False detection of CVE-2020-8559 in k8s.io/apimachinery

[ajchiarello]

IDs

CVE-2020-8559

Description

It looks like it is conflating the versions of Kubernetes that are vulnerable (v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6) with the version of the apimachinery library (which follows a different versioning scheme with the most recent version being v0.30.0 from last week.

Reproduction Steps

1. Scan something that contains the k8s.io/apimachinery library with trivy (notably, trivy itself has this library). 
2. Compare the installed version and the fixed version.

Target

Container Image

Scanner

Vulnerability

Target OS

alpine 3.19, among others.

Debug Output

trivy image ghcr.io/mariadb-operator/mariadb-operator:v0.0.27 --scanners vuln --debug
2024-04-25T10:36:20.008-0400    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-25T10:36:20.008-0400    DEBUG   Ignore statuses {"statuses": null}
2024-04-25T10:36:20.009-0400    DEBUG   cache dir:  /home/andrew/.cache/trivy
2024-04-25T10:36:20.009-0400    DEBUG   DB update was skipped because the local DB is the latest
2024-04-25T10:36:20.009-0400    DEBUG   DB Schema: 2, UpdatedAt: 2024-04-25 12:12:20.162732803 +0000 UTC, NextUpdate: 2024-04-25 18:12:20.162732522 +0000 UTC, DownloadedAt: 2024-04-25 14:26:52.066585145 +0000 UTC
2024-04-25T10:36:20.009-0400    INFO    Vulnerability scanning is enabled
2024-04-25T10:36:20.009-0400    DEBUG   Vulnerability type:  [os library]
2024-04-25T10:36:20.009-0400    DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-04-25T10:36:20.181-0400    DEBUG   The nuget packages directory couldn't be found. License search disabled
2024-04-25T10:36:20.246-0400    DEBUG   Image ID: sha256:b16cd260a25e23e7d87130b2557e6d5d9c4ac906361aa1a9f1c985ded1c9d89a
2024-04-25T10:36:20.246-0400    DEBUG   Diff IDs: [sha256:70c35736547b3e931b1a31e6d5e7df15ca445f3923da9c5bf966e67fe7f08564 sha256:6fbdf253bbc2490dcfede5bdb58ca0db63ee8aff565f6ea9f918f3bce9e2d5aa sha256:1df9699731f7846ad827986563c27981294fd53a7ce7b4665f87936b0d9a7945 sha256:ff5700ec54186528cbae40f54c24b1a34fb7c01527beaa1232868c16e2353f52 sha256:d52f02c6501c9c4410568f0bf6ff30d30d8290f57794c308fe36ea78393afac2 sha256:e624a5370eca2b8266e74d179326e2a8767d361db14d13edd9fb57e408731784 sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849 sha256:d2d7ec0f6756eb51cf1602c6f8ac4dd811d3d052661142e0110357bf0b581457 sha256:4cb10dd2545bd173858450b80853b850e49608260f1a0789e0d0b39edf12f500 sha256:3530b1ca937942b143c0be149e7222f5931a7466e2a86560282fa2a12548765e]
2024-04-25T10:36:20.246-0400    DEBUG   Base Layers: []
2024-04-25T10:36:20.248-0400    DEBUG   Missing image ID in cache: sha256:b16cd260a25e23e7d87130b2557e6d5d9c4ac906361aa1a9f1c985ded1c9d89a
2024-04-25T10:36:20.250-0400    DEBUG   No secrets found in container image config
2024-04-25T10:36:20.252-0400    INFO    Detected OS: debian
2024-04-25T10:36:20.252-0400    INFO    Detecting Debian vulnerabilities...
2024-04-25T10:36:20.252-0400    DEBUG   debian: os version: 11
2024-04-25T10:36:20.252-0400    DEBUG   debian: the number of packages: 3
2024-04-25T10:36:20.253-0400    INFO    Number of language-specific files: 1
2024-04-25T10:36:20.253-0400    INFO    Detecting gobinary vulnerabilities...
2024-04-25T10:36:20.253-0400    DEBUG   Detecting library vulnerabilities, type: gobinary, path: bin/mariadb-operator

