quay / clair

Vulnerability Static Analysis for Containers

Home Page:https://quay.github.io/clair/

Alpine binary packages are not matched to source vulnerabilities

Kieran-Muller opened this issue · comments

Description of Problem / Feature Request

I'm using a vulnerable version of Alpine (3.10.2), which uses a vulnerable version of libcrypto1.1 as a subpackage of the openssl package.

Expected Outcome

I would expect the package libcrypto1.1 to be listed in the vulnerabilities and openssl to be listed in the packages.

Actual Outcome

The libcrypto1.1 package appears as follows in the report:

"1974606": {
  "id": "1974606",
  "name": "libcrypto1.1",
  "version": "1.1.1c-r0",
  "kind": "binary",
  "source": {
    "id": "1974605",
    "name": "openssl",
    "version": "1.1.1c-r0",
    "kind": "source"
  },
  "arch": "x86_64"
},

However, there is no entry for openssl in the report.

Taking a look at the database, it would seem that there is only vulnerability data on binary packages for Alpine.

SELECT * FROM public.vuln WHERE dist_id='alpine' AND package_kind='source'

This query returned 0 results.

When looking for the CVE `` for Alpine, there are results in the database, but the package_kind is `binary`.

SELECT * FROM public.vuln WHERE dist_id='alpine' AND name='CVE-2019-1549'

This did return results for openssl and openssl3; however, the package_kind is binary.

It would seem that it is a somewhat similar problem to what was found with Debian in this issue: #1270

Environment

  • Clair version/image: 4.4.0
  • Clair client name/version:
  • Host OS: UBI 8
  • Kernel (e.g. uname -a):
  • Kubernetes version (use kubectl version): 1.20
  • Network/Firewall setup:

  "vulnerabilities": {
    "4300623": {
      "id": "4300623",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2021-30139",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30139",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "apk-tools",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "2.10.6-r0"
    },
    "4300624": {
      "id": "4300624",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2021-36159",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36159",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "apk-tools",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "2.10.7-r0"
    },
    "4300690": {
      "id": "4300690",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2021-28831",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "busybox",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.30.1-r5"
    },
    "4301319": {
      "id": "4301319",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2020-28928",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28928",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "musl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.22-r4"
    },
    "4301417": {
      "id": "4301417",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2019-1547",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1d-r0"
    },
    "4301418": {
      "id": "4301418",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2019-1549",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1d-r0"
    },
    "4301419": {
      "id": "4301419",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2019-1563",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1d-r0"
    },
    "4301420": {
      "id": "4301420",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2019-1551",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1d-r2"
    },
    "4301421": {
      "id": "4301421",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2020-1967",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1967",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1g-r0"
    },
    "4301422": {
      "id": "4301422",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2020-1971",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1i-r0"
    },
    "4301423": {
      "id": "4301423",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2021-23841",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23841",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1j-r0"
    },
    "4301424": {
      "id": "4301424",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2021-23840",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23840",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1j-r0"
    },
    "4301425": {
      "id": "4301425",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2021-23839",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23839",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1j-r0"
    },
    "4301426": {
      "id": "4301426",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2021-3449",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1k-r0"
    },
    "4301427": {
      "id": "4301427",
      "updater": "alpine-main-v3.10-updater",
      "name": "CVE-2021-3450",
      "description": "",
      "issued": "0001-01-01T00:00:00Z",
      "links": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3450",
      "severity": "",
      "normalized_severity": "Unknown",
      "package": {
        "id": "",
        "name": "openssl",
        "version": "",
        "kind": "source",
        "normalized_version": "",
        "cpe": ""
      },
      "distribution": {
        "id": "",
        "did": "alpine",
        "name": "Alpine Linux",
        "version": "",
        "version_code_name": "",
        "version_id": "3.10",
        "arch": "",
        "cpe": "",
        "pretty_name": "Alpine Linux v3.10"
      },
      "repository": {
        "cpe": ""
      },
      "fixed_in_version": "1.1.1k-r0"
    }
  },

The following are results for the container assuming the vulnerabilities reported in alpine feeds are all source vulnerabilities (and ingesting them accordingly). Still need to do some validation on how alpine is reporting these (@kaniini seems to have some insight into how the alpine feed is generated).

/ # wget https://secdb.alpinelinux.org/v3.10/main.json
/ # for i in $(cat main.json | jq .packages[].pkg.name | xargs echo | sed 's/ /\n/g'); do cat /lib/apk/db/installed | grep o:$i$; done
o:apk-tools
o:busybox
o:busybox #P:ssl_client
o:jq
o:musl
o:musl #P:musl-utils
o:oniguruma
o:openssl #P:libcrypto1.1
o:openssl #P:libssl1.1
/ # for i in $(cat main.json | jq .packages[].pkg.name | xargs echo | sed 's/ /\n/g'); do cat /lib/apk/db/installed | grep P:$i$; done
P:apk-tools
P:busybox
P:jq
P:musl
P:oniguruma

This is how the hit-rate would potentially change with a fresh alpine:3.10.2 (with jq installed); this feels right so far.

@crozzy your assumptions are correct as usual, clair should match against the origin fields!

Nice @crozzy, we were considering this as well - seems like the Alpine updater should store vulnerabilities as source packages, rather than binary as it currently does, and that would resolve this issue

I think this is fixed with the linked PR.
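The matching rule the thread converges on (advisories in the Alpine secdb are keyed by source package, so an installed binary package must be matched through its `o:` origin field, not its `P:` name) can be checked outside Clair with a small script. The following is an added example written for this page, not Clair or claircore code: the apk `installed` records and the secdb fragment are constructed samples in the shape of `/lib/apk/db/installed` and `main.json`, and the version comparison is a deliberately simplified approximation of apk's ordering that is only adequate for the sample versions shown here.

```python
"""Match Alpine secdb advisories against an apk installed DB by origin package.

Added illustration for the quay/clair issue on Alpine binary packages;
not part of Clair or claircore. All input data below is constructed.
"""
import json
import re

# Constructed excerpt of /lib/apk/db/installed, trimmed to the fields used.
# Records are blank-line separated; P: = binary package name, V: = version,
# o: = origin (source) package, which is what the secdb is keyed on.
INSTALLED_DB = """\
P:libcrypto1.1
V:1.1.1c-r0
o:openssl

P:libssl1.1
V:1.1.1c-r0
o:openssl

P:busybox
V:1.30.1-r2
o:busybox

P:ssl_client
V:1.30.1-r2
o:busybox

P:musl
V:1.1.22-r4
o:musl
"""

# Constructed fragment in the shape of https://secdb.alpinelinux.org/v3.10/main.json:
# packages[].pkg.name is the *source* package; secfixes maps fixed version -> CVEs.
SECDB = json.loads("""
{
  "packages": [
    {"pkg": {"name": "openssl",
             "secfixes": {"1.1.1d-r0": ["CVE-2019-1547", "CVE-2019-1549", "CVE-2019-1563"],
                          "1.1.1g-r0": ["CVE-2020-1967"]}}},
    {"pkg": {"name": "busybox",
             "secfixes": {"1.30.1-r5": ["CVE-2021-28831"]}}},
    {"pkg": {"name": "musl",
             "secfixes": {"1.1.22-r4": ["CVE-2020-28928"]}}}
  ]
}
""")

_TOKEN = re.compile(r"\d+|[a-z]+")


def parse_installed(text):
    """Return a list of (name, version, origin) for each record in an apk
    installed DB. A record without an o: line is its own origin."""
    pkgs = []
    for rec in text.strip().split("\n\n"):
        fields = dict(line.split(":", 1) for line in rec.splitlines() if ":" in line)
        pkgs.append((fields["P"], fields["V"], fields.get("o", fields["P"])))
    return pkgs


def version_key(v):
    """Simplified apk version ordering (assumption, not apk's real algorithm):
    dotted numeric components, an optional letter suffix, then the -rN package
    release. Digits sort above letters so 1.1.1 < 1.1.1c < 1.1.1d < 1.1.2.
    Suffixes such as _alpha/_pre/_p are not handled."""
    base, _, rel = v.partition("-r")
    parts = [(1, int(t)) if t.isdigit() else (0, t) for t in _TOKEN.findall(base)]
    return parts, int(rel or 0)


def find_vulnerable(installed, secdb, match_on="origin"):
    """Return {binary_pkg: [(cve, fixed_in), ...]} for installed packages whose
    version is below a secfix. match_on="origin" looks the advisory up by the
    o: field (the correct behaviour); match_on="name" reproduces matching on the
    binary name, which never finds libcrypto1.1 or libssl1.1 in the secdb."""
    fixes = {p["pkg"]["name"]: p["pkg"].get("secfixes", {}) for p in secdb["packages"]}
    findings = {}
    for name, version, origin in installed:
        key = origin if match_on == "origin" else name
        for fixed_in, cves in fixes.get(key, {}).items():
            if version_key(version) < version_key(fixed_in):
                findings.setdefault(name, []).extend((cve, fixed_in) for cve in cves)
    return findings


if __name__ == "__main__":
    pkgs = parse_installed(INSTALLED_DB)
    for mode in ("name", "origin"):
        print(f"matching on {mode}:")
        for pkg, hits in sorted(find_vulnerable(pkgs, SECDB, mode).items()):
            print(f"  {pkg}: " + ", ".join(f"{c} (fixed in {f})" for c, f in hits))
```

Run it with no arguments and compare the two sections: matching on the binary name only reports busybox, while matching on the origin also reports libcrypto1.1, libssl1.1 and ssl_client, which is exactly the gap described in the issue. To run it against a real image, replace the constructed `INSTALLED_DB` with the contents of `/lib/apk/db/installed` and `SECDB` with the downloaded `main.json`; bear in mind that `version_key` is only an approximation of apk's comparison.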