trivy scan vulnerability results
What happened?
Ran a trivy scan on quay.io/jetstack/preflight:v0.1.35, e.g.:
trivy image --output preflight-v0135.txt quay.io/jetstack/preflight:v0.1.35
Results as shown:
quay.io/jetstack/preflight:v0.1.35 (debian 11.2)
================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
bin/preflight (gobinary)
========================
Total: 3 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
+-----------------------------+------------------+----------+---------------------+---------------+---------------------------------------+
|           LIBRARY           | VULNERABILITY ID | SEVERITY |  INSTALLED VERSION  | FIXED VERSION |                 TITLE                 |
+-----------------------------+------------------+----------+---------------------+---------------+---------------------------------------+
| github.com/dgrijalva/jwt-go | CVE-2020-26160   | HIGH     | v3.2.0+incompatible |               | jwt-go: access restriction            |
|                             |                  |          |                     |               | bypass vulnerability                  |
|                             |                  |          |                     |               | -->avd.aquasec.com/nvd/cve-2020-26160 |
+-----------------------------+------------------+          +---------------------+---------------+---------------------------------------+
| github.com/gogo/protobuf    | CVE-2021-3121    |          | v1.3.1              | 1.3.2         | gogo/protobuf:                        |
|                             |                  |          |                     |               | plugin/unmarshal/unmarshal.go         |
|                             |                  |          |                     |               | lacks certain index validation        |
|                             |                  |          |                     |               | -->avd.aquasec.com/nvd/cve-2021-3121  |
+-----------------------------+------------------+----------+---------------------+---------------+---------------------------------------+
| golang.org/x/text           | CVE-2021-38561   | UNKNOWN  | v0.3.4              | 0.3.7         | Due to improper index calculation,    |
|                             |                  |          |                     |               | an incorrectly formatted              |
|                             |                  |          |                     |               | language tag can cause...             |
|                             |                  |          |                     |               | -->avd.aquasec.com/nvd/cve-2021-38561 |
+-----------------------------+------------------+----------+---------------------+---------------+---------------------------------------+
Possible fixes
Two of these seem fixable from the output with only minor version updates. I'll see if I can submit a PR for just that.
The trickier one is with the jwt-go library, which is potentially fixed in the 4.X major release that is still in preview:
- CVE-2020-26160
- https://github.com/dgrijalva/jwt-go/releases/tag/v4.0.0-preview1
Even if there is no risk from this specific CVE, perhaps there could be an acknowledgement or known-issues reference somewhere? Something to provide context/reasoning as to why it hasn't been remediated.
Raising this for visibility, as anything HIGH or above would usually flag up with consumers of this image.
Note that I haven't tried any other scanners, and this is only the result from the Open Source version of trivy:
Version: 0.24.4
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-03-31 06:08:36.282252727 +0000 UTC
  NextUpdate: 2022-03-31 12:08:36.282252527 +0000 UTC
  DownloadedAt: 2022-03-31 08:29:09.302116753 +0000 UTC
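The issue above boils down to two practical questions for anyone consuming the image: which findings can be closed by a version bump right now, and which ones need a documented acceptance before a HIGH-or-above gate can pass. The following Go program is an added example written for this page, not code from the issue or from the preflight project. It reads the JSON form of a trivy report (`trivy image --format json`), splits findings into fixable and unfixable, and fails when anything at or above a severity threshold is neither fixed nor listed in an explicit acceptance list. The JSON field names (`Results`, `Target`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`, `Title`) are my assumption about the trivy 0.24 schema; the embedded report is constructed by hand to mirror the three findings in the scan output and is not real trivy output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Report is the subset of a trivy JSON report this example reads. The field
// names are an assumption about the trivy 0.24 schema; check them against a
// real `trivy image --format json` report before relying on them.
type Report struct {
	ArtifactName string `json:"ArtifactName"`
	Results      []struct {
		Target          string          `json:"Target"`
		Type            string          `json:"Type"`
		Vulnerabilities []Vulnerability `json:"Vulnerabilities"`
	} `json:"Results"`
}

// Vulnerability is one finding as trivy reports it.
type Vulnerability struct {
	ID               string `json:"VulnerabilityID"`
	PkgName          string `json:"PkgName"`
	InstalledVersion string `json:"InstalledVersion"`
	FixedVersion     string `json:"FixedVersion"`
	Severity         string `json:"Severity"`
	Title            string `json:"Title"`
}

// severityRank orders trivy severities so a threshold can be compared.
// UNKNOWN ranks lowest, so it never trips a HIGH gate on its own, which is
// why a scanner-rated UNKNOWN finding still deserves a look when it has a fix.
var severityRank = map[string]int{"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Finding is a vulnerability together with the target it was found in.
type Finding struct {
	Target string
	Vuln   Vulnerability
}

// Triage holds the split result: findings closable by a version bump,
// findings with no fixed version, and findings that block the gate.
type Triage struct {
	Fixable   []Finding
	Unfixable []Finding
	Blocking  []Finding
}

// TriageReport parses raw trivy JSON and classifies every finding. A finding
// blocks when its severity is at or above minSeverity and its ID is not in
// accepted, the documented "known issues" list the issue asks for.
func TriageReport(raw []byte, minSeverity string, accepted map[string]bool) (Triage, error) {
	var rep Report
	if err := json.Unmarshal(raw, &rep); err != nil {
		return Triage{}, fmt.Errorf("parse trivy report: %w", err)
	}
	threshold, ok := severityRank[minSeverity]
	if !ok {
		return Triage{}, fmt.Errorf("unknown severity threshold %q", minSeverity)
	}
	var t Triage
	for _, res := range rep.Results {
		for _, v := range res.Vulnerabilities {
			f := Finding{Target: res.Target, Vuln: v}
			if v.FixedVersion != "" {
				t.Fixable = append(t.Fixable, f)
			} else {
				t.Unfixable = append(t.Unfixable, f)
			}
			if severityRank[v.Severity] >= threshold && !accepted[v.ID] {
				t.Blocking = append(t.Blocking, f)
			}
		}
	}
	return t, nil
}

// sampleReport is constructed by hand to mirror the scan output in the issue;
// it is not a real trivy report.
const sampleReport = `{
  "ArtifactName": "quay.io/jetstack/preflight:v0.1.35",
  "Results": [
    {"Target": "quay.io/jetstack/preflight:v0.1.35 (debian 11.2)", "Type": "debian", "Vulnerabilities": null},
    {"Target": "bin/preflight", "Type": "gobinary", "Vulnerabilities": [
      {"VulnerabilityID": "CVE-2020-26160", "PkgName": "github.com/dgrijalva/jwt-go",
       "InstalledVersion": "v3.2.0+incompatible", "FixedVersion": "", "Severity": "HIGH",
       "Title": "jwt-go: access restriction bypass vulnerability"},
      {"VulnerabilityID": "CVE-2021-3121", "PkgName": "github.com/gogo/protobuf",
       "InstalledVersion": "v1.3.1", "FixedVersion": "1.3.2", "Severity": "HIGH",
       "Title": "gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation"},
      {"VulnerabilityID": "CVE-2021-38561", "PkgName": "golang.org/x/text",
       "InstalledVersion": "v0.3.4", "FixedVersion": "0.3.7", "Severity": "UNKNOWN",
       "Title": "Due to improper index calculation, an incorrectly formatted language tag can cause..."}
    ]}
  ]
}`

func main() {
	// In a pipeline the report would come from stdin; here the constructed
	// sample stands in for it. accepted would be loaded from a committed
	// known-issues file; it is empty here, so the jwt-go finding blocks.
	accepted := map[string]bool{}
	tr, err := TriageReport([]byte(sampleReport), "HIGH", accepted)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range tr.Fixable {
		fmt.Printf("fix now: %s %s %s -> %s\n", f.Vuln.ID, f.Vuln.PkgName, f.Vuln.InstalledVersion, f.Vuln.FixedVersion)
	}
	for _, f := range tr.Unfixable {
		fmt.Printf("no fix:  %s %s %s (needs a documented acceptance)\n", f.Vuln.ID, f.Vuln.PkgName, f.Vuln.InstalledVersion)
	}
	if len(tr.Blocking) > 0 {
		fmt.Printf("gate failed: %d unaccepted finding(s) at HIGH or above\n", len(tr.Blocking))
		os.Exit(1)
	}
}
```

With an empty acceptance list the sample yields two fixable findings (gogo/protobuf and x/text), one unfixable (jwt-go) and two blocking (both HIGH entries), so the gate fails; adding CVE-2020-26160 to the acceptance list, which is the "acknowledgement or known issues reference" the issue asks for, leaves only the protobuf bump blocking until the version is raised. Keeping that acceptance list in the repository, with the reasoning next to each ID, is what lets downstream consumers see why a HIGH finding was left open rather than discovering it from their own scans.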