa6671e1726ec/ci/Dockerfile-envoy#L62

You are right, the docker dashboard misled me (screenshot omitted).

@guydc
Contributor

guydc commented Jan 17, 2025

great, so let's proceed with triaging.

@arkodg
Contributor Author

arkodg commented Jan 17, 2025

@guydc I was chatting with @phlax who also recommended setting ignore-unfixed for this

@guydc
Contributor

guydc commented Jan 23, 2025

> @guydc I was chatting with @phlax who also recommended setting ignore-unfixed for this

ok, let's go that way.
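The thread weighs two ways of getting CI green: ignoring the seven specific CVEs via a `.trivyignore` file (the community-meeting suggestion) versus the `--ignore-unfixed` flag the PR settles on. The following is an added example, not code from the envoyproxy/gateway repository or from trivy: it replays both policies over a constructed trivy-style JSON report (SchemaVersion 2, `Results[].Vulnerabilities[]`) containing the seven libc6 findings from the CI log plus two placeholder entries, `CVE-0000-0001` (an unfixed HIGH) and `CVE-0000-0002` (a fixable MEDIUM), which are not real vulnerabilities. The `.trivyignore` contents, the `exp:2025-06-30` expiry and the fixed version string are likewise constructed; the `--ignore-unfixed` model (drop findings with no `FixedVersion`) and the plain `.trivyignore` syntax (one ID per line, `#` comments, optional `exp:YYYY-MM-DD`) follow trivy's documented behaviour.

```python
"""Replay two trivy suppression policies over a constructed scan report.

Added example, not code from envoyproxy/gateway or trivy. Models
`trivy --ignore-unfixed` (skip findings with no FixedVersion) and a plain
`.trivyignore` file (`--ignorefile`) applied to an in-memory JSON report.
"""
import json
from datetime import date

# The seven libc6 CVE IDs from the CI output quoted in the PR description.
PR_CVES = [
    "CVE-2010-4756", "CVE-2018-20796", "CVE-2019-1010022", "CVE-2019-1010023",
    "CVE-2019-1010024", "CVE-2019-1010025", "CVE-2019-9192",
]


def _vuln(cve, severity, status, fixed=""):
    """Build one finding in trivy's JSON shape (constructed, not scanner output)."""
    v = {"VulnerabilityID": cve, "PkgName": "libc6", "Severity": severity,
         "Status": status, "InstalledVersion": "2.36-9+deb12u9"}
    if fixed:  # trivy omits FixedVersion entirely when no fix exists
        v["FixedVersion"] = fixed
    return v


# Constructed report. CVE-0000-0001 / CVE-0000-0002 are placeholders, not real
# CVEs: one unfixed HIGH and one fixable MEDIUM, to show where the policies differ.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "envoy-proxy/gateway-dev:example",
    "Results": [{
        "Target": "envoy-proxy/gateway-dev:example (debian 12.8)",
        "Class": "os-pkgs", "Type": "debian",
        "Vulnerabilities": [_vuln(c, "LOW", "affected") for c in PR_CVES] + [
            _vuln("CVE-0000-0001", "HIGH", "affected"),
            _vuln("CVE-0000-0002", "MEDIUM", "fixed", fixed="2.36-9+deb12u10"),
        ],
    }],
})

# Constructed .trivyignore: the seven PR CVEs, one of them with an expiry date.
TRIVYIGNORE = """\
# Unfixed LOW glibc findings in distroless/base-nossl; re-review when fixed
CVE-2010-4756
CVE-2018-20796
CVE-2019-1010022
CVE-2019-1010023
CVE-2019-1010024
CVE-2019-1010025
# Accept the risk only until the date below, then it is reported again
CVE-2019-9192 exp:2025-06-30
"""


def load_vulns(report_json):
    """Flatten Results[].Vulnerabilities[] out of a trivy JSON report."""
    report = json.loads(report_json)
    return [v for r in report.get("Results", []) for v in r.get("Vulnerabilities", [])]


def parse_trivyignore(text, today):
    """Return the IDs whose ignore entry is still active on `today` (ISO date string)."""
    today = date.fromisoformat(today)
    active = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()  # first field is the ID; `exp:` may follow
        vuln_id, expiry = fields[0], None
        for field in fields[1:]:
            if field.startswith("exp:"):
                expiry = date.fromisoformat(field[len("exp:"):])
        if expiry is None or today <= expiry:
            active.add(vuln_id)
    return active


def ignore_unfixed(vulns):
    """Model `--ignore-unfixed`: keep only findings that carry a FixedVersion."""
    return [v for v in vulns if v.get("FixedVersion")]


def ignore_listed(vulns, ignore_text, today):
    """Model `--ignorefile .trivyignore`: drop findings whose ID is actively ignored."""
    active = parse_trivyignore(ignore_text, today)
    return [v for v in vulns if v["VulnerabilityID"] not in active]


def remaining_ids(vulns):
    return sorted(v["VulnerabilityID"] for v in vulns)


def ci_passes(vulns):
    """The PR's gate: trivy with a non-zero --exit-code fails on any finding left."""
    return len(vulns) == 0


if __name__ == "__main__":
    vulns = load_vulns(SAMPLE_REPORT)
    print("ignore-unfixed ->", remaining_ids(ignore_unfixed(vulns)))
    for day in ("2025-01-23", "2025-07-01"):
        print(day, "ignore-list ->", remaining_ids(ignore_listed(vulns, TRIVYIGNORE, day)))
```

With `--ignore-unfixed` the seven LOW findings disappear, but so does the placeholder unfixed HIGH, and it would stay hidden until a fix is published; only the fixable MEDIUM remains to fail the gate. With the ID list, the seven known findings are suppressed, any new finding (fixed or not) still fails CI, and the `exp:` entry resurfaces CVE-2019-9192 on the first run after 2025-06-30, which is what guydc's preference for ignoring specific CVEs buys in exchange for maintaining the list.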

@zirain zirain merged commit 94fc607 into envoyproxy:main Jan 23, 2025
25 checks passed
DeeBi9 pushed a commit to DeeBi9/gateway that referenced this pull request Jan 25, 2025
Co-authored-by: Guy Daich <[email protected]>