Scan shows vulnerable if some patched packages are installed from PPA
Opened this issue · 1 comment
Hi,
Firstly, thank you for your work :)
I work on the Canonical Public Cloud team and our partner GKE and their customers are starting to use cvescan to scan for vulnerabilities.
The GKE images we provide to GKE have certain packages installed from a PPA, e.g. https://launchpad.net/~cloud-images/+archive/ubuntu/docker1903-k8s
This PPA has containerd, runc and docker.io, and all are up to date and patched... but when scanning the attached manifest, cvescan flags the packages as being vulnerable to CVE-2020-15157:
$ cvescan -p all --manifest=ubuntu-gke-onprem-1804-1-18-v20201203.manifest.txt | grep "docker\.io\|containerd"
CVE-2020-15157 medium docker.io 19.03.6-0ubuntu1~18.04.2 Ubuntu Archive
CVE-2020-15257 medium containerd 1.3.3-0ubuntu1~18.04.4 Ubuntu Archive
I can confirm that the versions installed are not vulnerable to CVE-2020-15157.
sudo apt install apt-listchanges
wget https://launchpad.net/~cloud-images/+archive/ubuntu/docker1903-k8s/+files/docker.io_19.03.2-0ubuntu1~18.04.0.2_amd64.deb
wget https://launchpad.net/~cloud-images/+archive/ubuntu/docker1903-k8s/+files/containerd_1.2.10-0ubuntu1~18.04.0.3_amd64.deb
apt-listchanges --verbose --frontend text --all ./docker.io_19.03.2-0ubuntu1~18.04.0.2_amd64.deb > docker.io.changelog
apt-listchanges --verbose --frontend text --all ./containerd_1.2.10-0ubuntu1~18.04.0.3_amd64.deb > containerd.changelog
less docker.io.changelog
less containerd.changelog
In the changelog you can see that patches have been applied for CVE-2020-15157.
Is there any way to add support to cvescan for marking certain package versions from a PPA as no longer vulnerable to a specific CVE, e.g. by appending to the database used when scanning?
The PPAs GKE and their customers use are all public.
Another reason for adding support for this is when the Ubuntu releases transition to ESM which uses a PPA.