
Inconsistent vulnerabilities in container image scan vs container image's sbom scan #3649

Open
rams3sh opened this issue Feb 19, 2023 · 4 comments
Labels: kind/bug (Categorizes issue or PR as related to a bug), priority/backlog (Higher priority than priority/awaiting-more-evidence), scan/vulnerability (Issues relating to vulnerability scanning)

Comments

rams3sh commented Feb 19, 2023

Description

I tried scanning the container image 18fgsa/s3-resource:latest (a publicly available container image) with trivy and got a total of 93 unique findings (derived from CVE and package name only).
I tried exporting the SBOM of the same container image in SPDX format and scanning the SBOM with trivy, and got 66 unique findings (derived from CVE and package name only).

There is an inconsistency between the two results.

I carried out the following commands to identify the difference.

# Unique (VulnerabilityID, PkgName) pairs from the image scan.
# `.Vulnerabilities[]?` tolerates Results entries that carry no findings (key absent or null).
cat container_scan.json | jq -r ".Results[] | .Vulnerabilities[]? | [.VulnerabilityID, .PkgName] | @csv" | sort -u > cs_list
# Same for the SBOM scan.
cat sbom_scan.json | jq -r ".Results[] | .Vulnerabilities[]? | [.VulnerabilityID, .PkgName] | @csv" | sort -u > sbom_list
# Lines prefixed "<" exist only in the image scan, ">" only in the SBOM scan.
diff cs_list sbom_list

The output of the above diff command is given below :-

< "CVE-2021-4044","libcrypto1.1"
< "CVE-2021-4044","libssl1.1"
< "CVE-2021-4217","unzip"
48,49d44
< "CVE-2022-0529","unzip"
< "CVE-2022-0530","unzip"
53,58d47
< "CVE-2022-1343","libcrypto1.1"
< "CVE-2022-1343","libssl1.1"
< "CVE-2022-1434","libcrypto1.1"
< "CVE-2022-1434","libssl1.1"
< "CVE-2022-1473","libcrypto1.1"
< "CVE-2022-1473","libssl1.1"
68,71d56
< "CVE-2022-3358","libcrypto1.1"
< "CVE-2022-3358","libssl1.1"
< "CVE-2022-3602","libcrypto1.1"
< "CVE-2022-3602","libssl1.1"
73,78d57
< "CVE-2022-3786","libcrypto1.1"
< "CVE-2022-3786","libssl1.1"
< "CVE-2022-3996","libcrypto1.1"
< "CVE-2022-3996","libssl1.1"
< "CVE-2022-4203","libcrypto1.1"
< "CVE-2022-4203","libssl1.1"
85,88d63
< "CVE-2023-0216","libcrypto1.1"
< "CVE-2023-0216","libssl1.1"
< "CVE-2023-0217","libcrypto1.1"
< "CVE-2023-0217","libssl1.1"
91,92d65
< "CVE-2023-0401","libcrypto1.1"
< "CVE-2023-0401","libssl1.1"

I checked whether these packages were part of the SBOM file and noted that they were recorded in it. However, trivy does not consider / misses these packages for some reason while checking against the vulnerability database.

What did you expect to happen?

trivy should report the same findings and the same count of findings for a given vulnerability DB version for the same container image, irrespective of whether the target is the SBOM of the container image or the container image itself.

What happened instead?

trivy missed certain findings in the SBOM scan report.

Output of run with -debug:

rams3sh@lab$ trivy image 18fgsa/s3-resource:latest -f json -o container_scan.json --debug
2023-02-19T11:44:32.886+0530	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-02-19T11:44:32.888+0530	DEBUG	cache dir:  /home/rams3sh/.cache
2023-02-19T11:44:32.888+0530	DEBUG	DB update was skipped because the local DB is the latest
2023-02-19T11:44:32.888+0530	DEBUG	DB Schema: 2, UpdatedAt: 2023-02-19 06:07:04.912156438 +0000 UTC, NextUpdate: 2023-02-19 12:07:04.912156038 +0000 UTC, DownloadedAt: 2023-02-19 06:10:26.693338148 +0000 UTC
2023-02-19T11:44:32.888+0530	INFO	Vulnerability scanning is enabled
2023-02-19T11:44:32.888+0530	DEBUG	Vulnerability type:  [os library]
2023-02-19T11:44:32.888+0530	INFO	Secret scanning is enabled
2023-02-19T11:44:32.888+0530	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-02-19T11:44:32.888+0530	INFO	Please see also https://aquasecurity.github.io/trivy/v0.36/docs/secret/scanning/#recommendation for faster secret detection
2023-02-19T11:44:32.889+0530	DEBUG	No secret config detected: trivy-secret.yaml
2023-02-19T11:44:32.889+0530	DEBUG	Image ID: sha256:be2b798b1f014b40e0be22482a1695d6cf75ccc5cb3800227400f641b179882b
2023-02-19T11:44:32.889+0530	DEBUG	Diff IDs: [sha256:30d61bb737bb9be7178afce441d0ca5098909a59001a0301d3b50544e659ace1 sha256:839908cdca3a3dbaa6353d7db09fe02bb645753dce91f99df2c4adfcb0b940a2 sha256:79dbb8edbccc7f62667f2eb03043d56079a703ef3b4b5690b223b388fefda07b sha256:bca5e42517cec20628c862138ea188ef813064c96a639bf98d078b8742f6479f]
2023-02-19T11:44:32.889+0530	DEBUG	Base Layers: [sha256:30d61bb737bb9be7178afce441d0ca5098909a59001a0301d3b50544e659ace1]
2023-02-19T11:44:32.890+0530	INFO	Detected OS: alpine
2023-02-19T11:44:32.890+0530	INFO	Detecting Alpine vulnerabilities...
2023-02-19T11:44:32.890+0530	DEBUG	alpine: os version: 3.14
2023-02-19T11:44:32.890+0530	DEBUG	alpine: package repository: edge
2023-02-19T11:44:32.890+0530	DEBUG	alpine: the number of packages: 26
2023-02-19T11:44:32.892+0530	INFO	Number of language-specific files: 3
2023-02-19T11:44:32.892+0530	INFO	Detecting gobinary vulnerabilities...
2023-02-19T11:44:32.892+0530	DEBUG	Detecting library vulnerabilities, type: gobinary, path: opt/resource/out
2023-02-19T11:44:32.892+0530	DEBUG	Detecting library vulnerabilities, type: gobinary, path: opt/resource/check
2023-02-19T11:44:32.893+0530	DEBUG	Detecting library vulnerabilities, type: gobinary, path: opt/resource/in

rams3sh@lab$ trivy image 18fgsa/s3-resource:latest -f spdx-json -o sbom.json --debug
2023-02-19T11:45:16.854+0530	DEBUG	["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2023-02-19T11:45:16.854+0530	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-02-19T11:45:16.855+0530	INFO	"--format spdx" and "--format spdx-json" disable security checks
2023-02-19T11:45:16.857+0530	DEBUG	cache dir:   /home/rams3sh/.cache
2023-02-19T11:45:16.859+0530	DEBUG	Image ID: sha256:be2b798b1f014b40e0be22482a1695d6cf75ccc5cb3800227400f641b179882b
2023-02-19T11:45:16.859+0530	DEBUG	Diff IDs: [sha256:30d61bb737bb9be7178afce441d0ca5098909a59001a0301d3b50544e659ace1 sha256:839908cdca3a3dbaa6353d7db09fe02bb645753dce91f99df2c4adfcb0b940a2 sha256:79dbb8edbccc7f62667f2eb03043d56079a703ef3b4b5690b223b388fefda07b sha256:bca5e42517cec20628c862138ea188ef813064c96a639bf98d078b8742f6479f]
2023-02-19T11:45:16.859+0530	DEBUG	Base Layers: [sha256:30d61bb737bb9be7178afce441d0ca5098909a59001a0301d3b50544e659ace1]

rams3sh@lab$ trivy sbom sbom.json -f json -o sbom_scan.json --debug
2023-02-19T11:45:34.282+0530	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-02-19T11:45:34.284+0530	DEBUG	cache dir:  /home/rams3sh/.cache
2023-02-19T11:45:34.284+0530	DEBUG	DB update was skipped because the local DB is the latest
2023-02-19T11:45:34.284+0530	DEBUG	DB Schema: 2, UpdatedAt: 2023-02-19 06:07:04.912156438 +0000 UTC, NextUpdate: 2023-02-19 12:07:04.912156038 +0000 UTC, DownloadedAt: 2023-02-19 06:10:26.693338148 +0000 UTC
2023-02-19T11:45:34.284+0530	INFO	Vulnerability scanning is enabled
2023-02-19T11:45:34.284+0530	DEBUG	Vulnerability type:  [os library]
2023-02-19T11:45:34.285+0530	INFO	Detected SBOM format: spdx-json
2023-02-19T11:45:34.289+0530	INFO	Detected OS: alpine
2023-02-19T11:45:34.289+0530	INFO	Detecting Alpine vulnerabilities...
2023-02-19T11:45:34.289+0530	DEBUG	alpine: os version: 3.14
2023-02-19T11:45:34.289+0530	DEBUG	alpine: package repository: 
2023-02-19T11:45:34.289+0530	DEBUG	alpine: the number of packages: 26
2023-02-19T11:45:34.290+0530	INFO	Number of language-specific files: 3
2023-02-19T11:45:34.290+0530	INFO	Detecting gobinary vulnerabilities...
2023-02-19T11:45:34.290+0530	DEBUG	Detecting library vulnerabilities, type: gobinary, path: opt/resource/out
2023-02-19T11:45:34.290+0530	DEBUG	Detecting library vulnerabilities, type: gobinary, path: opt/resource/check
2023-02-19T11:45:34.290+0530	DEBUG	Detecting library vulnerabilities, type: gobinary, path: opt/resource/in

Output of trivy -v:

rams3sh@lab$ trivy -v
Version: 0.36.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-02-19 06:07:04.912156438 +0000 UTC
  NextUpdate: 2023-02-19 12:07:04.912156038 +0000 UTC
  DownloadedAt: 2023-02-19 06:10:26.693338148 +0000 UTC

Additional details (base image name, container registry info...):

The files are attached with this issue for troubleshooting.

Uploading the JSON files as .txt files since GitHub doesn't seem to allow me to upload JSON files.

SBOM SPDX json file of the container image -> sbom.txt
Container Scan json output -> container_scan.txt
SBOM Scan json output -> sbom_scan.txt

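The comparison the report does with jq, sort and diff, written out as a small Python tool. This is an added example for this page, not code from trivy or from the reporter. It keys findings on (VulnerabilityID, PkgName) exactly as the report does, but tolerates a Results entry with no "Vulnerabilities" key (a clean target, on which jq's `.Vulnerabilities[]` fails) and additionally compares the OS family and version that trivy writes under Metadata.OS, so version drift between the two scans is surfaced next to the missing findings. The two embedded reports are constructed samples: the image-side package/ID pairs are taken from the diff above, the shared busybox entry uses a placeholder identifier, and the file name compare_trivy.py in the usage comment is an assumption.

```python
"""Compare two trivy JSON reports of the same image: image scan vs SBOM scan.

Added example for this issue, not trivy's or the reporter's code. The two
reports at the bottom are constructed samples.
"""
import json
import sys
from typing import Set, Tuple

Finding = Tuple[str, str]  # (VulnerabilityID, PkgName), the key the report uses


def finding_keys(report: dict) -> Set[Finding]:
    """Unique (VulnerabilityID, PkgName) pairs across all Results."""
    keys: Set[Finding] = set()
    for result in report.get("Results") or []:
        # A target with no findings omits "Vulnerabilities" or sets it to null;
        # jq's `.Vulnerabilities[]` errors on that, so tolerate it here.
        for vuln in result.get("Vulnerabilities") or []:
            keys.add((vuln["VulnerabilityID"], vuln["PkgName"]))
    return keys


def os_metadata(report: dict) -> Tuple[str, str]:
    """(Family, Name) from Metadata.OS; empty strings when absent."""
    os_info = (report.get("Metadata") or {}).get("OS") or {}
    return (os_info.get("Family", ""), os_info.get("Name", ""))


def compare_reports(image_report: dict, sbom_report: dict) -> dict:
    """Findings only in the image scan, only in the SBOM scan, and OS agreement."""
    image_keys = finding_keys(image_report)
    sbom_keys = finding_keys(sbom_report)
    return {
        "image_total": len(image_keys),
        "sbom_total": len(sbom_keys),
        "missing_from_sbom": sorted(image_keys - sbom_keys),
        "extra_in_sbom": sorted(sbom_keys - image_keys),
        "os_match": os_metadata(image_report) == os_metadata(sbom_report),
    }


def load_report(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample reports. The package/ID pairs on the image side are taken
# from the diff in the report; the shared busybox entry uses a placeholder ID.
IMAGE_REPORT = {
    "Metadata": {"OS": {"Family": "alpine", "Name": "3.14"}},
    "Results": [
        {
            "Target": "18fgsa/s3-resource:latest (alpine 3.14)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-0401", "PkgName": "libcrypto1.1"},
                {"VulnerabilityID": "CVE-2023-0401", "PkgName": "libssl1.1"},
                {"VulnerabilityID": "CVE-2022-0529", "PkgName": "unzip"},
                {"VulnerabilityID": "CVE-2022-0529", "PkgName": "unzip"},  # listed twice; collapsed like sort -u
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "busybox"},  # placeholder ID, constructed
            ],
        },
        {"Target": "opt/resource/in", "Class": "lang-pkgs", "Type": "gobinary"},  # clean target: key absent
    ],
}

SBOM_REPORT = {
    "Metadata": {"OS": {"Family": "alpine", "Name": "3.14"}},
    "Results": [
        {
            "Target": "sbom.json (alpine 3.14)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "busybox"},
            ],
        },
        {"Target": "opt/resource/in", "Class": "lang-pkgs", "Type": "gobinary", "Vulnerabilities": None},
    ],
}


if __name__ == "__main__":
    # Usage: python compare_trivy.py container_scan.json sbom_scan.json
    if len(sys.argv) == 3:
        result = compare_reports(load_report(sys.argv[1]), load_report(sys.argv[2]))
    else:
        result = compare_reports(IMAGE_REPORT, SBOM_REPORT)
    print(json.dumps(result, indent=2))
```

On the sample data the OS metadata of both scans agrees (alpine 3.14, as in the debug output above) while three pairs are missing from the SBOM side, which is the shape of the discrepancy in this issue: the version check catches drift in what the SBOM recorded, but not a difference in which advisory data source the scanner chose.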

@rams3sh rams3sh added the kind/bug Categorizes issue or PR as related to a bug. label Feb 19, 2023
@itaysk itaysk added the scan/vulnerability Issues relating to vulnerability scanning label Feb 19, 2023
@masahiro331 masahiro331 self-assigned this Feb 26, 2023
masahiro331 (Contributor) commented:

The Alpine repository information (edge) is not output in the SBOM; the data source to be referenced differs between detecting from an image and detecting from an SBOM, and the detection results change.

github-actions bot commented:

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Apr 28, 2023
rams3sh (Author) commented Apr 28, 2023

Commenting to just keep it active

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Apr 29, 2023
@knqyf263 knqyf263 added the priority/backlog Higher priority than priority/awaiting-more-evidence. label May 8, 2023
Bit-Doctor commented Apr 4, 2024

A simple example is comparing:

> trivy image alpine:20231219 --format cyclonedx > alpine.sbom
> trivy sbom alpine.sbom
....
alpine.sbom (alpine 3.20.0_alpha20231219)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

With

> trivy image alpine:20231219
....
alpine:20231219 (alpine 3.20.0_alpha20231219)

Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 0, CRITICAL: 0)
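The mechanism masahiro331 describes, and the zero-versus-six result Bit-Doctor shows above, can be reproduced with a small model of the matching step. This is an added example written for this page, not trivy's code: the data-source names, the advisory tables, the package versions, the EXAMPLE-* identifiers and the simplified apk version comparison are all constructed, and trivy's real database layout is not reproduced. The only rule taken from the thread is that the image scan knows the apk repository (edge) while the SBOM scan receives only the OS version, so the two scans consult different advisory tables for the same package list.

```python
"""Toy model of why an image scan and an SBOM scan of the same image disagree.

Added example, not trivy's code. Everything below (data-source names,
advisories, versions, identifiers, version ordering) is constructed.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed advisory tables keyed by data source. The "edge" table is
# deliberately larger than the 3.14 table, which is the situation the
# thread observed.
ADVISORIES: Dict[str, Dict[str, List[Tuple[str, str]]]] = {
    "alpine 3.14": {
        "libssl1.1": [("EXAMPLE-0001", "1.1.1s-r0")],
    },
    "alpine edge": {
        "libssl1.1": [("EXAMPLE-0001", "1.1.1s-r0"), ("EXAMPLE-0002", "1.1.1t-r0")],
        "unzip": [("EXAMPLE-0003", "6.0-r11")],
    },
}


def apk_version_key(version: str) -> tuple:
    """Sort key for the simplified 'X.Y.Z[letters]-rN' form used in this example.

    Each dotted component is split into (number, letter suffix); the pkgrel
    after '-r' is compared last. This is not apk's full version algorithm.
    """
    base, _, rev = version.partition("-r")
    parts = []
    for part in base.split("."):
        digits = part.rstrip("abcdefghijklmnopqrstuvwxyz")
        parts.append((int(digits), part[len(digits):]))
    return (tuple(parts), int(rev or 0))


def select_data_source(os_version: str, repository: Optional[str]) -> str:
    """Pick the advisory table: a known 'edge' repository overrides the version."""
    if repository == "edge":
        return "alpine edge"
    return f"alpine {os_version}"


def detect(packages: Dict[str, str], os_version: str,
           repository: Optional[str]) -> Set[Tuple[str, str]]:
    """(advisory id, package) pairs whose installed version is below the fix."""
    table = ADVISORIES.get(select_data_source(os_version, repository), {})
    found: Set[Tuple[str, str]] = set()
    for name, installed in packages.items():
        for vuln_id, fixed in table.get(name, []):
            if apk_version_key(installed) < apk_version_key(fixed):
                found.add((vuln_id, name))
    return found


# Constructed package inventory; the same list reaches both scans, just as the
# same 26 Alpine packages appear in both debug logs in this issue.
PACKAGES = {"libssl1.1": "1.1.1s-r0", "unzip": "6.0-r10"}


def image_scan() -> Set[Tuple[str, str]]:
    """Image scan: the repository is read from the image, so 'edge' is known."""
    return detect(PACKAGES, "3.14", "edge")


def sbom_scan() -> Set[Tuple[str, str]]:
    """SBOM scan: the SBOM carries the OS version but no repository."""
    return detect(PACKAGES, "3.14", None)


if __name__ == "__main__":
    print("image scan :", sorted(image_scan()))
    print("sbom scan  :", sorted(sbom_scan()))
```

The model reduces the thread to one decision: `select_data_source` returns "alpine edge" only when the repository survives into the scan input. Drop that one field and the same package list is matched against the smaller table, so the SBOM scan reports nothing while the image scan reports two pairs. Any fix that makes the two paths agree has to carry the repository (or an equivalent data-source hint) through the SBOM, or make both paths ignore it.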
