Is Copa only fixing OS type vulnerabilities?
ajmal-yazdani opened this issue · comments
What is your question?
Hi Team/ @sozercan,
I have done patching for the bitnami redis image using Copa, and while generating the vulnerabilities JSON file I am using the command below:

```
sudo trivy image -f json -o redis.11.15.1.json bitnami/redis:7.0.5-debian-11-r15
```

Please note I am not using `--vuln-type os --ignore-unfixed`.
Now I patched this with Copa using the command below:

```
sudo copa patch -i bitnami/redis:7.0.5-debian-11-r15 -r redis.11.15.1.json -t 11.15.1-patched --addr docker-container://buildkitd
```
After patching, when I do a Trivy scan with the flags `--vuln-type os --ignore-unfixed`, I get zero vulnerabilities. Awesome! :)

```
$ sudo trivy image --vuln-type os --ignore-unfixed bitnami/redis:11.15.1-patched | grep Total
2024-01-10T09:04:07.339Z INFO Vulnerability scanning is enabled
2024-01-10T09:04:07.339Z INFO Secret scanning is enabled
2024-01-10T09:04:07.339Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-10T09:04:07.339Z INFO Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-01-10T09:04:12.470Z INFO Detected OS: debian
2024-01-10T09:04:12.470Z INFO Detecting Debian vulnerabilities...
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```
But when I do a Trivy scan without the flags `--vuln-type os --ignore-unfixed`, lots of vulnerabilities are still detected.

```
$ sudo trivy image bitnami/redis:11.15.1-patched | grep Total
2024-01-10T09:04:24.187Z INFO Vulnerability scanning is enabled
2024-01-10T09:04:24.187Z INFO Secret scanning is enabled
2024-01-10T09:04:24.187Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-10T09:04:24.187Z INFO Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-01-10T09:04:28.434Z INFO Detected OS: debian
2024-01-10T09:04:28.434Z INFO Detecting Debian vulnerabilities...
2024-01-10T09:04:28.449Z INFO Number of language-specific files: 2
2024-01-10T09:04:28.449Z INFO Detecting gobinary vulnerabilities...
Total: 104 (UNKNOWN: 0, LOW: 77, MEDIUM: 18, HIGH: 7, CRITICAL: 2)
Total: 6 (UNKNOWN: 0, LOW: 1, MEDIUM: 4, HIGH: 1, CRITICAL: 0)
```
What I am mainly seeing is gobinary vulnerabilities. Is there a way to fix all of these using Copa?
One more point: we're using Twistlock (Prisma Cloud) for image scanning, and its vulnerability reports are also generated in JSON format.
Attached one sample:
redis1.json
If I try to give this JSON file to Copa patch, it says the format is not supported.

```
$ sudo copa patch -i bitnami/redis:7.0.5-debian-11-r15 -r redis1.json -t 7.0.5-patched --addr docker-container://buildkitd
Error: redis1.json is not a supported scan report format
```
Can we do something here to solve these vulnerabilities with Copa?
@ajmal-yazdani copa supports patching OS-level vulnerabilities at this time (components managed by a package manager, like apt, apk, etc.). #147 tracks potentially supporting app-level vulns.
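To see in advance how much of a Trivy report falls inside the scope described in the reply above, the script below splits a Trivy JSON report into OS-package findings (`Class: os-pkgs`, the apt/apk-managed components a patcher can upgrade) and language-specific findings (`Class: lang-pkgs`, such as the `gobinary` results in the question), and within each class counts findings that carry a `FixedVersion` versus those that do not (the ones `--ignore-unfixed` hides). This is an added example, not code from the Copa or Trivy projects; the embedded report is a constructed sample in the shape of Trivy's schema-v2 JSON with placeholder `EXAMPLE-*` vulnerability IDs, and the assumption that "patchable by Copa" means "os-pkgs with a non-empty FixedVersion" is taken from the maintainer's reply, not from Copa's own source.

```python
"""Triage a Trivy JSON report into OS-package vs language-package findings.

Added example (not Copa's or Trivy's code). Field names follow Trivy's
schema-v2 JSON output: Results[].Class, Results[].Type, and
Results[].Vulnerabilities[].{VulnerabilityID,PkgName,InstalledVersion,
FixedVersion,Severity}. Trivy omits "Vulnerabilities" for a clean result.
"""
import json
import sys
from collections import defaultdict

# Constructed sample report with placeholder IDs (not real CVEs).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "bitnami/redis:7.0.5-debian-11-r15",
    "Results": [
        {
            "Target": "bitnami/redis:7.0.5-debian-11-r15 (debian 11.5)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
                {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libother",
                 "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "LOW"},
            ],
        },
        {
            "Target": "opt/bitnami/common/bin/example-go-binary",
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "golang.org/x/example",
                 "InstalledVersion": "v0.1.0", "FixedVersion": "v0.2.0", "Severity": "CRITICAL"},
            ],
        },
        # A clean result, as Trivy emits it: no "Vulnerabilities" key at all.
        {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg"},
    ],
})


def summarize(report_json: str) -> dict:
    """Return {class: {"total": n, "fixable": m, "unfixed": k}} per result class."""
    report = json.loads(report_json)
    summary = defaultdict(lambda: {"total": 0, "fixable": 0, "unfixed": 0})
    for result in report.get("Results", []):
        cls = result.get("Class", "unknown")
        for vuln in result.get("Vulnerabilities") or []:
            bucket = summary[cls]
            bucket["total"] += 1
            # An empty/missing FixedVersion is what --ignore-unfixed filters out.
            if vuln.get("FixedVersion"):
                bucket["fixable"] += 1
            else:
                bucket["unfixed"] += 1
    return dict(summary)


def copa_candidates(report_json: str) -> list:
    """OS-package findings with a fixed version: the set a package-manager
    based patcher (per the reply above, Copa's current scope) can act on.
    lang-pkgs findings (gobinary, python-pkg, ...) are excluded on purpose."""
    report = json.loads(report_json)
    candidates = []
    for result in report.get("Results", []):
        if result.get("Class") != "os-pkgs":
            continue
        for vuln in result.get("Vulnerabilities") or []:
            if not vuln.get("FixedVersion"):
                continue
            candidates.append({
                "target": result.get("Target"),
                "id": vuln.get("VulnerabilityID"),
                "pkg": vuln.get("PkgName"),
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion"),
                "severity": vuln.get("Severity"),
            })
    return candidates


if __name__ == "__main__":
    # Usage: python triage.py [trivy-report.json]; falls back to the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for cls, counts in summarize(data).items():
        print(f"{cls:10s} total={counts['total']:4d} "
              f"fixable={counts['fixable']:4d} unfixed={counts['unfixed']:4d}")
    print("os-pkgs findings with a fix available (package-manager patch scope):")
    for c in copa_candidates(data):
        print(f"  {c['id']} {c['pkg']} {c['installed']} -> {c['fixed']} [{c['severity']}]")
```

Run against the `redis.11.15.1.json` report from the question, the `lang-pkgs` line accounts for the gobinary findings that remain after patching, while the `os-pkgs` fixable count is the population that the `--vuln-type os --ignore-unfixed` rescan reports as zero.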