Image Vulnerability Scanning(Trivy)

1. Trivy扫描图像

github：https://github.com/aquasecurity/trivy

root@node1:~/cks/vul-scan# docker run ghcr.io/aquasecurity/trivy:latest image nginx:latest
2021-05-21T07:53:24.540Z	INFO	Need to update DB
2021-05-21T07:53:24.540Z	INFO	Downloading DB...
2021-05-21T07:53:44.550Z	FATAL	DB error: failed to download vulnerability DB: failed to download vulnerability DB: failed to list releases: Get "https://api.github.com/repos/aquasecurity/trivy-db/releases": dial tcp: lookup api.github.com on 8.8.8.8:53: read udp 172.17.0.3:37595->8.8.8.8:53: i/o timeout
root@node1:~/cks/vul-scan# docker run --net=host  ghcr.io/aquasecurity/trivy:latest image nginx:latest
2021-05-21T07:53:57.092Z	INFO	Need to update DB
2021-05-21T07:53:57.092Z	INFO	Downloading DB...
370.09 KiB / 21.40 MiB [->___________________________________________________________] 1.69% ? p/s ?859.52 KiB / 21.40 MiB [-->__________________________________________________________] 3.92% ? p/s ?1.45 MiB / 21.40 MiB [---->__________________________________________________________] 6.77% ? p/s ?2.09 MiB / 21.40 MiB [---->______________________________________________] 9.77% 2.88 MiB p/s ETA 6s2.73 MiB / 21.40 MiB [------>___________________________________________] 12.76% 2.88 MiB p/s ETA 6s3.43 MiB / 21.40 MiB [-------->_________________________________________] 16.05% 2.88 MiB p/s ETA 6s4.28 MiB / 21.40 MiB [--------->________________________________________] 19.99% 2.93 MiB p/s ETA 5s5.22 MiB / 21.40 MiB [------------>_____________________________________] 24.39% 2.93 MiB p/s ETA 5s6.25 MiB / 21.40 MiB [-------------->___________________________________] 29.19% 2.93 MiB p/s ETA 5s6.96 MiB / 21.40 MiB [---------------->_________________________________] 32.53% 3.03 MiB p/s ETA 4s8.52 MiB / 21.40 MiB [------------------->______________________________] 39.80% 3.03 MiB p/s ETA 4s9.65 MiB / 21.40 MiB [---------------------->___________________________] 45.11% 3.03 MiB p/s ETA 3s10.77 MiB / 21.40 MiB [------------------------>________________________] 50.32% 3.24 MiB p/s ETA 3s12.02 MiB / 21.40 MiB [--------------------------->_____________________] 56.18% 3.24 MiB p/s ETA 2s13.30 MiB / 21.40 MiB [------------------------------>__________________] 62.16% 3.24 MiB p/s ETA 2s14.57 MiB / 21.40 MiB [--------------------------------->_______________] 68.12% 3.44 MiB p/s ETA 1s15.92 MiB / 21.40 MiB [------------------------------------>____________] 74.42% 3.44 MiB p/s ETA 1s17.30 MiB / 21.40 MiB [--------------------------------------->_________] 80.84% 3.44 MiB p/s ETA 1s19.13 MiB / 21.40 MiB [------------------------------------------->_____] 89.40% 3.71 MiB p/s ETA 0s21.40 MiB / 21.40 MiB [----------------------------------------------------] 100.00% 5.67 MiB p/s 4s2021-05-21T07:54:20.382Z	INFO	Detected OS: debian
2021-05-21T07:54:20.382Z	INFO	Detecting Debian vulnerabilities...
2021-05-21T07:54:20.437Z	INFO	Number of PL dependency files: 1

nginx:latest (debian 10.9)
==========================
Total: 164 (UNKNOWN: 0, LOW: 110, MEDIUM: 13, HIGH: 29, CRITICAL: 12)

+------------------+---------------------+----------+---------------------------+---------------+--------------------------------------------------------------+
|     LIBRARY      |  VULNERABILITY ID   | SEVERITY |     INSTALLED VERSION     | FIXED VERSION |                            TITLE                             |
+------------------+---------------------+----------+---------------------------+---------------+--------------------------------------------------------------+
| apt              | CVE-2011-3374       | LOW      | 1.8.2.3                   |               | It was found that apt-key in apt,                            |
|                  |                     |          |                           |               | all versions, do not correctly...                            |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2011-3374                         |
+------------------+---------------------+          +---------------------------+---------------+--------------------------------------------------------------+
| bash             | CVE-2019-18276      |          | 5.0-4                     |               | bash: when effective UID is not                              |
|                  |                     |          |                           |               | equal to its real UID the...                                 |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2019-18276                        |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | TEMP-0841856-B18BAF |          |                           |               | -->security-tracker.debian.org/tracker/TEMP-0841856-B18BAF   |
+------------------+---------------------+          +---------------------------+---------------+--------------------------------------------------------------+
| coreutils        | CVE-2016-2781       |          | 8.30-3                    |               | coreutils: Non-privileged                                    |
|                  |                     |          |                           |               | session can escape to the                                    |
|                  |                     |          |                           |               | parent session in chroot                                     |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2016-2781                         |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2017-18018      |          |                           |               | coreutils: race condition                                    |
|                  |                     |          |                           |               | vulnerability in chown and chgrp                             |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2017-18018                        |
+------------------+---------------------+----------+---------------------------+---------------+--------------------------------------------------------------+
| gcc-8-base       | CVE-2018-12886      | HIGH     | 8.3.0-6                   |               | gcc: spilling of stack                                       |
|                  |                     |          |                           |               | protection address in cfgexpand.c                            |
