trivy: InstalledVersion comparison doesn't process "epoch" value in debian package version numbers
Description
Running `trivy rootfs -s HIGH -f json /` shows that several packages are vulnerable due to incorrect version comparison.
For example, the Debian package named `zabbix-get` with version `1:5.0.20-1+bionic` is flagged as a “HIGH” severity vulnerability, but the details indicate that only versions before 2.2.x, 3.0.31 and 3.2 are vulnerable.
What did you expect to happen?
I expected that the epoch `1:` value would be handled correctly (see http://manpages.ubuntu.com/manpages/trusty/man5/deb-version.5.html ), and Trivy would see that version 5.0.20 is more recent than the vulnerable versions.
What happened instead?
It incorrectly declares multiple packages to be vulnerable:
```json
{
  "VulnerabilityID": "CVE-2020-11800",
  "PkgName": "zabbix-get",
  "InstalledVersion": "1:5.0.20-1+bionic",
  "Layer": {},
  "SeveritySource": "ubuntu",
  "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-11800",
  "DataSource": {
    "ID": "ubuntu",
    "Name": "Ubuntu CVE Tracker",
    "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
  },
  "Title": "Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote att ...",
  "Description": "Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote attackers to execute arbitrary code.",
  "Severity": "HIGH",
  "CVSS": {
    "nvd": {
      "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
      "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "V2Score": 7.5,
      "V3Score": 9.8
    }
  },
  "References": [
    "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00007.html",
    "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11800",
    "https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/85453e04656fc7bd8a6790f5295d79410101745c",
    "https://lists.debian.org/debian-lts-announce/2020/11/msg00039.html",
    "https://support.zabbix.com/browse/DEV-1538",
    "https://support.zabbix.com/browse/ZBX-17600",
    "https://support.zabbix.com/browse/ZBXSEC-30",
    "https://support.zabbix.com/browse/ZBXSEC-30 (not public)"
  ],
  "PublishedDate": "2020-10-07T16:15:00Z",
  "LastModifiedDate": "2022-01-01T18:16:00Z"
}
```
Output of run with `-debug`:
(2237 lines of files scanned, not very useful for this report.)
Output of `trivy -v`:
```text
Version: 0.24.4
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-03-29 06:06:20.605614808 +0000 UTC
  NextUpdate: 2022-03-29 12:06:20.605614408 +0000 UTC
  DownloadedAt: 2022-03-29 06:17:15.692256189 +0000 UTC
```
Additional details (base image name, container registry info…):
OS: Ubuntu 18.04
We’re evaluating Trivy for use in our organization.
About this issue
- State: closed
- Created 2 years ago
- Comments: 30
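For reference, the ordering that deb-version(5) prescribes, as an added Python example written for this report: it is a port of dpkg's comparison rules, not Trivy's own code, and all function names are mine. The epoch is compared as an integer before the upstream version and Debian revision are looked at, so `1:5.0.20-1+bionic` sorts after `3.0.31`; the `~`, letter-before-punctuation and leading-zero rules are reproduced as well.

```python
import re


def split_deb(v: str):
    """Split [epoch:]upstream[-revision]: the epoch defaults to 0 and the
    revision is everything after the LAST '-' (upstream may contain '-')."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = revision, ""
    return int(epoch), upstream, revision


def _order(c: str) -> int:
    """dpkg char weight: '' and digits 0; '~' -1 (sorts first); letters ord(c); others ord(c)+256."""
    if c == "~":
        return -1
    if not c or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_part(a: str, b: str) -> int:
    """dpkg's verrevcmp: alternate non-digit runs (compared char by char via
    _order) with digit runs (compared as integers, so leading zeros are moot)."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            d = _order(a[:1]) - _order(b[:1])
            if d:
                return d
            a, b = a[1:], b[1:]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return 1 if int(da or 0) > int(db or 0) else -1
        a, b = a[len(da):], b[len(db):]
    return 0


def compare_deb(a: str, b: str) -> int:
    """<0, 0, >0 as a sorts before/equal/after b: epoch, then upstream, then revision."""
    ea, ua, ra = split_deb(a)
    eb, ub, rb = split_deb(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)


def affected(installed: str, fixed_in: str) -> bool:
    """True only when the installed version sorts before the fixed one."""
    return compare_deb(installed, fixed_in) < 0
```

A scanner that drops the `1:` prefix and compares the remainder lexically would rank the installed string below `3.0.31`; `affected("1:5.0.20-1+bionic", "3.0.31")` returns False here.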
Hello @PenelopeFudd Thanks for your report!
I will try to reproduce your problem and write to you later.
Regards. Dmitriy
@DmitriyLewen Could you take a look? We are supposed to handle epoch properly.