Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Metrics Not Grouping Properly When Some Reports Are Missing Package Path #2229

Open
LERUfic opened this issue Aug 15, 2024 · 1 comment
Open

Metrics Not Grouping Properly When Some Reports Are Missing Package Path #2229

LERUfic opened this issue Aug 15, 2024 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@LERUfic
Copy link

LERUfic commented Aug 15, 2024

What steps did you take and what happened:
In relation to this pull request concerning grouping, I discovered that some VulnerabilityReports lack a Package Path. For example, when I scanned external-dns/external-dns:v0.12.0, there were two instances of CVE-2022-2097—one for resource: libcrypto1.1

- class: os-pkgs
  cvss:
    ghsa:
      V3Score: 7.5
      V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    nvd:
      V2Score: 5
      V2Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
      V3Score: 5.3
      V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    redhat:
      V3Score: 5.3
      V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  description: AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
    implementation will not encrypt the entirety of the data under some circumstances.
    This could reveal sixteen bytes of data that was preexisting in the memory that
    wasn't written. In the special case of "in place" encryption, sixteen bytes
    of the plaintext would be revealed. Since OpenSSL does not support OCB based
    cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5
    (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).
  fixedVersion: 1.1.1q-r0
  installedVersion: 1.1.1n-r0
  lastModifiedDate: "2024-06-21T19:15:23Z"
  links: [...]
  packageType: alpine
  primaryLink: https://avd.aquasec.com/nvd/cve-2022-2097
  publishedDate: "2022-07-05T11:15:08Z"
  resource: libcrypto1.1
  score: 5.3
  severity: MEDIUM
  target: k8s.gcr.io/external-dns/external-dns:v0.12.0 (alpine 3.15.4)
  title: 'openssl: AES OCB fails to encrypt some bytes'
  vulnerabilityID: CVE-2022-2097

and one for resource: libssl1.1

- class: os-pkgs
  cvss:
    ghsa:
      V3Score: 7.5
      V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    nvd:
      V2Score: 5
      V2Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
      V3Score: 5.3
      V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    redhat:
      V3Score: 5.3
      V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  description: AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
    implementation will not encrypt the entirety of the data under some circumstances.
    This could reveal sixteen bytes of data that was preexisting in the memory that
    wasn't written. In the special case of "in place" encryption, sixteen bytes
    of the plaintext would be revealed. Since OpenSSL does not support OCB based
    cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5
    (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).
  fixedVersion: 1.1.1q-r0
  installedVersion: 1.1.1n-r0
  lastModifiedDate: "2024-06-21T19:15:23Z"
  links: [..]
  packageType: alpine
  primaryLink: https://avd.aquasec.com/nvd/cve-2022-2097
  publishedDate: "2022-07-05T11:15:08Z"
  resource: libssl1.1
  score: 5.3
  severity: MEDIUM
  target: k8s.gcr.io/external-dns/external-dns:v0.12.0 (alpine 3.15.4)
  title: 'openssl: AES OCB fails to encrypt some bytes'
  vulnerabilityID: CVE-2022-2097

From the VulnerabilityReport, both of them lack a Package Path. I'm not sure, but it might be related to this comment.

	PkgPath          string               `json:",omitempty"` // This field is populated in the case of language-specific packages such as egg/wheel and gemspec

This is causing our metrics to be grouped into a single metric, even though they correspond to different resources.
Screenshot 2024-08-15 at 14 31 32

This also causes the metrics between trivy_image_vulnerabilities and trivy_vulnerability_id to not match up.
Screenshot 2024-08-15 at 14 34 05

What did you expect to happen:
I expect these two reports to be separate metrics, not grouped into a single metric, because they have different resource fields.

Anything else you would like to add:

maybe we can include vuln.Resource in vulnKey map

Environment:

  • Trivy-Operator version (use trivy-operator version): 0.22.0
  • Kubernetes version (use kubectl version): v1.28.7-gke.1026001
  • OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): linux/amd64 (on GKE)
  • I already add this line on my configmap
trivy.additionalVulnerabilityReportFields: 'Description,Links,CVSS,Target,Class,PackagePath,PackageType'
@LERUfic LERUfic added the kind/bug Categorizes issue or PR as related to a bug. label Aug 15, 2024
@kersten
Copy link
Contributor

kersten commented Aug 19, 2024

@LERUfic I think this may be already fixed and waits for new release. Do you might have the chance to check running this PR?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kersten @LERUfic