|                  |                     |          |                           |               | and function.c leads to...                                   |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2018-12886                        |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2019-15847      |          |                           |               | gcc: POWER9 "DARN" RNG intrinsic                             |
|                  |                     |          |                           |               | produces repeated output                                     |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2019-15847                        |
+------------------+---------------------+----------+---------------------------+---------------+--------------------------------------------------------------+
| gpgv             | CVE-2019-14855      | LOW      | 2.2.12-1+deb10u1          |               | gnupg2: OpenPGP Key Certification                            |
|                  |                     |          |                           |               | Forgeries with SHA-1                                         |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2019-14855                        |
+------------------+---------------------+          +---------------------------+---------------+--------------------------------------------------------------+
| libapt-pkg5.0    | CVE-2011-3374       |          | 1.8.2.3                   |               | It was found that apt-key in apt,                            |
|                  |                     |          |                           |               | all versions, do not correctly...                            |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2011-3374                         |
+------------------+---------------------+----------+---------------------------+---------------+--------------------------------------------------------------+
| libc-bin         | CVE-2020-1751       | HIGH     | 2.28-10                   |               | glibc: array overflow in                                     |
|                  |                     |          |                           |               | backtrace functions for powerpc                              |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2020-1751                         |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2020-1752       |          |                           |               | glibc: use-after-free in glob()                              |
|                  |                     |          |                           |               | function when expanding ~user                                |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2020-1752                         |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2021-3326       |          |                           |               | glibc: Assertion failure in                                  |
|                  |                     |          |                           |               | ISO-2022-JP-3 gconv module                                   |
|                  |                     |          |                           |               | related to combining characters                              |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2021-3326                         |
+                  +---------------------+----------+                           +---------------+--------------------------------------------------------------+
|                  | CVE-2019-25013      | MEDIUM   |                           |               | glibc: buffer over-read in                                   |
|                  |                     |          |                           |               | iconv when processing invalid                                |
|                  |                     |          |                           |               | multi-byte input sequences in...                             |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2019-25013                        |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2020-10029      |          |                           |               | glibc: stack corruption                                      |
|                  |                     |          |                           |               | from crafted input in cosl,                                  |
|                  |                     |          |                           |               | sinl, sincosl, and tanl...                                   |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2020-10029                        |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2020-27618      |          |                           |               | glibc: iconv when processing                                 |
|                  |                     |          |                           |               | invalid multi-byte input                                     |
|                  |                     |          |                           |               | sequences fails to advance the...                            |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2020-27618                        |
+                  +---------------------+----------+                           +---------------+--------------------------------------------------------------+
|                  | CVE-2010-4051       | LOW      |                           |               | CVE-2010-4052 glibc: De-recursivise                          |
|                  |                     |          |                           |               | regular expression engine                                    |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2010-4051                         |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2010-4052       |          |                           |               | CVE-2010-4051 CVE-2010-4052                                  |
|                  |                     |          |                           |               | glibc: De-recursivise                                        |
|                  |                     |          |                           |               | regular expression engine                                    |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2010-4052                         |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2010-4756       |          |                           |               | glibc: glob implementation                                   |
