trivy: NET6 CVE-2019-0980 CVE-2019-0981 - possible bug in .deps.json trans deps resolution
Hi,
we are running NET6 images , but we get this 2019 vulnerability reported when running our trivy scans.
is this actually expected or could it be a false positive?
atm we added
CVE-2019-0980 CVE-2019-0981
but we cannot detect the source of the vulnerability after we updated all our packages
System.Private.Uri │ CVE-2019-0980 │ HIGH │ 4.3.0 │ 4.3.2
i am not sure we actually use this package, i see it not appearing at all after running
dotnet build
and then
dotnet publish
and checking the .deps.json file
i think the recently introduced support for .deps.json might be buggy?
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Reactions: 10
- Comments: 44
@DmitriyLewen My example clearly shows that the container is using version
6.0.922.41905
ofSystem.Private.Uri
not4.3.0
. Just because a version is in the .deps.json does not mean it the version actually in use. The *.deps.json method used by trivy may work for directly referenced packages but can’t be used universally for everything in the *.deps.json. I am not familiar enough to suggest how this should work but the existing approach is definitely incorrect.@DmitriyLewen I don’t know enough about the
deps.json
to suggest the best way to do this. You would need to get feedback from someone on the dotnet team.A potential improvement to the current would be to check the if the file exists in the same folder as the
deps.json
file. That would let you know the file is being provided by the app instead of the runtime (although not foolproof as the loading behavior can be customized). I did experiment and published the same app using a self-contained deployment the assembly version ofSystem.Private.Uri
in thedeps.json
file was set to6.0.0.0
and file version to6.0.422.16404
so it appears that it will show the correct version if it is including it in the deployment. For assemblies the runtime is supposed to provide (non self-contained) it must put the lowest compatible version or something similar into thedeps.json
which is what is triggering the false positive from aqua.I also noticed it tags a
fileVersion
to anything it includes under thetargets
section of thedeps.json
so that may be able to be used to filter out assemblies provided by the runtime (if no fileVersion given) and shouldn’t be included in scans (assuming aqua validates the runtime version has no vulns).I agree, the method of scanning deps.json for vulnerabilities is not valid, or at least needs some tweaking. We’re using the latest versions of
System.Private.Uri
included with .net 6 but aqua is flagging these containers as vulnerable:~The lock file is for direct / transitive package dependencies.
System.Private.Uri
is part of the runtime not a direct / transitive dependency~. It does not have to be referenced in a project to be used. edit: it appears that this is incorrect and the lock file does include the runtime packages under some circumstances, see @DmitriyLewen comments belowYou shouldn’t add those packages (including
System.Private.Uri
) to a project. Going to nuget we see the description of the package isInternal implementation package not meant for direct consumption. Please do not reference directly. Provides implementation of System.Uri.
The core of the issue is the
.deps.json
does not universally tell you what version is in the container or what version will be used when the app is executed but trivy is treating it that way. dotnet uses a combination of the.deps.json
and what assemblies are available to determine what is actually used. You can validate this by modifying values in the.deps.json
to non-existent versions (or even deleting the file) and the app will usually run fine. The current behavior is to add in version4.3.0
to thedeps.json
for the dependencies included by the dotnet runtime for--self-contained false
published apps but I don’t see that documented anywhere and may change. As I mentioned before an improvement would be to only look at data in thedeps.json
that has afileVersion
but I wasn’t able to find documentation on when / why that is provided so may change as well.As @plaisted mentioned: Maybe the solution to this is to indeed scan versions based on files included. This would work for both self-contained builds and the packages-only for regular builds:
For regular builds, we would need to check the files without a fileversion in order to include the vulnerabilities present in the runtime
Bump. Until Trivy understands how .NET resolves transitive dependencies, Trivy is unusable for .NET projects.
@JoostvdB94 Perhaps i confused you. I meant that there is no information in the GitHub database that the framework has vulnerabilities (only in the description, but there are no rules for the description and we cannot parse it). Therefore, we cannot obtain information about vulnerabilities for frameworks.
The package that causes it in my case targets netcore1.1: https://www.nuget.org/packages/JsonDiffPatch
I think the lock file only specifies which
packages
it uses. Technically, theSystem.Private.Uri
is not a package, as it is part of the dotnet runtime. That is why the .dll is present in self-contained builds, where the runtime does not need to be installed on the system that the app is running on, but the dll is missing in regular builds where the runtime needs to be installed on the system running the app.In my opinion, we should treat both separately:
The question then is: How would we separate those 2 checks?