
Scan shows vulnerable if some patched packages are installed from PPA #73

Open
philroche opened this issue Feb 25, 2021 · 1 comment

@philroche

Hi,

Firstly, thank you for your work :)

I work on the Canonical Public Cloud team and our partner GKE and their customers are starting to use cvescan to scan for vulnerabilities.

The GKE images we provide to GKE have certain packages installed from a PPA, e.g. https://launchpad.net/~cloud-images/+archive/ubuntu/docker1903-k8s

This PPA has containerd, runc and docker.io and all are up to date and patched... but when scanning the attached manifest cvescan flags the packages as being vulnerable to CVE-2020-15157

$ cvescan -p all --manifest=ubuntu-gke-onprem-1804-1-18-v20201203.manifest.txt | grep "docker\.io\|containerd"

CVE-2020-15157  medium      docker.io               19.03.6-0ubuntu1~18.04.2     Ubuntu Archive
CVE-2020-15257  medium      containerd              1.3.3-0ubuntu1~18.04.4       Ubuntu Archive

I can confirm that the versions installed are not vulnerable to CVE-2020-15157.

sudo apt install apt-listchanges
wget https://launchpad.net/~cloud-images/+archive/ubuntu/docker1903-k8s/+files/docker.io_19.03.2-0ubuntu1~18.04.0.2_amd64.deb
wget https://launchpad.net/~cloud-images/+archive/ubuntu/docker1903-k8s/+files/containerd_1.2.10-0ubuntu1~18.04.0.3_amd64.deb
apt-listchanges --verbose --frontend text --all ./docker.io_19.03.2-0ubuntu1~18.04.0.2_amd64.deb > docker.io.changelog
apt-listchanges --verbose --frontend text --all ./containerd_1.2.10-0ubuntu1~18.04.0.3_amd64.deb > containerd.changelog
less docker.io.changelog
less containerd.changelog

In the changelog you can see that patches have been applied for CVE-2020-15157.

Is there any way to add support to cvescan for marking certain package versions from a PPA as no longer vulnerable to a specific CVE, e.g. by appending to the database used when scanning?

The PPAs GKE and their customers use are all public.

ubuntu-gke-onprem-1804-1-18-v20201203.manifest.txt
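The false positive described above comes down to comparing the installed version string against the Ubuntu Archive fix version, which a PPA build with its own version scheme can fail even when it carries the patch. As an added example (not cvescan's code and not the issue author's), here is a dpkg-style version comparison with an override table keyed on CVE, package and APT origin; the archive fix version, the `ppa:` origin string and the use of the quoted .deb version as the PPA fix version are constructed placeholders.

```python
# Added example, not cvescan's own code: dpkg-style version comparison plus a
# PPA override table keyed on package, CVE and APT origin, so a scanner can
# accept a PPA build as patched even though it is "older" than the archive fix.
import re
from itertools import zip_longest

# dpkg character ordering: '~' < end-of-string < letters < everything else
def _order(c: str) -> int:
    return -1 if c == "~" else 0 if not c else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_fragment(a: str, b: str) -> int:
    # Split into alternating non-digit / digit runs, always starting with a
    # (possibly empty) non-digit run so that both token lists stay aligned.
    def runs(s):
        t = re.findall(r"\D+|\d+", s)
        return [""] + t if t and t[0].isdigit() else t
    for k, (x, y) in enumerate(zip_longest(runs(a), runs(b), fillvalue="")):
        if k % 2:  # digit run: numeric compare, so leading zeros are insignificant
            d = int(x or 0) - int(y or 0)
        else:      # non-digit run: char by char; a missing char counts as end-of-string
            d = next((_order(p) - _order(q) for p, q in zip_longest(x, y, fillvalue="")
                      if _order(p) != _order(q)), 0)
        if d:
            return -1 if d < 0 else 1
    return 0

def compare_versions(a: str, b: str) -> int:
    # Same result as `dpkg --compare-versions`: epoch, then upstream, then revision.
    def split(v):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

# Constructed fix data: the archive version is a placeholder; the PPA version is
# the .deb name quoted in the issue, used as an illustration only.
ARCHIVE_FIXED = {("CVE-2020-15157", "docker.io"): "19.03.6-0ubuntu1~18.04.9"}
PPA_OVERRIDES = {("CVE-2020-15157", "docker.io", "ppa:cloud-images/docker1903-k8s"):
                 "19.03.2-0ubuntu1~18.04.0.2"}

def assess(cve: str, package: str, installed: str, origin: str) -> str:
    # The override is keyed on APT origin: a version string alone does not tell
    # which archive built the package, so the same version from elsewhere is still reported.
    fix = ARCHIVE_FIXED.get((cve, package))
    if fix and compare_versions(installed, fix) >= 0:
        return "fixed (archive)"
    ppa_fix = PPA_OVERRIDES.get((cve, package, origin))
    if ppa_fix and compare_versions(installed, ppa_fix) >= 0:
        return "fixed (PPA override)"
    return "vulnerable"
```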

@philroche

Another reason for adding support for this is when the Ubuntu releases transition to ESM which uses a PPA.