|                  |                     |          |                           |               | can cause excessive CPU and                                  |
|                  |                     |          |                           |               | memory consumption due to...                                 |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2010-4756                         |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2016-10228      |          |                           |               | glibc: iconv program can hang                                |
|                  |                     |          |                           |               | when invoked with the -c option                              |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2016-10228                        |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2018-20796      |          |                           |               | glibc: uncontrolled recursion in                             |
|                  |                     |          |                           |               | function check_dst_limits_calc_pos_1                         |
|                  |                     |          |                           |               | in posix/regexec.c                                           |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2018-20796                        |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2019-1010022    |          |                           |               | glibc: stack guard protection bypass                         |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2019-1010022                      |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2019-1010023    |          |                           |               | glibc: running ldd on malicious ELF                          |
|                  |                     |          |                           |               | leads to code execution because of...                        |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2019-1010023                      |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2019-1010024    |          |                           |               | glibc: ASLR bypass using                                     |
|                  |                     |          |                           |               | cache of thread stack and heap                               |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2019-1010024                      |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2019-1010025    |          |                           |               | glibc: information disclosure of heap                        |
|                  |                     |          |                           |               | addresses of pthread_created thread                          |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2019-1010025                      |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2019-19126      |          |                           |               | glibc: LD_PREFER_MAP_32BIT_EXEC                              |
|                  |                     |          |                           |               | not ignored in setuid binaries                               |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2019-19126                        |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2019-9192       |          |                           |               | glibc: uncontrolled recursion in                             |
|                  |                     |          |                           |               | function check_dst_limits_calc_pos_1                         |
|                  |                     |          |                           |               | in posix/regexec.c                                           |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2019-9192                         |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2020-6096       |          |                           |               | glibc: signed comparison                                     |
|                  |                     |          |                           |               | vulnerability in the                                         |
|                  |                     |          |                           |               | ARMv7 memcpy function                                        |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2020-6096                         |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2021-27645      |          |                           |               | glibc: Use-after-free in                                     |
|                  |                     |          |                           |               | addgetnetgrentX function                                     |
|                  |                     |          |                           |               | in netgroupcache.c                                           |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2021-27645                        |




#匹配关键包
root@node1:~/cks/vul-scan# docker run --net=host  ghcr.io/aquasecurity/trivy:latest image nginx:latest |grep CRITICAL
220.74 KiB / 21.40 MiB [>____________________________________________________________] 1.01% ? p/s ?780.25 KiB / 21.40 MiB [-->__________________________________________________________] 3.56% ? p/s ?1.48 MiB / 21.40 MiB [---->__________________________________________________________] 6.91% ? p/s ?2.66 MiB / 21.40 MiB [------>___________________________________________] 12.43% 4.08 MiB p/s ETA 4s3.32 MiB / 21.40 MiB [------->__________________________________________] 15.49% 4.08 MiB p/s ETA 4s3.91 MiB / 21.40 MiB [--------->________________________________________] 18.27% 4.08 MiB p/s ETA 4s5.35 MiB / 21.40 MiB [------------>_____________________________________] 24.99% 4.10 MiB p/s ETA 3s6.36 MiB / 21.40 MiB [-------------->___________________________________] 29.72% 4.10 MiB p/s ETA 3s7.35 MiB / 21.40 MiB [----------------->________________________________] 34.35% 4.10 MiB p/s ETA 3s8.95 MiB / 21.40 MiB [-------------------->_____________________________] 41.84% 4.23 MiB p/s ETA 2s10.56 MiB / 21.40 MiB [------------------------>________________________] 49.34% 4.23 MiB p/s ETA 2s11.74 MiB / 21.40 MiB [-------------------------->______________________] 54.88% 4.23 MiB p/s ETA 2s13.05 MiB / 21.40 MiB [----------------------------->___________________] 60.99% 4.40 MiB p/s ETA 1s14.32 MiB / 21.40 MiB [-------------------------------->________________] 66.93% 4.40 MiB p/s ETA 1s16.19 MiB / 21.40 MiB [------------------------------------->___________] 75.69% 4.40 MiB p/s ETA 1s17.36 MiB / 21.40 MiB [--------------------------------------->_________] 81.13% 4.57 MiB p/s ETA 0s18.94 MiB / 21.40 MiB [------------------------------------------->_____] 88.51% 4.57 MiB p/s ETA 0s21.14 MiB / 21.40 MiB [------------------------------------------------>] 98.78% 4.57 MiB p/s ETA 0s21.40 MiB / 21.40 MiB [----------------------------------------------------] 100.00% 6.16 MiB p/s 4sTotal: 164 (UNKNOWN: 0, LOW: 110, MEDIUM: 13, HIGH: 29, CRITICAL: 12)
