Trivy warns "failed to get the vulnerability" about a rejected CVE, CVE-2021-20095 #2623

Open
Labels: kind/bug, priority/backlog

Comments

@hlein

hlein commented Jul 29, 2022

Description

When running trivy, a consistent error I'm getting across lots of Docker images is:

Error while getting vulnerability details: failed to get the vulnerability "CVE-2021-20095": no vulnerability details for CVE-2021-20095

I got that error a few days ago using trivy-0.30.2 and a then-current DB, and then again just now with trivy-0.30.4 after making sure I fetched a fresh DB.

If you check out that CVE, its status is REJECTED: https://nvd.nist.gov/vuln/detail/CVE-2021-20095

There's no information there about why, but I think it was a duplicate of https://nvd.nist.gov/vuln/detail/CVE-2021-42771; see more info below that corroborates that.

What did you expect to happen?

trivy to run to completion without errors.

What happened instead?

The above error (along with otherwise successful completion).

Output of run with --debug:

$ trivy image --debug --skip-update --offline-scan -f json --input [image.tar]
...
2022-07-28T20:36:05.833-0600    WARN    Error while getting vulnerability details: failed to get the vulnerability "CVE-2021-20095": no vulnerability details for CVE-2021-20095
2022-07-28T20:36:05.833-0600    WARN    Error while getting vulnerability details: failed to get the vulnerability "CVE-2021-20095": no vulnerability details for CVE-2021-20095
...

I cannot share the full output, but here's a snippet of the resulting json that mentions CVE-2021-20095:

        {
          "VulnerabilityID": "CVE-2021-20095",
          "VendorIDs": [
            "RHSA-2021:4151"
          ],
          "PkgName": "python2",
          "InstalledVersion": "2.7.18-4.module+el8.4.0+9577+0b56c8de",
          "FixedVersion": "2.7.18-7.module+el8.5.0+12203+77770ab7",
          "Layer": {
            "DiffID": "sha256:7cd3f8de903a013ee7f4d6ee792562196e45273f9075c5a244883301e88ad5ae"
          },
          "SeveritySource": "redhat",
          "Severity": "MEDIUM"
        },

And here's one for CVE-2021-42771 that mentions CVE-2021-20095 in the same Title:

        {
          "VulnerabilityID": "CVE-2021-42771",
          "VendorIDs": [
            "RHSA-2021:4151"
          ],
          "PkgName": "python2",
          "InstalledVersion": "2.7.18-4.module+el8.4.0+9577+0b56c8de",
          "FixedVersion": "2.7.18-7.module+el8.5.0+12203+77770ab7",
          "Layer": {
            "DiffID": "sha256:7cd3f8de903a013ee7f4d6ee792562196e45273f9075c5a244883301e88ad5ae"
          },
          "SeveritySource": "redhat",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42771",
          "Title": "CVE-2021-20095 CVE-2021-42771 python-babel: Relative path traversal allows attacker to load arbitrary locale files and execute arbitrary code",
          "Description": "Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.",
          "Severity": "MEDIUM",
          "CweIDs": [
            "CWE-22"
          ],
          "CVSS": {
            "ghsa": {
              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "V3Score": 7.8
            },
            "nvd": {
              "V2Vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "V2Score": 7.2,
              "V3Score": 7.8
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "V3Score": 7.8
            }
          },

(These repeat later for python2-libs.)

Output of trivy -v:

$ trivy -v
Version: 
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-07-29 00:11:12.52345116 +0000 UTC
  NextUpdate: 2022-07-29 06:11:12.52345066 +0000 UTC
  DownloadedAt: 0001-01-01 00:00:00 +0000 UTC

Additional details (base image name, container registry info...):

@hlein hlein added the kind/bug Categorizes issue or PR as related to a bug. label Jul 29, 2022
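As an added example (not Trivy's code and not from anyone in this thread), here is a small script that triages a Trivy JSON report for exactly the situation described above: findings that Trivy emitted with no Title/Description/PrimaryURL because the vulnerability DB had no details for the ID. It groups those IDs by affected package and, as a heuristic of my own, flags any detailed finding that shares a VendorID (the same RHSA) and names the undetailed ID in its Title, which is the CVE-2021-20095 / CVE-2021-42771 pattern shown in the snippets. The embedded sample report is constructed from the snippets in this issue with some fields abbreviated; the Results[].Vulnerabilities[] layout is Trivy's JSON format.

```python
"""Triage findings in a Trivy JSON report whose vulnerability details were not found.

Added example, not Trivy's code. Assumes Trivy's JSON report layout
(Results[].Vulnerabilities[] with VulnerabilityID, VendorIDs, PkgName and, when
the DB lookup succeeded, Title/Description/PrimaryURL). The "related" heuristic
is an assumption: a detailed finding that shares a VendorID (e.g. the same RHSA)
and names the undetailed ID in its Title.
"""
import json
import sys
from collections import defaultdict

# Constructed sample modelled on the snippets in this issue (values abbreviated).
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "image.tar (redhat 8.4)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-20095", "VendorIDs": ["RHSA-2021:4151"],
             "PkgName": "python2", "Severity": "MEDIUM", "SeveritySource": "redhat"},
            {"VulnerabilityID": "CVE-2021-42771", "VendorIDs": ["RHSA-2021:4151"],
             "PkgName": "python2", "Severity": "MEDIUM",
             "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42771",
             "Title": "CVE-2021-20095 CVE-2021-42771 python-babel: Relative path traversal "
                      "allows attacker to load arbitrary locale files and execute arbitrary code",
             "Description": "Babel.Locale in Babel before 2.9.1 allows attackers to load "
                            "arbitrary locale .dat files via directory traversal."},
            {"VulnerabilityID": "CVE-2021-20095", "VendorIDs": ["RHSA-2021:4151"],
             "PkgName": "python2-libs", "Severity": "MEDIUM", "SeveritySource": "redhat"},
        ],
    }, {
        "Target": "postgres:14.5-alpine (alpine 3.16.2)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-3209", "PkgName": "libxml2",
             "InstalledVersion": "2.9.14-r0", "FixedVersion": "2.9.14-r1",
             "Severity": "UNKNOWN"},
        ],
    }],
})

DETAIL_KEYS = ("Title", "Description", "PrimaryURL")


def iter_vulns(report):
    """Yield every vulnerability entry across all Results of a Trivy report."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield vuln


def lacks_details(vuln):
    """True when Trivy emitted the ID without any detail fields (DB lookup failed)."""
    return not any(vuln.get(key) for key in DETAIL_KEYS)


def triage(report_json):
    """Return {undetailed_id: {"packages": [...], "severity": str, "related": [...]}}."""
    vulns = list(iter_vulns(json.loads(report_json)))

    # Index detailed findings by vendor advisory so we can spot a sibling
    # entry (same RHSA) whose Title names the undetailed ID.
    by_vendor = defaultdict(list)
    for vuln in vulns:
        if not lacks_details(vuln):
            for vid in vuln.get("VendorIDs") or []:
                by_vendor[vid].append(vuln)

    out = {}
    for vuln in vulns:
        if not lacks_details(vuln):
            continue
        cve = vuln["VulnerabilityID"]
        entry = out.setdefault(cve, {"packages": set(),
                                     "severity": vuln.get("Severity", "UNKNOWN"),
                                     "related": set()})
        entry["packages"].add(vuln.get("PkgName", "?"))
        for vid in vuln.get("VendorIDs") or []:
            for other in by_vendor.get(vid, []):
                if cve in (other.get("Title") or ""):
                    entry["related"].add(other["VulnerabilityID"])

    # Sorted lists for stable, comparable output.
    return {cve: {"packages": sorted(e["packages"]), "severity": e["severity"],
                  "related": sorted(e["related"])}
            for cve, e in out.items()}


def main(argv):
    """Usage: python triage.py [trivy-report.json]; uses the built-in sample if no file."""
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    for cve, info in triage(report_json).items():
        hint = (f"likely duplicate/rejected; see {', '.join(info['related'])}"
                if info["related"] else "check the ID against NVD (rejected or mistyped?)")
        print(f"{cve}: no details in DB; packages={info['packages']} "
              f"severity={info['severity']}; {hint}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the output of `trivy image -f json ...` to get a short list of IDs worth checking by hand before treating the scan as failed; an ID with a "related" sibling is the rejected-duplicate case from this issue, while one with no sibling and UNKNOWN severity is the case where the ID itself is suspect.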
@DmitriyLewen
Contributor

Hello @hlein
Thanks for your report!

I was able to reproduce your issue and we are working on it.

Regards, Dmitriy

@SushanSuresh

Hi,

I am also facing the same issue with trivy 0.30.4:
Error while getting vulnerability details: failed to get the vulnerability "CVE-2022-3209": no vulnerability details for CVE-2022-3209

@roDew

roDew commented Aug 31, 2022

I have exactly the same problem: "Error while getting vulnerability details: failed to get the vulnerability "CVE-2022-3209": no vulnerability details for CVE-2022-3209". The scan fails as if it had vulnerabilities, but this is not true.

@PenelopeFudd

@roDew, I'm getting what you got:

postgres:14.5-alpine (alpine 3.16.2)
====================================
Total: 1 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬───────────────────┬───────────────┬───────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────┼───────────────┼──────────┼───────────────────┼───────────────┼───────┤
│ libxml2 │ CVE-2022-3209 │ UNKNOWN  │ 2.9.14-r0         │ 2.9.14-r1     │       │
└─────────┴───────────────┴──────────┴───────────────────┴───────────────┴───────┘

However, it's beginning to look like it's a typo: CVE-2022-3209 doesn't exist but CVE-2022-3209 does.

Other databases also have the typo:

Don't know where it came from, but it'd be nice if it were fixed. :-)

@roDew

roDew commented Oct 6, 2022

Any news on this topic? :/

@DmitriyLewen
Contributor

Hello @roDew

We are still working on this issue.
There are some problems with integrating changes into Trivy-db without creating a new schema for it.

Regards, Dmitriy

@PenelopeFudd

One solution I've seen is to cram a json object into a text field, and use that to define new fields.

@github-actions

github-actions bot commented Mar 7, 2023

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Mar 7, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale May 15, 2023
@knqyf263 knqyf263 reopened this May 15, 2023
@knqyf263 knqyf263 added priority/backlog Higher priority than priority/awaiting-more-evidence. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. labels May 15, 2023
@salmankhwaja

Hi,
Any updates on this issue? I am still receiving this error.
