GoLang Prometheus module versions trigger false CVE-2019-3826 alert

[ksylvan]

IDs

CVE-2019-3826

Description

Scanning a GoLang based image that uses https://github.com/prometheus/prometheus gives the following scan results:

That's because the module is https://pkg.go.dev/github.com/prometheus/[email protected] that corresponds to the latest Prometheus version (2.44.0).

Prometheus README about the weird Go module numbering:

https://github.com/prometheus/prometheus#prometheus-code-base

 Quoting from the README:
 

Prometheus code base

In order to comply with go mod rules, Prometheus release number do not exactly match Go module releases. For the Prometheus v2.y.z releases, we are publishing equivalent v0.y.z tags.

Therefore, a user that would want to use Prometheus v2.35.0 as a library could do:

go get [github.com/prometheus/[email protected]](mailto:github.com/prometheus/[email protected])

Reproduction Steps

1. Run the scanner:

 docker run --rm -it -v $HOME/trivy-cache:/root/.cache/ aquasec/trivy:0.41.0 image devopsfaith/krakend:2.3.2

2. Look at the results:

├──────────────────────────────────┼────────────────┤          ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/prometheus/prometheus │ CVE-2019-3826  │          │ v0.40.5           │ v2.7.1        │ prometheus: Stored DOM cross-site scripting (XSS) attack via │
│                                  │                │          │                   │               │ crafted URL                                                  │
│                                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-3826                    │
└──────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

3. Be alarmed(!!!) at the Medium level vullnerability.

### Target

Container Image

### Scanner

Vulnerability

### Target OS

_No response_

### Debug Output

```bash
$ docker run --rm -it -v $HOME/trivy-cache:/root/.cache/ aquasec/trivy:0.41.0 image devopsfaith/krakend:2.3.2 --debug
2023-05-26T20:23:50.383Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-05-26T20:23:50.388Z        DEBUG   cache dir:  /root/.cache/trivy
2023-05-26T20:23:50.388Z        DEBUG   DB update was skipped because the local DB is the latest
2023-05-26T20:23:50.388Z        DEBUG   DB Schema: 2, UpdatedAt: 2023-05-26 18:08:44.111473844 +0000 UTC, NextUpdate: 2023-05-27 00:08:44.111473444 +0000 UTC, DownloadedAt: 2023-05-26 20:17:01.928987757 +0000 UTC
2023-05-26T20:23:50.388Z        INFO    Vulnerability scanning is enabled
2023-05-26T20:23:50.388Z        DEBUG   Vulnerability type:  [os library]
2023-05-26T20:23:50.388Z        INFO    Secret scanning is enabled
2023-05-26T20:23:50.388Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-26T20:23:50.388Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
2023-05-26T20:23:59.581Z        DEBUG   No secret config detected: trivy-secret.yaml
2023-05-26T20:24:04.004Z        DEBUG   Image ID: sha256:e77997d1858f7e078146ff12adabbc4d36c20fd35e73510e0af10199a9fff653
2023-05-26T20:24:04.004Z        DEBUG   Diff IDs: [sha256:f1417ff83b319fbdae6dd9cd6d8c9c88002dcd75ecf6ec201c8c6894681cf2b5 sha256:6bf1463ceb59f32dbaaa24e43e539f50bedea7e4dbc71b8e6b25d6f2c930d5a2 sha256:6fbfdec315cf2eb8cd71734937af9501daa5d2803d8b4af87ad11a6cf063fa4b sha256:e7522b117925bbfda3e2fa9b0ffdb45dabc793388b3b8149619e175e9097efb7 sha256:4a1908378084e832317ce625fa6476ac79b16a54367394425a91530b20989cab]
2023-05-26T20:24:04.004Z        DEBUG   Base Layers: [sha256:f1417ff83b319fbdae6dd9cd6d8c9c88002dcd75ecf6ec201c8c6894681cf2b5]
2023-05-26T20:24:04.006Z        INFO    Detected OS: alpine
2023-05-26T20:24:04.006Z        INFO    Detecting Alpine vulnerabilities...
2023-05-26T20:24:04.006Z        DEBUG   alpine: os version: 3.17
2023-05-26T20:24:04.006Z        DEBUG   alpine: package repository: 3.17
2023-05-26T20:24:04.006Z        DEBUG   alpine: the number of packages: 19
2023-05-26T20:24:04.007Z        INFO    Number of language-specific files: 1
2023-05-26T20:24:04.007Z        INFO    Detecting gobinary vulnerabilities...
2023-05-26T20:24:04.007Z        DEBUG   Detecting library vulnerabilities, type: gobinary, path: usr/bin/krakend

devopsfaith/krakend:2.3.2 (alpine 3.17.3)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-1255 │ MEDIUM   │ 3.0.8-r3          │ 3.0.8-r4      │ Input buffer over-read in AES-XTS implementation on 64 bit │
│            │               │          │                   │               │ ARM                                                        │
│            │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-1255                  │
├────────────┤               │          │                   │               │                                                            │
│ libssl3    │               │          │                   │               │                                                            │
│            │               │          │                   │               │                                                            │
│            │               │          │                   │               │                                                            │
└────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

usr/bin/krakend (gobinary)

Total: 4 (UNKNOWN: 0, LOW: 1, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌──────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│             Library              │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
├──────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go        │ CVE-2020-8911  │ MEDIUM   │ v1.44.151         │               │ aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto    │
│                                  │                │          │                   │               │ SDK for golang...                                            │
│                                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8911                    │
│                                  ├────────────────┼──────────┤                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                                  │ CVE-2020-8912  │ LOW      │                   │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto   │
│                                  │                │          │                   │               │ SDK for golang...                                            │
│                                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                    │
├──────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/gin-gonic/gin         │ CVE-2023-29401 │ MEDIUM   │ v1.9.0            │               │ Gin Web Framework does not properly sanitize filename        │
│                                  │                │          │                   │               │ parameter of Context.FileAttachment function...              │
│                                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-29401                   │
├──────────────────────────────────┼────────────────┤          ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/prometheus/prometheus │ CVE-2019-3826  │          │ v0.40.5           │ v2.7.1        │ prometheus: Stored DOM cross-site scripting (XSS) attack via │
│                                  │                │          │                   │               │ crafted URL                                                  │
│                                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-3826                    │
└──────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Version

Version: 0.41.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-05-26 18:08:44.111473844 +0000 UTC
  NextUpdate: 2023-05-27 00:08:44.111473444 +0000 UTC
  DownloadedAt: 2023-05-26 20:17:01.928987757 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[knqyf263]

Same one? @DmitriyLewen
#2992

[DmitriyLewen]

Right. github.com/prometheus/prometheus didn't migrate to v2 version.

[ksylvan]

Yes, same one. We can close it.

[DmitriyLewen]

Duplicate of #2992

[ksylvan]

prometheus/prometheus#12403

[ksylvan]

@DmitriyLewen Did you guys change something? Because with no changes on my end or in the devopsfaith/krakend:2.3.2 image, the vulnerability about prometheus is no longer there.

[DmitriyLewen]

Hello @ksylvan !

We have migrated from GitLab advisory database to GitHub advisory database.
It is strange but looks like ghsa and go vulndb don't contain this CVE.

[DmitriyLewen]

I created issue for GitHub - github/advisory-database#2341

[roidelapluie]

The security vulnerability was not even in the go code.