| libgnutls30      | CVE-2021-20231      | CRITICAL | 3.6.7-4+deb10u6           |               | gnutls: Use after free in                                    |
| libwebp6         | CVE-2018-25009      | CRITICAL | 0.6.1-2                   |               | libwebp: out-of-bounds read                  





# 换个镜像版本
root@node1:~/cks/vul-scan# docker run --net=host  ghcr.io/aquasecurity/trivy:latest image nginx:1.16-alpine
2021-05-21T07:59:24.605Z	INFO	Need to update DB
2021-05-21T07:59:24.605Z	INFO	Downloading DB...
380.49 KiB / 21.40 MiB [->___________________________________________________________] 1.74% ? p/s ?976.27 KiB / 21.40 MiB [-->__________________________________________________________] 4.46% ? p/s ?1.55 MiB / 21.40 MiB [---->__________________________________________________________] 7.23% ? p/s ?2.05 MiB / 21.40 MiB [---->______________________________________________] 9.57% 2.80 MiB p/s ETA 6s2.52 MiB / 21.40 MiB [----->____________________________________________] 11.80% 2.80 MiB p/s ETA 6s3.09 MiB / 21.40 MiB [------->__________________________________________] 14.46% 2.80 MiB p/s ETA 6s3.75 MiB / 21.40 MiB [-------->_________________________________________] 17.55% 2.80 MiB p/s ETA 6s4.41 MiB / 21.40 MiB [---------->_______________________________________] 20.60% 2.80 MiB p/s ETA 6s5.09 MiB / 21.40 MiB [----------->______________________________________] 23.79% 2.80 MiB p/s ETA 5s5.90 MiB / 21.40 MiB [------------->____________________________________] 27.57% 2.85 MiB p/s ETA 5s6.66 MiB / 21.40 MiB [--------------->__________________________________] 31.15% 2.85 MiB p/s ETA 5s7.50 MiB / 21.40 MiB [----------------->________________________________] 35.04% 2.85 MiB p/s ETA 4s8.58 MiB / 21.40 MiB [-------------------->_____________________________] 40.11% 2.95 MiB p/s ETA 4s9.34 MiB / 21.40 MiB [--------------------->____________________________] 43.64% 2.95 MiB p/s ETA 4s10.30 MiB / 21.40 MiB [----------------------->_________________________] 48.16% 2.95 MiB p/s ETA 3s10.78 MiB / 21.40 MiB [------------------------>________________________] 50.39% 3.00 MiB p/s ETA 3s11.31 MiB / 21.40 MiB [------------------------->_______________________] 52.86% 3.00 MiB p/s ETA 3s11.48 MiB / 21.40 MiB [-------------------------->______________________] 53.66% 3.00 MiB p/s ETA 3s11.60 MiB / 21.40 MiB [-------------------------->______________________] 54.21% 2.89 MiB p/s ETA 3s11.70 MiB / 21.40 MiB [-------------------------->______________________] 54.68% 2.89 MiB p/s ETA 3s12.20 MiB / 21.40 MiB [--------------------------->_____________________] 57.02% 2.89 MiB p/s ETA 3s12.96 MiB / 21.40 MiB [----------------------------->___________________] 60.56% 2.86 MiB p/s ETA 2s13.68 MiB / 21.40 MiB [------------------------------->_________________] 63.96% 2.86 MiB p/s ETA 2s13.92 MiB / 21.40 MiB [------------------------------->_________________] 65.05% 2.86 MiB p/s ETA 2s15.22 MiB / 21.40 MiB [---------------------------------->______________] 71.13% 2.92 MiB p/s ETA 2s15.82 MiB / 21.40 MiB [------------------------------------>____________] 73.93% 2.92 MiB p/s ETA 1s16.76 MiB / 21.40 MiB [-------------------------------------->__________] 78.33% 2.92 MiB p/s ETA 1s17.79 MiB / 21.40 MiB [---------------------------------------->________] 83.16% 3.00 MiB p/s ETA 1s18.83 MiB / 21.40 MiB [------------------------------------------->_____] 88.00% 3.00 MiB p/s ETA 0s20.29 MiB / 21.40 MiB [---------------------------------------------->__] 94.85% 3.00 MiB p/s ETA 0s21.40 MiB / 21.40 MiB [----------------------------------------------->] 100.00% 3.20 MiB p/s ETA 0s21.40 MiB / 21.40 MiB [----------------------------------------------------] 100.00% 3.54 MiB p/s 6s2021-05-21T08:00:41.674Z	INFO	Detected OS: alpine
2021-05-21T08:00:41.674Z	INFO	Detecting Alpine vulnerabilities...
2021-05-21T08:00:41.680Z	INFO	Number of PL dependency files: 0
2021-05-21T08:00:41.680Z	WARN	This OS version is no longer supported by the distribution: alpine 3.10.4
2021-05-21T08:00:41.680Z	WARN	The vulnerability detection may be insufficient because security updates are not provided

nginx:1.16-alpine (alpine 3.10.4)
=================================
Total: 26 (UNKNOWN: 0, LOW: 2, MEDIUM: 13, HIGH: 11, CRITICAL: 0)

+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
|    LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
| apk-tools     | CVE-2021-30139   | HIGH     | 2.10.4-r2         | 2.10.6-r0     | In Alpine Linux apk-tools             |
|               |                  |          |                   |               | before 2.12.5, the tarball            |
|               |                  |          |                   |               | parser allows a buffer...             |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-30139 |
+---------------+------------------+          +-------------------+---------------+---------------------------------------+
| busybox       | CVE-2021-28831   |          | 1.30.1-r3         | 1.30.1-r5     | busybox: invalid free or segmentation |
|               |                  |          |                   |               | fault via malformed gzip data         |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-28831 |
+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
| freetype      | CVE-2020-15999   | MEDIUM   | 2.10.0-r0         | 2.10.0-r1     | freetype: Heap-based buffer           |
|               |                  |          |                   |               | overflow due to integer               |
|               |                  |          |                   |               | truncation in Load_SBit_Png           |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-15999 |
