
Trivy incorrectly reports vulnerability for non-affected version of log4j-core CVE-2020-9488 #6062

levinebw opened this issue Feb 3, 2024 Discussed in #6061 · 1 comment

levinebw commented Feb 3, 2024

Discussed in #6061

Originally posted by levinebw February 2, 2024

### Description

log4j-core@2.12.4 is not affected by CVE-2020-9488; however, Trivy incorrectly reports a vulnerability finding.
The NVD states "Fixed in Apache Log4j 2.12.3"; however, Trivy and Aquasec are reporting a vulnerability for Log4j 2.12.4.

This was reported as fixed in #3884; however, it is not fixed. The evidence included shows there is still a bug.

### Desired Behavior

There should be no finding reported for CVE-2020-9488 for log4j-core@2.12.4.

### Actual Behavior

Reproduction example

```bash
sh-3.2$ cat test2.cdx.json 
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:35f74310-e003-4841-93d8-6279d4425e49",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "vendor": "aquasecurity",
        "name": "trivy",
        "version": "0.38.3"
      }
    ]
  },
  "components": [
    {
      "type": "library",
      "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.4?file_path=workspace%2FBOOT-INF%2Flib%2Ftest.jar",
      "name": "org.apache.logging.log4j:log4j-core",
      "version": "2.12.4",
      "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.4"
    }
  ]
}
sh-3.2$ trivy sbom ./test2.cdx.json 
2024-02-02T17:35:43.326-0700	INFO	Vulnerability scanning is enabled
2024-02-02T17:35:43.326-0700	INFO	Detected SBOM format: cyclonedx-json
2024-02-02T17:35:43.327-0700	WARN	Ignore the OS package as no OS information is found.
2024-02-02T17:35:43.336-0700	INFO	Number of language-specific files: 1
2024-02-02T17:35:43.336-0700	INFO	Detecting jar vulnerabilities...

Java (jar)

Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├─────────────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ org.apache.logging.log4j:log4j-core │ CVE-2020-9488 │ LOW      │ fixed  │ 2.12.4            │ 2.13.2        │ log4j: improper validation of certificate with host mismatch │
│                                     │               │          │        │                   │               │ in SMTP appender                                             │
│                                     │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2020-9488                    │
└─────────────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
sh-3.2$ trivy --version
Version: 0.49.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-03 00:16:51.194236762 +0000 UTC
  NextUpdate: 2024-02-03 06:16:51.194236371 +0000 UTC
  DownloadedAt: 2024-02-03 00:23:44.579622 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-01-09 00:47:12.747790854 +0000 UTC
  NextUpdate: 2024-01-12 00:47:12.747790693 +0000 UTC
  DownloadedAt: 2024-01-09 03:36:21.607911 +0000 UTC
sh-3.2$ 
```

### Reproduction Steps

see above

### Target

SBOM

### Scanner

Vulnerability

### Output Format

Table

### Mode

Standalone

### Debug Output

```bash
sh-3.2$ trivy sbom ./test2.cdx.json --debug
2024-02-02T17:38:16.841-0700	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-02-02T17:38:16.841-0700	DEBUG	Ignore statuses	{"statuses": null}
2024-02-02T17:38:16.853-0700	DEBUG	cache dir:  /Users/brianlevine/Library/Caches/trivy
2024-02-02T17:38:16.853-0700	DEBUG	DB update was skipped because the local DB is the latest
2024-02-02T17:38:16.853-0700	DEBUG	DB Schema: 2, UpdatedAt: 2024-02-03 00:16:51.194236762 +0000 UTC, NextUpdate: 2024-02-03 06:16:51.194236371 +0000 UTC, DownloadedAt: 2024-02-03 00:23:44.579622 +0000 UTC
2024-02-02T17:38:16.853-0700	INFO	Vulnerability scanning is enabled
2024-02-02T17:38:16.853-0700	DEBUG	Vulnerability type:  [os library]
2024-02-02T17:38:16.853-0700	DEBUG	Enabling misconfiguration scanners: []
2024-02-02T17:38:16.853-0700	INFO	Detected SBOM format: cyclonedx-json
2024-02-02T17:38:16.853-0700	DEBUG	Unmarshaling CycloneDX JSON...
2024-02-02T17:38:16.854-0700	WARN	Ignore the OS package as no OS information is found.
2024-02-02T17:38:16.864-0700	DEBUG	OS is not detected.
2024-02-02T17:38:16.864-0700	DEBUG	Detected OS: unknown
2024-02-02T17:38:16.864-0700	INFO	Number of language-specific files: 1
2024-02-02T17:38:16.864-0700	INFO	Detecting jar vulnerabilities...
2024-02-02T17:38:16.864-0700	DEBUG	Detecting library vulnerabilities, type: jar, path: 

Java (jar)

Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├─────────────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ org.apache.logging.log4j:log4j-core │ CVE-2020-9488 │ LOW      │ fixed  │ 2.12.4            │ 2.13.2        │ log4j: improper validation of certificate with host mismatch │
│                                     │               │          │        │                   │               │ in SMTP appender                                             │
│                                     │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2020-9488                    │
└─────────────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
sh-3.2$ 
```


### Operating System

MacOS

### Version

```bash
sh-3.2$ trivy --version
Version: 0.49.0
```

Checklist

github-actions bot commented Feb 3, 2024

github-actions bot closed this as not planned (Won't fix, can't repro, duplicate, stale) Feb 3, 2024