Make sure vuln scanning works after image size reduction
thockin opened this issue · 1 comment
thockin commented
$ trivy image --ignore-unfixed gcr.io/k8s-staging-git-sync/git-sync:v4.0.0-rc3
2023-07-25T09:16:50.603-0700 INFO Need to update DB
2023-07-25T09:16:50.603-0700 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2023-07-25T09:16:50.603-0700 INFO Downloading DB...
38.57 MiB / 38.57 MiB [----------------------------------------------------------------------------------------------------------------------] 100.00% 20.61 MiB p/s 2.1s
2023-07-25T09:16:53.360-0700 INFO Vulnerability scanning is enabled
2023-07-25T09:16:53.360-0700 INFO Secret scanning is enabled
2023-07-25T09:16:53.360-0700 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-07-25T09:16:53.360-0700 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-07-25T09:16:57.527-0700 WARN Parse error {"file": "var/lib/dpkg/status.d/base-files.md5sums", "error": "malformed MIME header: missing colon: \"ea85a9fb8526e81b3ffe5dcdf209112e usr/lib/os-release\""}
2023-07-25T09:16:57.528-0700 WARN Parse error {"file": "var/lib/dpkg/status.d/libc6.md5sums", "error": "malformed MIME header: missing colon: \"ea5e870dc67319c18e6e0a4d0453cebf lib/x86_64-linux-gnu/ld-2.31.so\""}
2023-07-25T09:16:57.529-0700 WARN Parse error {"file": "var/lib/dpkg/status.d/libssl1.1.md5sums", "error": "malformed MIME header: missing colon: \"a5b015bb8bf323ec262bafcb1e04cb84 usr/lib/x86_64-linux-gnu/engines-1.1/afalg.so\""}
2023-07-25T09:16:57.529-0700 WARN Parse error {"file": "var/lib/dpkg/status.d/netbase.md5sums", "error": "malformed MIME header: missing colon: \"c899d832ee9a6de833fa22a41d55ce36 usr/share/doc/netbase/changelog.gz\""}
2023-07-25T09:16:57.530-0700 WARN Parse error {"file": "var/lib/dpkg/status.d/openssl.md5sums", "error": "malformed MIME header: missing colon: \"9aad94d235c505bcdfc7b583c2ea8f59 usr/bin/c_rehash\""}
2023-07-25T09:16:57.547-0700 INFO Detected OS: debian
2023-07-25T09:16:57.547-0700 INFO Detecting Debian vulnerabilities...
2023-07-25T09:16:57.558-0700 INFO Number of language-specific files: 1
2023-07-25T09:16:57.558-0700 INFO Detecting gobinary vulnerabilities...
gcr.io/k8s-staging-git-sync/git-sync:v4.0.0-rc3 (debian 11.7)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
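The WARN lines in the log above come from `*.md5sums` files, which are `<hash> <path>` lists rather than dpkg control stanzas, being handed to an RFC822-style header parser; the error text is the one Go's `net/textproto` produces. The following is an added example, not trivy's code, of how a `status.d` directory is read into a package inventory and what happens to a stanza that fails to parse. `DpkgPackage`, `ScanResult`, `dpkgInfoSuffixes` and the file names are constructed for the example; the `libcurl3-gnutls` stanza and the `base-files.md5sums` line are taken from this issue, and the `libssl1.1` stanza is constructed with its first colon missing to stand in for a file damaged by an image-shrinking step.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"net/textproto"
	"sort"
	"strings"
)

// DpkgPackage is the subset of a dpkg status stanza that a vulnerability
// scanner needs to look a Debian package up in an advisory database.
type DpkgPackage struct {
	Name    string // Package:
	Version string // Version:
	Source  string // Source: (advisories are filed against the source package)
}

// dpkgInfoSuffixes name the per-package files dpkg keeps next to a stanza.
// They are not control data and must not reach the stanza parser.
// Assumed list for this example; ".md5sums" is the case seen in the log.
var dpkgInfoSuffixes = []string{".md5sums", ".list", ".conffiles", ".shlibs", ".symbols", ".triggers"}

// IsStatusStanzaFile reports whether a status.d entry should be parsed as a
// control stanza. Filtering on "contains a dot" would be wrong, because Debian
// package names may contain dots (libssl1.1), so only known suffixes are excluded.
func IsStatusStanzaFile(name string) bool {
	for _, s := range dpkgInfoSuffixes {
		if strings.HasSuffix(name, s) {
			return false
		}
	}
	return true
}

// ParseStatusStanza parses one dpkg control stanza with net/textproto, the
// parser whose "malformed MIME header" error appears in the trivy log.
// ReadMIMEHeader reports io.EOF when no blank line follows the stanza, which
// is the normal shape of a status.d file, so io.EOF is tolerated; any other
// error means the stanza is unusable and yields no package.
func ParseStatusStanza(content string) (DpkgPackage, error) {
	r := textproto.NewReader(bufio.NewReader(strings.NewReader(content)))
	hdr, err := r.ReadMIMEHeader()
	if err != nil && !errors.Is(err, io.EOF) {
		return DpkgPackage{}, err
	}
	pkg := DpkgPackage{Name: hdr.Get("Package"), Version: hdr.Get("Version"), Source: hdr.Get("Source")}
	if pkg.Name == "" || pkg.Version == "" {
		return DpkgPackage{}, fmt.Errorf("stanza lacks Package or Version field")
	}
	if fields := strings.Fields(pkg.Source); len(fields) == 0 {
		pkg.Source = pkg.Name // binary and source package share a name
	} else {
		pkg.Source = fields[0] // drop an explicit "(version)" suffix
	}
	return pkg, nil
}

// ScanResult keeps what was found apart from what was lost: every entry in
// Failed is a stanza file that produced no package, so a vulnerable package
// there would be absent from the report with only a WARN to show for it.
type ScanResult struct {
	Packages []DpkgPackage
	Skipped  []string          // non-stanza files such as *.md5sums
	Failed   map[string]string // stanza file -> parse error
}

// ScanStatusDir walks a status.d directory given as name -> content and
// returns the package inventory plus everything it could not use.
func ScanStatusDir(files map[string]string) ScanResult {
	res := ScanResult{Failed: map[string]string{}}
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		if !IsStatusStanzaFile(n) {
			res.Skipped = append(res.Skipped, n)
			continue
		}
		pkg, err := ParseStatusStanza(files[n])
		if err != nil {
			res.Failed[n] = err.Error()
			continue
		}
		res.Packages = append(res.Packages, pkg)
	}
	return res
}

// SampleStatusDir is a constructed status.d: the libcurl3-gnutls stanza and
// the md5sums line are from this issue, the libssl1.1 stanza is constructed
// with its first colon missing (version string is a placeholder).
var SampleStatusDir = map[string]string{
	"libcurl3-gnutls":    "Package: libcurl3-gnutls\nStatus: install ok installed\nArchitecture: amd64\nMulti-Arch: same\nSource: curl\nVersion: 7.74.0-1.3+deb11u7\n",
	"base-files.md5sums": "ea85a9fb8526e81b3ffe5dcdf209112e usr/lib/os-release\n",
	"libssl1.1":          "Package libssl1.1\nStatus: install ok installed\nSource: openssl\nVersion: 0.0.0-example\n",
}

func main() {
	res := ScanStatusDir(SampleStatusDir)
	for _, p := range res.Packages {
		fmt.Printf("pkg   %-16s %-22s source=%s\n", p.Name, p.Version, p.Source)
	}
	for _, n := range res.Skipped {
		fmt.Printf("skip  %s (not a control stanza)\n", n)
	}
	for n, e := range res.Failed {
		fmt.Printf("LOST  %s: %s\n", n, e)
	}
}
```

The point of `Failed` is that a stanza which does not parse contributes no package at all, so a `Total: 0` can mean either "no matching advisories" or "the package was never inventoried". Before reading a zero result as the former, confirm the package is in the scanner's inventory, for example with `trivy image --list-all-pkgs <image>`; note also that `--ignore-unfixed` hides advisories for which Debian has not yet shipped a fix.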
thockin commented
Example:
Trivy does not flag libcurl3-gnutls, but it should, I think:
$ docker run -ti --entrypoint "" gcr.io/k8s-staging-git-sync/git-sync:v4.0.0-rc1 cat /var/lib/dpkg/status.d/libcurl3-gnutls | head
Unable to find image 'gcr.io/k8s-staging-git-sync/git-sync:v4.0.0-rc1' locally
v4.0.0-rc1: Pulling from k8s-staging-git-sync/git-sync
Digest: sha256:7403b7e796f36d75aeb7754eedb1a68863d35aa6a6bde2b8ac2d805111d1c715
Status: Downloaded newer image for gcr.io/k8s-staging-git-sync/git-sync:v4.0.0-rc1
Package: libcurl3-gnutls
Status: install ok installed
Priority: optional
Section: libs
Installed-Size: 736
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Architecture: amd64
Multi-Arch: same
Source: curl
Version: 7.74.0-1.3+deb11u7
$ trivy image --ignore-unfixed gcr.io/k8s-staging-git-sync/git-sync:v4.0.0-rc1
2023-07-25T10:07:55.486-0700 INFO Vulnerability scanning is enabled
2023-07-25T10:07:55.486-0700 INFO Secret scanning is enabled
2023-07-25T10:07:55.486-0700 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-07-25T10:07:55.486-0700 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-07-25T10:07:55.494-0700 INFO Detected OS: debian
2023-07-25T10:07:55.494-0700 INFO Detecting Debian vulnerabilities...
2023-07-25T10:07:55.503-0700 INFO Number of language-specific files: 1
2023-07-25T10:07:55.503-0700 INFO Detecting gobinary vulnerabilities...
gcr.io/k8s-staging-git-sync/git-sync:v4.0.0-rc1 (debian 11.7)
=============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
I need to find an example that is known vulnerable in rc3 to test the latest build scripts.