nginx 3rd party package detection on alpine

[jkroepke]

IDs

CVE-2023-44487

Description

The docker image docker.io/nginxinc/nginx-unprivileged:1.24.0-alpine-slim shows an vulnerability from a nginx package with an fixable version

But this image is using nginx package from a different source (https://nginx.org/packages/alpine/v3.18/main/x86_64/) which does not offering 1.24.0-r7.

I have the feeling that trivy thinks that the nginx package comes from the official sources which is not true in that case. In any case, the status should be "NOT FIXED", since there is no other package version in that 3th party repository.

% trivy image docker.io/nginxinc/nginx-unprivileged:1.24.0-alpine-slim@sha256:77be51a42c5f10888cccf01fed430bf470b28a302b758f36a96bc33f92f7f726
2023-10-23T09:24:16.550+0200    INFO    Vulnerability scanning is enabled
2023-10-23T09:24:16.550+0200    INFO    Secret scanning is enabled
2023-10-23T09:24:16.550+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-10-23T09:24:16.550+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.46/docs/scanner/secret/#recommendation for faster secret detection
2023-10-23T09:24:18.421+0200    INFO    Detected OS: alpine
2023-10-23T09:24:18.421+0200    INFO    Detecting Alpine vulnerabilities...
2023-10-23T09:24:18.424+0200    INFO    Number of language-specific files: 0

docker.io/nginxinc/nginx-unprivileged:1.24.0-alpine-slim@sha256:77be51a42c5f10888cccf01fed430bf470b28a302b758f36a96bc33f92f7f726 (alpine 3.18.4)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ nginx   │ CVE-2023-44487 │ HIGH     │ fixed  │ 1.24.0-r1         │ 1.24.0-r7     │ Multiple HTTP/2 enabled web servers are vulnerable to a DDoS │
│         │                │          │        │                   │               │ attack (Rapid...                                             │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Reproduction Steps

1. trivy image docker.io/nginxinc/nginx-unprivileged:1.24.0-alpine-slim@sha256:77be51a42c5f10888cccf01fed430bf470b28a302b758f36a96bc33f92f7f726
...

Target

Container Image

Scanner

Vulnerability

Target OS

Alpine 3.18

Debug Output

% trivy image docker.io/nginxinc/nginx-unprivileged:1.24.0-alpine-slim@sha256:77be51a42c5f10888cccf01fed430bf470b28a302b758f36a96bc33f92f7f726 --debug
2023-10-23T09:28:51.799+0200    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-10-23T09:28:51.800+0200    DEBUG   Ignore statuses {"statuses": null}
2023-10-23T09:28:51.857+0200    DEBUG   cache dir:  /Users/jkr/Library/Caches/trivy
2023-10-23T09:28:51.857+0200    DEBUG   DB update was skipped because the local DB is the latest
2023-10-23T09:28:51.857+0200    DEBUG   DB Schema: 2, UpdatedAt: 2023-10-23 06:19:38.415619886 +0000 UTC, NextUpdate: 2023-10-23 12:19:38.415619286 +0000 UTC, DownloadedAt: 2023-10-23 07:23:55.484195 +0000 UTC
2023-10-23T09:28:51.857+0200    INFO    Vulnerability scanning is enabled
2023-10-23T09:28:51.857+0200    DEBUG   Vulnerability type:  [os library]
2023-10-23T09:28:51.857+0200    INFO    Secret scanning is enabled
2023-10-23T09:28:51.857+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-10-23T09:28:51.857+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.46/docs/scanner/secret/#recommendation for faster secret detection
2023-10-23T09:28:53.752+0200    DEBUG   No secret config detected: trivy-secret.yaml
2023-10-23T09:28:53.752+0200    DEBUG   The nuget packages directory couldn't be found. License search disabled
2023-10-23T09:28:53.752+0200    DEBUG   No secret config detected: trivy-secret.yaml
2023-10-23T09:28:53.986+0200    DEBUG   Image ID: sha256:0ef4ee975d2719bd2ff328601d33f6d22028c3ca1ceb25c2efb186d60df09bb4
2023-10-23T09:28:53.986+0200    DEBUG   Diff IDs: [sha256:cc2447e1835a40530975ab80bb1f872fbab0f2a0faecf2ab16fbbb89b3589438 sha256:41a9c0ff0e30c82c77aacc56a7daff1dcb2c10ee35e160f1a954c3cefb5bfec1 sha256:2f179a7b4745ec9943c89c94b0d752572b34ad763b044bfb2db6d359487ab423 sha256:cc806d3d1e65b17aa69b4169f4ab6def441bb89e40573b3cf9d5fe3967d760ec sha256:a1eb42fbe6a713bece847c05fde48a1d6f24dad2857986978c0c17274c0a947a sha256:31c8ac1c409e82f725f98486af229233281360cb98a2910664a7e64dddbd6a88 sha256:d39bdfc88185dd19d5aae953254adb46cce94c29546f50249412e45230ea40fc sha256:1093e83f22f3de56cb076d488f8ae15796bf5aa8cc0e5752fa20110e6bb87dbb]
2023-10-23T09:28:53.986+0200    DEBUG   Base Layers: [sha256:cc2447e1835a40530975ab80bb1f872fbab0f2a0faecf2ab16fbbb89b3589438]
2023-10-23T09:28:53.988+0200    INFO    Detected OS: alpine
2023-10-23T09:28:53.988+0200    INFO    Detecting Alpine vulnerabilities...
2023-10-23T09:28:53.988+0200    DEBUG   alpine: os version: 3.18
2023-10-23T09:28:53.988+0200    DEBUG   alpine: package repository: 3.18
2023-10-23T09:28:53.988+0200    DEBUG   alpine: the number of packages: 19
2023-10-23T09:28:53.993+0200    INFO    Number of language-specific files: 0