ghcr.io/mariadb-operator/mariadb-operator:v0.0.27 (debian 11.9)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


bin/mariadb-operator (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

lqqqqqqqqqqqqqqqqqqqqqqqqqqqq_qqqqqqqqqqqqqqqq_qqqqqqqqqq_qqqqqqqq_qqqqqqqqqqqqqqqqqqq_qqqqqqqqqqqqqqqqqqqqqqqqq_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
x          Library           x Vulnerability  x Severity x Status x Installed Version x      Fixed Version      x                            Title                             x
tqqqqqqqqqqqqqqqqqqqqqqqqqqqqnqqqqqqqqqqqqqqqqnqqqqqqqqqqnqqqqqqqqnqqqqqqqqqqqqqqqqqqqnqqqqqqqqqqqqqqqqqqqqqqqqqnqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu
x golang.org/x/net           x CVE-2023-45288 x MEDIUM   x fixed  x v0.19.0           x 0.23.0                  x golang: net/http, x/net/http2: unlimited number of           x
x                            x                x          x        x                   x                         x CONTINUATION frames causes DoS                               x
x                            x                x          x        x                   x                         x https://avd.aquasec.com/nvd/cve-2023-45288                   x
tqqqqqqqqqqqqqqqqqqqqqqqqqqqqnqqqqqqqqqqqqqqqqu          x        tqqqqqqqqqqqqqqqqqqqnqqqqqqqqqqqqqqqqqqqqqqqqqnqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu
x google.golang.org/protobuf x CVE-2024-24786 x          x        x v1.30.0           x 1.33.0                  x golang-protobuf: encoding/protojson, internal/encoding/json: x
x                            x                x          x        x                   x                         x infinite loop in protojson.Unmarshal when unmarshaling       x
x                            x                x          x        x                   x                         x certain forms of...                                          x
x                            x                x          x        x                   x                         x https://avd.aquasec.com/nvd/cve-2024-24786                   x
tqqqqqqqqqqqqqqqqqqqqqqqqqqqqnqqqqqqqqqqqqqqqqu          x        tqqqqqqqqqqqqqqqqqqqnqqqqqqqqqqqqqqqqqqqqqqqqqnqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu
x k8s.io/apimachinery        x CVE-2020-8559  x          x        x v0.28.1           x 1.16.13, 1.17.9, 1.18.7 x kubernetes: compromised node could escalate to cluster level x
x                            x                x          x        x                   x                         x privileges                                                   x
x                            x                x          x        x                   x                         x https://avd.aquasec.com/nvd/cve-2020-8559                    x
mqqqqqqqqqqqqqqqqqqqqqqqqqqqqvqqqqqqqqqqqqqqqqvqqqqqqqqqqvqqqqqqqqvqqqqqqqqqqqqqqqqqqqvqqqqqqqqqqqqqqqqqqqqqqqqqvqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj

Version

trivy --version
Version: 0.50.4
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-25 12:12:20.162732803 +0000 UTC
  NextUpdate: 2024-04-25 18:12:20.162732522 +0000 UTC
  DownloadedAt: 2024-04-25 14:26:52.066585145 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-10-02 01:10:45.729907646 +0000 UTC
  NextUpdate: 2023-10-05 01:10:45.729907346 +0000 UTC
  DownloadedAt: 2023-10-02 18:12:32.286791891 +0000 UTC
Policy Bundle:
  Digest: sha256:030345bff4845bae1c89450da85681bc25c0c40d2144a0d9db5254674d155298
  DownloadedAt: 2023-06-14 23:25:11.805954799 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[erpel]

Updating the database today seems to have resolved this for me:

Version: 0.50.4
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-26 06:10:53.651927616 +0000 UTC
  NextUpdate: 2024-04-26 12:10:53.651927476 +0000 UTC
  DownloadedAt: 2024-04-26 06:52:50.329911 +0000 UTC

[knqyf263]

GitHub fixed the advisory.
github/advisory-database@15bb6d9#diff-0f9d563624998bbc96dbe420f2027f81042069dcf1ca09c790fb2b6df9567efa