+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1  | CVE-2020-1967    | HIGH     | 1.1.1d-r2         | 1.1.1g-r0     | openssl: Segmentation                 |
|               |                  |          |                   |               | fault in SSL_check_chain              |
|               |                  |          |                   |               | causes denial of service              |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1967  |
+               +------------------+          +                   +---------------+---------------------------------------+
|               | CVE-2021-23840   |          |                   | 1.1.1j-r0     | openssl: integer                      |
|               |                  |          |                   |               | overflow in CipherUpdate              |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+               +------------------+          +                   +---------------+---------------------------------------+
|               | CVE-2021-3450    |          |                   | 1.1.1k-r0     | openssl: CA certificate check         |
|               |                  |          |                   |               | bypass with X509_V_FLAG_X509_STRICT   |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3450  |
+               +------------------+----------+                   +---------------+---------------------------------------+
|               | CVE-2020-1971    | MEDIUM   |                   | 1.1.1i-r0     | openssl: EDIPARTYNAME                 |
|               |                  |          |                   |               | NULL pointer de-reference             |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1971  |
+               +------------------+          +                   +---------------+---------------------------------------+
|               | CVE-2021-23841   |          |                   | 1.1.1j-r0     | openssl: NULL pointer dereference     |
|               |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
+               +------------------+          +                   +---------------+---------------------------------------+
|               | CVE-2021-3449    |          |                   | 1.1.1k-r0     | openssl: NULL pointer dereference     |
|               |                  |          |                   |               | in signature_algorithms processing    |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3449  |
+               +------------------+----------+                   +---------------+---------------------------------------+
|               | CVE-2021-23839   | LOW      |                   | 1.1.1j-r0     | openssl: incorrect SSLv2              |
|               |                  |          |                   |               | rollback protection                   |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libgd         | CVE-2018-14553   | HIGH     | 2.2.5-r2          | 2.2.5-r3      | gd: NULL pointer                      |
|               |                  |          |                   |               | dereference in gdImageClone           |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-14553 |
+               +------------------+----------+                   +               +---------------------------------------+
|               | CVE-2019-11038   | MEDIUM   |                   |               | gd: Information disclosure            |
|               |                  |          |                   |               | in gdImageCreateFromXbm()             |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-11038 |
+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libjpeg-turbo | CVE-2020-13790   | HIGH     | 2.0.4-r0          | 2.0.4-r1      | libjpeg-turbo: heap-based buffer      |
|               |                  |          |                   |               | over-read in get_rgb_row() in rdppm.c |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-13790 |
+---------------+------------------+          +-------------------+---------------+---------------------------------------+
| libssl1.1     | CVE-2020-1967    |          | 1.1.1d-r2         | 1.1.1g-r0     | openssl: Segmentation                 |
|               |                  |          |                   |               | fault in SSL_check_chain              |
|               |                  |          |                   |               | causes denial of service              |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1967  |
+               +------------------+          +                   +---------------+---------------------------------------+
|               | CVE-2021-23840   |          |                   | 1.1.1j-r0     | openssl: integer                      |
|               |                  |          |                   |               | overflow in CipherUpdate              |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+               +------------------+          +                   +---------------+---------------------------------------+
|               | CVE-2021-3450    |          |                   | 1.1.1k-r0     | openssl: CA certificate check         |
|               |                  |          |                   |               | bypass with X509_V_FLAG_X509_STRICT   |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3450  |
+               +------------------+----------+                   +---------------+---------------------------------------+
|               | CVE-2020-1971    | MEDIUM   |                   | 1.1.1i-r0     | openssl: EDIPARTYNAME                 |
|               |                  |          |                   |               | NULL pointer de-reference             |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1971  |
+               +------------------+          +                   +---------------+---------------------------------------+
|               | CVE-2021-23841   |          |                   | 1.1.1j-r0     | openssl: NULL pointer dereference     |
|               |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
+               +------------------+          +                   +---------------+---------------------------------------+
|               | CVE-2021-3449    |          |                   | 1.1.1k-r0     | openssl: NULL pointer dereference     |