docker.io/nginxinc/nginx-unprivileged:1.24.0-alpine-slim@sha256:77be51a42c5f10888cccf01fed430bf470b28a302b758f36a96bc33f92f7f726 (alpine 3.18.4)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ nginx   │ CVE-2023-44487 │ HIGH     │ fixed  │ 1.24.0-r1         │ 1.24.0-r7     │ Multiple HTTP/2 enabled web servers are vulnerable to a DDoS │
│         │                │          │        │                   │               │ attack (Rapid...                                             │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Version

Version: 0.46.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-10-23 06:19:38.415619886 +0000 UTC
  NextUpdate: 2023-10-23 12:19:38.415619286 +0000 UTC
  DownloadedAt: 2023-10-23 07:23:55.484195 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-05-26 00:54:30.554694094 +0000 UTC
  NextUpdate: 2023-05-29 00:54:30.554693594 +0000 UTC
  DownloadedAt: 2023-05-26 14:32:06.229647 +0000 UTC
Policy Bundle:
  Digest: sha256:2e95a2d5d45de8ebecae53a97403230a6c608a579b082f3de170f3cf09e46243
  DownloadedAt: 2023-08-25 20:49:01.993538 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @jkroepke
Thanks for your report.

For all apk packages we use Alpine security database:

• https://aquasecurity.github.io/trivy/v0.46/docs/scanner/vulnerability/#data-source-selection
• https://aquasecurity.github.io/trivy/v0.46/docs/scanner/vulnerability/#supported-os

Alpine says that CVE-2023-44487 has been fixed in 1.24.0-r7:

➜  ~ curl https://secdb.alpinelinux.org/v3.18/main.json | jq '.packages[] | select(.pkg.name == "nginx")'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 64131  100 64131    0     0   160k      0 --:--:-- --:--:-- --:--:--  163k
{
  "pkg": {
    "name": "nginx",
    "secfixes": {
      "0": [
        "CVE-2022-3638"
      ],
      "1.12.1-r0": [
        "CVE-2017-7529"
      ],
      "1.14.1-r0": [
        "CVE-2018-16843",
        "CVE-2018-16844",
        "CVE-2018-16845"
      ],
      "1.16.1-r0": [
        "CVE-2019-9511",
        "CVE-2019-9513",
        "CVE-2019-9516"
      ],
      "1.16.1-r6": [
        "CVE-2019-20372"
      ],
      "1.20.1-r0": [
        "CVE-2021-23017"
      ],
      "1.20.1-r1": [
        "CVE-2021-3618"
      ],
      "1.20.2-r2": [
        "CVE-2021-46461",
        "CVE-2021-46462",
        "CVE-2021-46463",
        "CVE-2022-25139"
      ],
      "1.22.1-r0": [
        "CVE-2022-41741",
        "CVE-2022-41742"
      ],
      "1.24.0-r7": [
        "CVE-2023-44487"
      ]
    }
  }
}

But this image is using nginx package from a different source

Trivy is currently unable to separate official and third party packages.
You can track changes to this case at #4257.

Regards, Dmitriy

[jkroepke]

Trivy is currently unable to separate official and third party packages.

Thanks. That seems the root cause here.

[DmitriyLewen]

If you need to change report - you can create module for this case.

[DmitriyLewen]

Issue for this problem exists.
I close this discussion. Feel free to reopen it, if you still have questions.