Ubuntu Container Scan with Trivy [2023-04-12]

Started by user letslearntigether.info
Obtained Jenkinsfile.trivy-ubuntu from git https://github.com/ffturan/practice.git/
Resume disabled by user, switching to high-performance, low-durability mode.
[Pipeline] Start of Pipeline
[Pipeline] node
Running on Jenkins in /var/lib/jenkins/workspace/trivy-ubuntu
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Declarative: Checkout SCM)
[Pipeline] checkout
The recommended git tool is: NONE
using credential ed599e1d-a641-4f7d-a333-9308281bd4d8
 > git rev-parse --resolve-git-dir /var/lib/jenkins/workspace/trivy-ubuntu/.git # timeout=10
Fetching changes from the remote Git repository
 > git config remote.origin.url https://github.com/ffturan/practice.git/ # timeout=10
Fetching upstream changes from https://github.com/ffturan/practice.git/
 > git --version # timeout=10
 > git --version # 'git version 2.39.2'
using GIT_ASKPASS to set credentials 
 > git fetch --tags --force --progress -- https://github.com/ffturan/practice.git/ +refs/heads/*:refs/remotes/origin/* # timeout=10
 > git rev-parse refs/remotes/origin/main^{commit} # timeout=10
Checking out Revision b6c50fd64b3e46ab9596ec38d5f95e98f9fb2db4 (refs/remotes/origin/main)
 > git config core.sparsecheckout # timeout=10
 > git checkout -f b6c50fd64b3e46ab9596ec38d5f95e98f9fb2db4 # timeout=10
Commit message: "Update"
 > git rev-list --no-walk a7c2c1337bd53f24f943fa37c2ee1f2188c36915 # timeout=10
[Pipeline] }
[Pipeline] // stage
[Pipeline] withEnv
[Pipeline] {
[Pipeline] withEnv
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Build Container)
[Pipeline] echo
Building container !!
[Pipeline] sh
+ cat Dockerfile.ubuntu
FROM public.ecr.aws/docker/library/ubuntu:latest

RUN apt-get -y update && apt-get -y upgrade
[Pipeline] sh
+ docker build -t ubuntu:scan -f Dockerfile.ubuntu .
#1 [internal] load build definition from Dockerfile.ubuntu
#1 transferring dockerfile: 190B 0.0s done
#1 DONE 0.2s

#2 [internal] load .dockerignore
#2 transferring context: 2B done
#2 DONE 0.3s

#3 [internal] load metadata for public.ecr.aws/docker/library/ubuntu:latest
#3 DONE 0.5s

#4 [1/2] FROM public.ecr.aws/docker/library/ubuntu:latest@sha256:67211c14fa74f070d27cc59d69a7fa9aeff8e28ea118ef3babc295a0428a6d21
#4 DONE 0.0s

#5 [2/2] RUN apt-get -y update && apt-get -y upgrade
#5 CACHED

#6 exporting to image
#6 exporting layers done
#6 writing image sha256:935bfe0854304668b734450b8420c1519232ef7f49912b4252e2166c97f46e69 done
#6 naming to docker.io/library/ubuntu:scan 0.0s done
#6 DONE 0.0s
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Test Container with Trivy)
[Pipeline] sh
+ trivy image ubuntu:scan
2023-04-12T09:17:59.344-0400	INFO	Vulnerability scanning is enabled
2023-04-12T09:17:59.344-0400	INFO	Secret scanning is enabled
2023-04-12T09:17:59.344-0400	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-04-12T09:17:59.344-0400	INFO	Please see also https://aquasecurity.github.io/trivy/v0.34/docs/secret/scanning/#recommendation for faster secret detection
2023-04-12T09:17:59.350-0400	INFO	Detected OS: ubuntu
2023-04-12T09:17:59.350-0400	INFO	Detecting Ubuntu vulnerabilities...
2023-04-12T09:17:59.365-0400	INFO	Number of language-specific files: 0

ubuntu:scan (ubuntu 22.04)
==========================
Total: 15 (UNKNOWN: 0, LOW: 15, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌──────────────┬────────────────┬──────────┬──────────────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │    Installed Version     │ Fixed Version │                            Title                            │
├──────────────┼────────────────┼──────────┼──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ bash         │ CVE-2022-3715  │ LOW      │ 5.1-6ubuntu1             │               │ bash: a heap-buffer-overflow in valid_parameter_transform   │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2022-3715                   │
├──────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ coreutils    │ CVE-2016-2781  │          │ 8.32-4.1ubuntu1          │               │ coreutils: Non-privileged session can escape to the parent  │
│              │                │          │                          │               │ session in chroot                                           │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2016-2781                   │
├──────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ gpgv         │ CVE-2022-3219  │          │ 2.2.27-3ubuntu2.1        │               │ gnupg: denial of service issue (resource consumption) using │
│              │                │          │                          │               │ compressed packets                                          │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2022-3219                   │
├──────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libc-bin     │ CVE-2016-20013 │          │ 2.35-0ubuntu3.1          │               │ sha256crypt and sha512crypt through 0.6 allow attackers to  │
│              │                │          │                          │               │ cause a denial of...                                        │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2016-20013                  │
├──────────────┤                │          │                          ├───────────────┤                                                             │
│ libc6        │                │          │                          │               │                                                             │
│              │                │          │                          │               │                                                             │
│              │                │          │                          │               │                                                             │
├──────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libncurses6  │ CVE-2022-29458 │          │ 6.3-2                    │               │ ncurses: segfaulting OOB read                               │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2022-29458                  │
├──────────────┤                │          │                          ├───────────────┤                                                             │
│ libncursesw6 │                │          │                          │               │                                                             │
│              │                │          │                          │               │                                                             │
├──────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libpcre3     │ CVE-2017-11164 │          │ 2:8.39-13ubuntu0.22.04.1 │               │ pcre: OP_KETRMAX feature in the match function in           │
│              │                │          │                          │               │ pcre_exec.c                                                 │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2017-11164                  │
├──────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl3      │ CVE-2022-3996  │          │ 3.0.2-0ubuntu1.8         │               │ openssl: double locking leads to denial of service          │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2022-3996                   │
│              ├────────────────┤          │                          ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0464  │          │                          │               │ openssl: Denial of service by excessive resource usage in   │
│              │                │          │                          │               │ verifying X509 policy...                                    │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2023-0464                   │
│              ├────────────────┤          │                          ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0465  │          │                          │               │ openssl: Invalid certificate policies in leaf certificates  │
│              │                │          │                          │               │ are silently ignored                                        │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2023-0465                   │
│              ├────────────────┤          │                          ├───────────────┼─────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0466  │          │                          │               │ openssl: Certificate policy check not enabled               │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2023-0466                   │
├──────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libtinfo6    │ CVE-2022-29458 │          │ 6.3-2                    │               │ ncurses: segfaulting OOB read                               │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2022-29458                  │
├──────────────┤                │          │                          ├───────────────┤                                                             │
│ ncurses-base │                │          │                          │               │                                                             │
│              │                │          │                          │               │                                                             │
├──────────────┤                │          │                          ├───────────────┤                                                             │
│ ncurses-bin  │                │          │                          │               │                                                             │
│              │                │          │                          │               │                                                             │
└──────────────┴────────────────┴──────────┴──────────────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (CleanUp)
[Pipeline] sh
++ docker ps --all
++ grep -v CONTAINER
++ gawk '{print $1}'
++ gawk '{print $3}'
++ docker images --all
++ grep -v IMAGE
+ for C in $(docker images --all | gawk {'print $3'} | grep -v IMAGE)
+ docker rmi -f 935bfe085430
Untagged: ubuntu:scan
Deleted: sha256:935bfe0854304668b734450b8420c1519232ef7f49912b4252e2166c97f46e69
+ docker ps --all
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
+ docker images --all
REPOSITORY   TAG       IMAGE ID   CREATED   SIZE
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // withEnv
[Pipeline] }
[Pipeline] // withEnv
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS
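Two things in the log above deserve attention. The scan stage runs `trivy image ubuntu:scan` with no `--exit-code` or `--severity`, so Trivy returns 0 whatever it finds and the build is marked SUCCESS with 15 findings; the gate is only informational. The CleanUp stage then loops over `docker images --all` and `docker rmi -f` every image on the agent, not only the one this job built, which is destructive on a shared Jenkins host. The script below is an added example, not the Jenkinsfile.trivy-ubuntu from the repository above. It assumes `docker` and `trivy` on PATH, and the image tag, Dockerfile name and severity threshold are hypothetical defaults. The helper functions parse Trivy's "Total: N (UNKNOWN: a, LOW: b, ...)" summary line(s) so the same gate can be applied to a saved report; the summary text in `sample_report_clean` is taken from the scan above, and `sample_report_dirty` is constructed.

```shell
#!/bin/sh
# Added example: severity-gated Trivy scan with scoped cleanup (not the page's Jenkinsfile).
set -eu

# Map a threshold to every severity at or above it (Trivy's own severity names).
severities_at_or_above() {
  case "$1" in
    CRITICAL) echo "CRITICAL" ;;
    HIGH)     echo "HIGH CRITICAL" ;;
    MEDIUM)   echo "MEDIUM HIGH CRITICAL" ;;
    LOW)      echo "LOW MEDIUM HIGH CRITICAL" ;;
    *)        echo "unknown severity: $1" >&2; return 2 ;;
  esac
}

# Count findings at or above a threshold from a Trivy table report read on stdin.
# Only the "Total: ..." summary lines are used; multi-target reports (OS packages plus
# language packages) have one such line per target and are summed.
count_at_or_above() {
  threshold=$1
  sum=0
  totals=$(grep '^Total:' || true)
  for sev in $(severities_at_or_above "$threshold"); do
    for n in $(printf '%s\n' "$totals" | sed -n "s/.*[(, ]$sev: \([0-9][0-9]*\).*/\1/p"); do
      sum=$((sum + n))
    done
  done
  echo "$sum"
}

# Gate on a saved report file: exit 0 when clean, 1 otherwise (same contract as --exit-code 1).
gate_report() {
  report_file=$1
  threshold=$2
  found=$(count_at_or_above "$threshold" < "$report_file")
  if [ "$found" -gt 0 ]; then
    echo "FAIL: $found finding(s) at severity $threshold or above" >&2
    return 1
  fi
  echo "PASS: no findings at severity $threshold or above" >&2
}

# Summary from the page's scan (15 LOW, nothing else).
sample_report_clean() {
  printf '%s\n' 'ubuntu:scan (ubuntu 22.04)' '==========================' \
    'Total: 15 (UNKNOWN: 0, LOW: 15, MEDIUM: 0, HIGH: 0, CRITICAL: 0)'
}

# Constructed two-target report used to show the gate tripping.
sample_report_dirty() {
  printf '%s\n' 'app:scan (ubuntu 22.04)' '=======================' \
    'Total: 7 (UNKNOWN: 0, LOW: 3, MEDIUM: 2, HIGH: 1, CRITICAL: 1)' '' \
    'Node.js (node-pkg)' '==================' \
    'Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)'
}

# Build, scan with a real gate, then remove only what this run created.
# Arguments (all hypothetical defaults): image tag, Dockerfile, fail threshold.
build_and_scan() {
  image=${1:-ubuntu:scan}
  dockerfile=${2:-Dockerfile.ubuntu}
  threshold=${3:-HIGH}
  docker build -t "$image" -f "$dockerfile" .
  # --exit-code 1 makes Trivy fail the stage on any finding in the listed severities;
  # --ignore-unfixed keeps the gate actionable by skipping findings with no fixed version yet.
  status=0
  trivy image --exit-code 1 --ignore-unfixed \
    --severity "$(severities_at_or_above "$threshold" | tr ' ' ',')" "$image" || status=$?
  # Remove only the image built here, not every image on the agent.
  docker rmi -f "$image" >/dev/null 2>&1 || true
  return "$status"
}

# Invoked as "sh scan.sh run [image] [dockerfile] [threshold]"; otherwise only defines functions.
case "${1:-}" in
  run) shift; build_and_scan "$@" ;;
  *) : ;;
esac
```

For the Dockerfile itself, the build log shows `ubuntu:latest` resolving to a digest at build time; pinning `FROM ...ubuntu@sha256:<digest>` in the Dockerfile makes the scanned image and the deployed image the same artifact rather than whatever `latest` points at on the next run.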