|               |                  |          |                   |               | in signature_algorithms processing    |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3449  |
+               +------------------+----------+                   +---------------+---------------------------------------+
|               | CVE-2021-23839   | LOW      |                   | 1.1.1j-r0     | openssl: incorrect SSLv2              |
|               |                  |          |                   |               | rollback protection                   |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libxml2       | CVE-2020-24977   | MEDIUM   | 2.9.9-r3          | 2.9.9-r4      | libxml2: Buffer overflow              |
|               |                  |          |                   |               | vulnerability in                      |
|               |                  |          |                   |               | xmlEncodeEntitiesInternal()           |
|               |                  |          |                   |               | in entities.c                         |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-24977 |
+---------------+------------------+          +-------------------+---------------+---------------------------------------+
| musl          | CVE-2020-28928   |          | 1.1.22-r3         | 1.1.22-r4     | In musl libc through 1.2.1,           |
|               |                  |          |                   |               | wcsnrtombs mishandles particular      |
|               |                  |          |                   |               | combinations of destination buffer... |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28928 |
+---------------+                  +          +                   +               +                                       +
| musl-utils    |                  |          |                   |               |                                       |
|               |                  |          |                   |               |                                       |
|               |                  |          |                   |               |                                       |
|               |                  |          |                   |               |                                       |
+---------------+------------------+          +-------------------+---------------+---------------------------------------+
| nginx         | CVE-2019-20372   |          | 1.16.1-r1         | 1.16.1-r2     | nginx: HTTP request smuggling         |
|               |                  |          |                   |               | in configurations with URL            |
|               |                  |          |                   |               | redirect used as error_page...        |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-20372 |
+---------------+------------------+          +-------------------+---------------+---------------------------------------+
| pcre          | CVE-2020-14155   |          | 8.43-r0           | 8.43-r1       | pcre: integer overflow in libpcre     |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14155 |
+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
| ssl_client    | CVE-2021-28831   | HIGH     | 1.30.1-r3         | 1.30.1-r5     | busybox: invalid free or segmentation |
|               |                  |          |                   |               | fault via malformed gzip data         |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-28831 |
+---------------+------------------+----------+-------------------+---------------+---------------------------------------+

更多阅读：

上一页Image build 下一页ImagePolicyWebhook

最后更新于2年前

root@node1:~/cks/vul-scan# docker run ghcr.io/aquasecurity/trivy:latest image nginx:latest 2021-05-21T07:53:24.540Z INFO Need to update DB 2021-05-21T07:53:24.540Z INFO Downloading DB... 2021-05-21T07:53:44.550Z FATAL DB error: failed to download vulnerability DB: failed to download vulnerability DB: failed to list releases: Get "https://api.github.com/repos/aquasecurity/trivy-db/releases": dial tcp: lookup api.github.com on 8.8.8.8:53: read udp 172.17.0.3:37595->8.8.8.8:53: i/o timeout root@node1:~/cks/vul-scan# docker run --net=host ghcr.io/aquasecurity/trivy:latest image nginx:latest 2021-05-21T07:53:57.092Z INFO Need to update DB 2021-05-21T07:53:57.092Z INFO Downloading DB... 370.09 KiB / 21.40 MiB [->___________________________________________________________] 1.69% ? p/s ?859.52 KiB / 21.40 MiB [-->__________________________________________________________] 3.92% ? p/s ?1.45 MiB / 21.40 MiB [---->__________________________________________________________] 6.77% ? p/s ?2.09 MiB / 21.40 MiB [---->______________________________________________] 9.77% 2.88 MiB p/s ETA 6s2.73 MiB / 21.40 MiB [------>___________________________________________] 12.76% 2.88 MiB p/s ETA 6s3.43 MiB / 21.40 MiB [-------->_________________________________________] 16.05% 2.88 MiB p/s ETA 6s4.28 MiB / 21.40 MiB [--------->________________________________________] 19.99% 2.93 MiB p/s ETA 5s5.22 MiB / 21.40 MiB [------------>_____________________________________] 24.39% 2.93 MiB p/s ETA 5s6.25 MiB / 21.40 MiB [-------------->___________________________________] 29.19% 2.93 MiB p/s ETA 5s6.96 MiB / 21.40 MiB [---------------->_________________________________] 32.53% 3.03 MiB p/s ETA 4s8.52 MiB / 21.40 MiB [------------------->______________________________] 39.80% 3.03 MiB p/s ETA 4s9.65 MiB / 21.40 MiB [---------------------->___________________________] 45.11% 3.03 MiB p/s ETA 3s10.77 MiB / 21.40 MiB [------------------------>________________________] 50.32% 3.24 MiB p/s ETA 3s12.02 MiB / 21.40 MiB [--------------------------->_____________________] 56.18% 3.24 MiB p/s ETA 2s13.30 MiB / 21.40 MiB [------------------------------>__________________] 62.16% 3.24 MiB p/s ETA 2s14.57 MiB / 21.40 MiB [--------------------------------->_______________] 68.12% 3.44 MiB p/s ETA 1s15.92 MiB / 21.40 MiB [------------------------------------>____________] 74.42% 3.44 MiB p/s ETA 1s17.30 MiB / 21.40 MiB [--------------------------------------->_________] 80.84% 3.44 MiB p/s ETA 1s19.13 MiB / 21.40 MiB [------------------------------------------->_____] 89.40% 3.71 MiB p/s ETA 0s21.40 MiB / 21.40 MiB [----------------------------------------------------] 100.00% 5.67 MiB p/s 4s2021-05-21T07:54:20.382Z INFO Detected OS: debian 2021-05-21T07:54:20.382Z INFO Detecting Debian vulnerabilities... 