This repository has been archived by the owner on Jan 27, 2023. It is now read-only.

Vuln reported on the patched/fixed older versions #1360

Open
verma-preet opened this issue Jan 28, 2022 · 1 comment
@verma-preet

Is this a BUG REPORT or a FEATURE REQUEST? BUG REPORT

Version of Anchore Engine and Anchore CLI if applicable:
Anchore engine version: v0.10.0

What happened:
We scanned a Docker image using the Anchore APIs and it reported the CVE-2020-25637 vulnerability in three libvirt packages. The JSON snippet from the results is:

    "vulnerabilities": [
        {
            "feed": "vulnerabilities",
            "feed_group": "alpine:3.15",
            "fix": "6.8.0-r0",
            "nvd_data": [
                {
                    "cvss_v2": {
                        "base_score": 7.2,
                        "exploitability_score": 3.9,
                        "impact_score": 10.0
                    },
                    "cvss_v3": {
                        "base_score": 6.7,
                        "exploitability_score": 0.8,
                        "impact_score": 5.9
                    },
                    "id": "CVE-2020-25637"
                }
            ],
            "package": "libvirt-client-6.6.0-r4",
            "package_cpe": "None",
            "package_cpe23": "None",
            "package_name": "libvirt-client",
            "package_path": "pkgdb",
            "package_type": "APKG",
            "package_version": "6.6.0-r4",
            "severity": "Medium",
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25637",
            "vendor_data": [],
            "vuln": "CVE-2020-25637"
        },
        {
            "feed": "vulnerabilities",
            "feed_group": "alpine:3.15",
            "fix": "6.8.0-r0",
            "nvd_data": [
                {
                    "cvss_v2": {
                        "base_score": 7.2,
                        "exploitability_score": 3.9,
                        "impact_score": 10.0
                    },
                    "cvss_v3": {
                        "base_score": 6.7,
                        "exploitability_score": 0.8,
                        "impact_score": 5.9
                    },
                    "id": "CVE-2020-25637"
                }
            ],
            "package": "libvirt-6.6.0-r4",
            "package_cpe": "None",
            "package_cpe23": "None",
            "package_name": "libvirt",
            "package_path": "pkgdb",
            "package_type": "APKG",
            "package_version": "6.6.0-r4",
            "severity": "Medium",
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25637",
            "vendor_data": [],
            "vuln": "CVE-2020-25637"
        },
        {
            "feed": "vulnerabilities",
            "feed_group": "alpine:3.15",
            "fix": "6.8.0-r0",
            "nvd_data": [
                {
                    "cvss_v2": {
                        "base_score": 7.2,
                        "exploitability_score": 3.9,
                        "impact_score": 10.0
                    },
                    "cvss_v3": {
                        "base_score": 6.7,
                        "exploitability_score": 0.8,
                        "impact_score": 5.9
                    },
                    "id": "CVE-2020-25637"
                }
            ],
            "package": "libvirt-libs-6.6.0-r4",
            "package_cpe": "None",
            "package_cpe23": "None",
            "package_name": "libvirt-libs",
            "package_path": "pkgdb",
            "package_type": "APKG",
            "package_version": "6.6.0-r4",
            "severity": "Medium",
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25637",
            "vendor_data": [],
            "vuln": "CVE-2020-25637"
        },
.....

More evidence on the libvirt versions inside our image:

$ docker run -it --rm --entrypoint bash stunnel-sidecar:0a0d82ec9f135fd38056dadbaddef1afee41dc34-amd64
bash-5.1$ apk -v info | grep libvirt
libvirt-libs-6.6.0-r4
libvirt-6.6.0-r4
libvirt-client-6.6.0-r4
bash-5.1$ 

What did you expect to happen:

According to Alpine (see https://security.alpinelinux.org/vuln/CVE-2020-25637), version 6.6.0-r4 was patched and Anchore should not report a vulnerability but it does. Anchore needs to recognize that upgrading to a later version with the fix is not the only solution when the fix has also been backported to older versions.
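The matching difference the report describes, as an added example that is not Anchore's or Grype's code: a naive matcher flags any installed version below the feed's "fix" version (6.8.0-r0), while a distro-aware matcher first consults the Alpine secdb, whose `secfixes` map lists the package version that closed each CVE. The secdb and feed records below are constructed to mirror the report (a secfix recorded for 6.6.0-r4), the `ORIGIN_PACKAGE` map that folds the libvirt subpackages onto their origin package is an assumption, and the version parser handles only the `X.Y.Z-rN` shape seen here, not the full apk version grammar.

```python
"""Naive fix-version matching vs. Alpine secdb-aware matching.

Added example, not Anchore's code. SAMPLE_SECDB and SAMPLE_FEED are
constructed to mirror the report; the real database is published at
https://secdb.alpinelinux.org/ as one JSON file per branch and repo.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample of one secdb "packages" entry. In the real format,
# "secfixes" maps a fixed package version to the CVE ids it closes.
SAMPLE_SECDB = {
    "distroversion": "v3.15",
    "packages": [
        {"pkg": {"name": "libvirt",
                 "secfixes": {"6.6.0-r4": ["CVE-2020-25637"]}}},
    ],
}

# Constructed sample of the scanner's feed record (fields as in the report).
SAMPLE_FEED = {"vuln": "CVE-2020-25637", "package_name": "libvirt",
               "fix": "6.8.0-r0"}

# Assumption: subpackage -> origin package, since secdb keys on the origin.
ORIGIN_PACKAGE = {"libvirt-client": "libvirt", "libvirt-libs": "libvirt"}

_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_apk_version(ver: str) -> Tuple[Tuple[int, ...], int]:
    """Parse the common 'X.Y.Z-rN' shape; other apk suffixes are rejected."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported apk version: {ver!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, int(m.group(2) or 0)


def version_lt(a: str, b: str) -> bool:
    """True if apk version a sorts before b (numeric parts padded with 0)."""
    (na, ra), (nb, rb) = parse_apk_version(a), parse_apk_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    return (na, ra) < (nb, rb)


def naive_match(installed: str, feed: dict) -> bool:
    """Feed-only logic: vulnerable whenever installed < feed's fix version."""
    return version_lt(installed, feed["fix"])


def secdb_fixed_version(secdb: dict, pkg: str, cve: str) -> Optional[str]:
    """Earliest version the distro secdb says closes `cve` in `pkg`, or None."""
    fixed = [ver
             for entry in secdb["packages"] if entry["pkg"]["name"] == pkg
             for ver, cves in entry["pkg"].get("secfixes", {}).items()
             if cve in cves]
    return min(fixed, key=parse_apk_version) if fixed else None


def secdb_aware_match(installed: str, feed: dict, secdb: dict) -> bool:
    """Vulnerable only if the distro has not shipped a fix at or below
    `installed`; without a secdb statement, fall back to the feed's fix."""
    fixed = secdb_fixed_version(secdb, feed["package_name"], feed["vuln"])
    if fixed is None:
        return naive_match(installed, feed)
    return version_lt(installed, fixed)


def scan(installed: Dict[str, str], feed: dict, secdb: dict) -> Dict[str, Tuple[bool, bool]]:
    """Return {package: (naive_result, secdb_result)} for each installed package."""
    results = {}
    for pkg, ver in installed.items():
        rec = dict(feed, package_name=ORIGIN_PACKAGE.get(pkg, pkg))
        results[pkg] = (naive_match(ver, rec), secdb_aware_match(ver, rec, secdb))
    return results


if __name__ == "__main__":
    # The three packages from the report's `apk -v info` output.
    image = {"libvirt-libs": "6.6.0-r4", "libvirt": "6.6.0-r4",
             "libvirt-client": "6.6.0-r4"}
    for pkg, (naive, aware) in scan(image, SAMPLE_FEED, SAMPLE_SECDB).items():
        print(f"{pkg}: naive={naive} secdb_aware={aware}")
```

With the constructed secdb, every one of the three packages is flagged by the naive comparison and cleared by the secdb-aware one; drop the installed version to 6.6.0-r3 and both strategies report it vulnerable, which is the behaviour the report asks for.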


cjyar commented Feb 3, 2022

I think this is the same as anchore/grype#601.
