Containers-roadmap: [ECR] [request]: Improve scanning

Created on 16 Mar 2020 · 1 Comment · Source: aws/containers-roadmap

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
Please improve the scanning quality and reduce the amount of false positives.

Which service(s) is this request for?
ECR

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
The current ECR image scanning feature produces a lot of false positives in a typical Ubuntu LAMP container. These are some examples:

CVE-2017-9118   php7.2:7.2.24-0ubuntu0.18.04.1  MEDIUM  PHP 7.1.5 has an Out of bounds access in php_pcre_replace_impl via a crafted preg_replace call.
CVE-2019-13752  sqlite3:3.22.0-1ubuntu0.2   MEDIUM  Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
CVE-2019-13751  sqlite3:3.22.0-1ubuntu0.2   MEDIUM  Uninitialized data in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
CVE-2019-13734  sqlite3:3.22.0-1ubuntu0.2   MEDIUM  Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2019-13753  sqlite3:3.22.0-1ubuntu0.2   MEDIUM  Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
CVE-2019-13750  sqlite3:3.22.0-1ubuntu0.2   MEDIUM  Insufficient data validation in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass defense-in-depth measures via a crafted HTML page.

Containers based on Alpine do not produce any findings, which looks strange too...

Are you currently working around this issue?
We cannot rely on this feature and ignore all medium errors because of the high amount of false positives.

Additional context
It looks like the ECR scanning is based on the Clair scanner. Please solve these problems upstream!

ECR Proposed

Most helpful comment

Something else I've noticed is noise about vulnerabilities that aren't relevant because they're in the kernel (the kernel being part of the host, not the image).
Here's an example from scanning the node:10.20.1 public image:

{'attributes': [{'key': 'package_version',
                   'value': '4.9.210-1'},
                {'key': 'package_name',
                    'value': 'linux'},
                {'key': 'CVSS2_VECTOR',
                    'value': 'AV:N/AC:M/Au:N/C:C/I:C/A:C'},
                {'key': 'CVSS2_SCORE',
                    'value': '9.3'}],
    'description': 'In the Linux kernel '
                '5.0.21, mounting a '
                'crafted f2fs filesystem '
                'image can cause '
                '__remove_dirty_segment '
                'slab-out-of-bounds write '
                'access because an array '
                'is bounded by the number '
                'of dirty types (8) but '
                'the array index can '
                'exceed this.',
    'name': 'CVE-2019-19814',
    'severity': 'CRITICAL',
    'uri': 'https://security-tracker.debian.org/tracker/CVE-2019-19814'}
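The workaround in the issue body (ignore every MEDIUM finding) and the kernel noise in the comment above both call for a targeted triage step instead. The following is an added example, not code from the issue or from AWS: it takes findings in the shape ECR returns (a list of `attributes` key/value pairs plus `name` and `severity`, as printed above), suppresses findings against host-only kernel packages, and applies per-CVE risk acceptances with a recorded reason. The package set `HOST_ONLY_PACKAGES`, the sample findings and the acceptance text are constructed for the example.

```python
"""Triage ECR image-scan findings instead of blanket-ignoring MEDIUM ones."""
from collections import Counter

# Packages that appear in the base image's package database but run on the
# host, so a finding against them does not apply to the container.
# Assumption: the image neither ships nor boots its own kernel.
HOST_ONLY_PACKAGES = {"linux", "linux-libc-dev", "kernel"}


def attrs(finding):
    """Flatten ECR's [{'key': ..., 'value': ...}] attribute list into a dict."""
    return {a["key"]: a["value"] for a in finding.get("attributes", [])}


def triage(findings, accepted):
    """Split findings into (actionable, suppressed).

    accepted maps a CVE id to a written justification, so each suppression is
    reviewed individually rather than dropping a whole severity level.
    Each suppressed entry is (cve_id, package_name, reason).
    """
    actionable, suppressed = [], []
    for f in findings:
        pkg = attrs(f).get("package_name", "")
        if pkg in HOST_ONLY_PACKAGES:
            suppressed.append((f["name"], pkg, "host kernel package, not run inside the container"))
        elif f["name"] in accepted:
            suppressed.append((f["name"], pkg, accepted[f["name"]]))
        else:
            actionable.append(f)
    return actionable, suppressed


def severity_counts(findings):
    """Count findings per severity, e.g. for a per-image gate or dashboard."""
    return Counter(f["severity"] for f in findings)


# Constructed sample in ECR's shape; CVE ids and packages are taken from the issue above.
SAMPLE = [
    {"name": "CVE-2019-19814", "severity": "CRITICAL",
     "attributes": [{"key": "package_name", "value": "linux"},
                    {"key": "package_version", "value": "4.9.210-1"}]},
    {"name": "CVE-2019-13734", "severity": "MEDIUM",
     "attributes": [{"key": "package_name", "value": "sqlite3"},
                    {"key": "package_version", "value": "3.22.0-1ubuntu0.2"}]},
    {"name": "CVE-2017-9118", "severity": "MEDIUM",
     "attributes": [{"key": "package_name", "value": "php7.2"},
                    {"key": "package_version", "value": "7.2.24-0ubuntu0.18.04.1"}]},
]
# Constructed justification: the advisory text names PHP 7.1.5, the image ships 7.2.24.
ACCEPTED = {"CVE-2017-9118": "advisory describes PHP 7.1.5; image package is 7.2.24"}
```

Running `triage(SAMPLE, ACCEPTED)` leaves only the sqlite3 finding actionable, with the kernel CVE and the accepted PHP CVE recorded in the suppressed list together with their reasons.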