2021-05-21T07:54:20.437Z INFO Number of PL dependency files: 1 nginx:latest (debian 10.9) ========================== Total: 164 (UNKNOWN: 0, LOW: 110, MEDIUM: 13, HIGH: 29, CRITICAL: 12) +------------------+---------------------+----------+---------------------------+---------------+--------------------------------------------------------------+ | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | +------------------+---------------------+----------+---------------------------+---------------+--------------------------------------------------------------+ | apt | CVE-2011-3374 | LOW | 1.8.2.3 | | It was found that apt-key in apt, | | | | | | | all versions, do not correctly... | | | | | | | -->avd.aquasec.com/nvd/cve-2011-3374 | +------------------+---------------------+ +---------------------------+---------------+--------------------------------------------------------------+ | bash | CVE-2019-18276 | | 5.0-4 | | bash: when effective UID is not | | | | | | | equal to its real UID the... | | | | | | | -->avd.aquasec.com/nvd/cve-2019-18276 | + +---------------------+ + +---------------+--------------------------------------------------------------+ | | TEMP-0841856-B18BAF | | | | -->security-tracker.debian.org/tracker/TEMP-0841856-B18BAF | +------------------+---------------------+ +---------------------------+---------------+--------------------------------------------------------------+ | coreutils | CVE-2016-2781 | | 8.30-3 | | coreutils: Non-privileged | | | | | | | session can escape to the | | | | | | | parent session in chroot | | | | | | | -->avd.aquasec.com/nvd/cve-2016-2781 | + +---------------------+ + +---------------+--------------------------------------------------------------+ | | CVE-2017-18018 | | | | coreutils: race condition | | | | | | | vulnerability in chown and chgrp | | | | | | | -->avd.aquasec.com/nvd/cve-2017-18018 | +------------------+---------------------+----------+---------------------------+---------------+--------------------------------------------------------------+ | gcc-8-base | CVE-2018-12886 | HIGH | 8.3.0-6 | | gcc: spilling of stack | | | | | | | protection address in cfgexpand.c | | | | | | | and function.c leads to... | | | | | | | -->avd.aquasec.com/nvd/cve-2018-12886 | + +---------------------+ + +---------------+--------------------------------------------------------------+ | | CVE-2019-15847 | | | | gcc: POWER9 "DARN" RNG intrinsic | | | | | | | produces repeated output | | | | | | | -->avd.aquasec.com/nvd/cve-2019-15847 | +------------------+---------------------+----------+---------------------------+---------------+--------------------------------------------------------------+ | gpgv | CVE-2019-14855 | LOW | 2.2.12-1+deb10u1 | | gnupg2: OpenPGP Key Certification | | | | | | | Forgeries with SHA-1 | | | | | | | -->avd.aquasec.com/nvd/cve-2019-14855 | +------------------+---------------------+ +---------------------------+---------------+--------------------------------------------------------------+ | libapt-pkg5.0 | CVE-2011-3374 | | 1.8.2.3 | | It was found that apt-key in apt, | | | | | | | all versions, do not correctly... | | | | | | | -->avd.aquasec.com/nvd/cve-2011-3374 | +------------------+---------------------+----------+---------------------------+---------------+--------------------------------------------------------------+ | libc-bin | CVE-2020-1751 | HIGH | 2.28-10 | | glibc: array overflow in | | | | | | | backtrace functions for powerpc | | | | | | | -->avd.aquasec.com/nvd/cve-2020-1751 | + +---------------------+ + +---------------+--------------------------------------------------------------+ | | CVE-2020-1752 | | | | glibc: use-after-free in glob() | | | | | | | function when expanding ~user | | | | | | | -->avd.aquasec.com/nvd/cve-2020-1752 | + +---------------------+ + +---------------+--------------------------------------------------------------+ | | CVE-2021-3326 | | | | glibc: Assertion failure in | | | | | | | ISO-2022-JP-3 gconv module | | | | | | | related to combining characters | | | | | | | -->avd.aquasec.com/nvd/cve-2021-3326 | + +---------------------+----------+ +---------------+--------------------------------------------------------------+ | | CVE-2019-25013 | MEDIUM | | | glibc: buffer over-read in | | | | | | | iconv when processing invalid | | | | | | | multi-byte input sequences in... | | | | | | | -->avd.aquasec.com/nvd/cve-2019-25013 | + +---------------------+ + +---------------+--------------------------------------------------------------+ | | CVE-2020-10029 | | | | glibc: stack corruption | | | | | | | from crafted input in cosl, | | | | | | | sinl, sincosl, and tanl... | | | | | | | -->avd.aquasec.com/nvd/cve-2020-10029 | + +---------------------+ + +---------------+--------------------------------------------------------------+ | | CVE-2020-27618 | | | | glibc: iconv when processing | | | | | | | invalid multi-byte input | | | | | | | sequences fails to advance the... | | | | | | | -->avd.aquasec.com/nvd/cve-2020-27618 | + +---------------------+----------+ +---------------+--------------------------------------------------------------+ | | CVE-2010-4051 | LOW | | | CVE-2010-4052 glibc: De-recursivise | | | | | | | regular expression engine | | | | | | | -->avd.aquasec.com/nvd/cve-2010-4051 | + +---------------------+ + +---------------+--------------------------------------------------------------+ | | CVE-2010-4052 | | | | CVE-2010-4051 CVE-2010-4052 | | | | | | | glibc: De-recursivise | | | | | | | regular expression engine | | | | | | | -->avd.aquasec.com/nvd/cve-2010-4052 | + +---------------------+ + +---------------+--------------------------------------------------------------+ | | CVE-2010-4756 | | | | glibc: glob implementation | | | | | | | can cause excessive CPU and | | | | | | | memory consumption due to... | | | | | | | -->avd.aquasec.com/nvd/cve-2010-4756 | + +---------------------+ + +---------------+--------------------------------------------------------------+ | | CVE-2016-10228 | | | | glibc: iconv program can hang | | | | | | | when invoked with the -c option | | | | | | | -->avd.aquasec.com/nvd/cve-2016-10228 | + +---------------------+ + +---------------+--------------------------------------------------------------+ | | CVE-2018-20796 | | | | glibc: uncontrolled recursion in | | | | | | | function check_dst_limits_calc_pos_1 | | | | | | | in posix/regexec.c | | | | | | | -->avd.aquasec.com/nvd/cve-2018-20796 | + +---------------------+ + +---------------+--------------------------------------------------------------+ | | CVE-2019-1010022 | | | | glibc: stack guard protection bypass | | | | | | | -->avd.aquasec.com/nvd/cve-2019-1010022 | + +---------------------+ + +---------------+--------------------------------------------------------------+ | | CVE-2019-1010023 | | | | glibc: running ldd on malicious ELF | | | | | | | leads to code execution because of... | | | | | | | -->avd.aquasec.com/nvd/cve-2019-1010023 | + +---------------------+ + +---------------+--------------------------------------------------------------+ | | CVE-2019-1010024 | | | | glibc: ASLR bypass using | | | | | | | cache of thread stack and heap | | | | | | | -->avd.aquasec.com/nvd/cve-2019-1010024 | + +---------------------+ + +---------------+--------------------------------------------------------------+ | | CVE-2019-1010025 | | | | glibc: information disclosure of heap | | | | | | | addresses of pthread_created thread | | | | | | | -->avd.aquasec.com/nvd/cve-2019-1010025 | + +---------------------+ + +---------------+--------------------------------------------------------------+ | | CVE-2019-19126 | | | | glibc: LD_PREFER_MAP_32BIT_EXEC | | | | | | | not ignored in setuid binaries | | | | | | | -->avd.aquasec.com/nvd/cve-2019-19126 | + +---------------------+ + +---------------+--------------------------------------------------------------+ | | CVE-2019-9192 | | | | glibc: uncontrolled recursion in | | | | | | | function check_dst_limits_calc_pos_1 | | | | | | | in posix/regexec.c | | | | | | | -->avd.aquasec.com/nvd/cve-2019-9192 | + +---------------------+ + +---------------+--------------------------------------------------------------+ | | CVE-2020-6096 | | | | glibc: signed comparison | | | | | | | vulnerability in the | | | | | | | ARMv7 memcpy function | | | | | | | -->avd.aquasec.com/nvd/cve-2020-6096 | + +---------------------+ + +---------------+--------------------------------------------------------------+ | | CVE-2021-27645 | | | | glibc: Use-after-free in | | | | | | | addgetnetgrentX function | | | | | | | in netgroupcache.c | | | | | | | -->avd.aquasec.com/nvd/cve-2021-27645 | #匹配关键包 root@node1:~/cks/vul-scan# docker run --net=host ghcr.io/aquasecurity/trivy:latest image nginx:latest |grep CRITICAL 220.74 KiB / 21.40 MiB [>____________________________________________________________] 1.01% ? p/s ?780.25 KiB / 21.40 MiB [-->__________________________________________________________] 3.56% ? p/s ?1.48 MiB / 21.40 MiB [---->__________________________________________________________] 6.91% ? p/s ?2.66 MiB / 21.40 MiB [------>___________________________________________] 12.43% 4.08 MiB p/s ETA 4s3.32 MiB / 21.40 MiB [------->__________________________________________] 15.49% 4.08 MiB p/s ETA 4s3.91 MiB / 21.40 MiB [--------->________________________________________] 18.27% 4.08 MiB p/s ETA 4s5.35 MiB / 21.40 MiB [------------>_____________________________________] 24.99% 4.10 MiB p/s ETA 3s6.36 MiB / 21.40 MiB [-------------->___________________________________] 29.72% 4.10 MiB p/s ETA 3s7.35 MiB / 21.40 MiB [----------------->________________________________] 34.35% 4.10 MiB p/s ETA 3s8.95 MiB / 21.40 MiB [-------------------->_____________________________] 41.84% 4.23 MiB p/s ETA 2s10.56 MiB / 21.40 MiB [------------------------>________________________] 49.34% 4.23 MiB p/s ETA 2s11.74 MiB / 21.40 MiB [-------------------------->______________________] 54.88% 4.23 MiB p/s ETA 2s13.05 MiB / 21.40 MiB [----------------------------->___________________] 60.99% 4.40 MiB p/s ETA 1s14.32 MiB / 21.40 MiB [-------------------------------->________________] 66.93% 4.40 MiB p/s ETA 1s16.19 MiB / 21.40 MiB [------------------------------------->___________] 75.69% 4.40 MiB p/s ETA 1s17.36 MiB / 21.40 MiB [--------------------------------------->_________] 81.13% 4.57 MiB p/s ETA 0s18.94 MiB / 21.40 MiB [------------------------------------------->_____] 88.51% 4.57 MiB p/s ETA 0s21.14 MiB / 21.40 MiB [------------------------------------------------>] 98.78% 4.57 MiB p/s ETA 0s21.40 MiB / 21.40 MiB [----------------------------------------------------] 100.00% 6.16 MiB p/s 4sTotal: 164 (UNKNOWN: 0, LOW: 110, MEDIUM: 13, HIGH: 29, CRITICAL: 12) | libgnutls30 | CVE-2021-20231 | CRITICAL | 3.6.7-4+deb10u6 | | gnutls: Use after free in | | libwebp6 | CVE-2018-25009 | CRITICAL | 0.6.1-2 | | libwebp: out-of-bounds read # 换个镜像版本 root@node1:~/cks/vul-scan# docker run --net=host ghcr.io/aquasecurity/trivy:latest image nginx:1.16-alpine 2021-05-21T07:59:24.605Z INFO Need to update DB 2021-05-21T07:59:24.605Z INFO Downloading DB... 380.49 KiB / 21.40 MiB [->___________________________________________________________] 1.74% ? p/s ?976.27 KiB / 21.40 MiB [-->__________________________________________________________] 4.46% ? p/s ?1.55 MiB / 21.40 MiB [---->__________________________________________________________] 7.23% ? p/s ?2.05 MiB / 21.40 MiB [---->______________________________________________] 9.57% 2.80 MiB p/s ETA 6s2.52 MiB / 21.40 MiB [----->____________________________________________] 11.80% 2.80 MiB p/s ETA 6s3.09 MiB / 21.40 MiB [------->__________________________________________] 14.46% 2.80 MiB p/s ETA 6s3.75 MiB / 21.40 MiB [-------->_________________________________________] 17.55% 2.80 MiB p/s ETA 6s4.41 MiB / 21.40 MiB [---------->_______________________________________] 20.60% 2.80 MiB p/s ETA 6s5.09 MiB / 21.40 MiB [----------->______________________________________] 23.79% 2.80 MiB p/s ETA 5s5.90 MiB / 21.40 MiB [------------->____________________________________] 27.57% 2.85 MiB p/s ETA 5s6.66 MiB / 21.40 MiB [--------------->__________________________________] 31.15% 2.85 MiB p/s ETA 5s7.50 MiB / 21.40 MiB [----------------->________________________________] 35.04% 2.85 MiB p/s ETA 4s8.58 MiB / 21.40 MiB [-------------------->_____________________________] 40.11% 2.95 MiB p/s ETA 4s9.34 MiB / 21.40 MiB [--------------------->____________________________] 43.64% 2.95 MiB p/s ETA 4s10.30 MiB / 21.40 MiB [----------------------->_________________________] 48.16% 2.95 MiB p/s ETA 3s10.78 MiB / 21.40 MiB [------------------------>________________________] 50.39% 3.00 MiB p/s ETA 3s11.31 MiB / 21.40 MiB [------------------------->_______________________] 52.86% 3.00 MiB p/s ETA 3s11.48 MiB / 21.40 MiB [-------------------------->______________________] 53.66% 3.00 MiB p/s ETA 3s11.60 MiB / 21.40 MiB [-------------------------->______________________] 54.21% 2.89 MiB p/s ETA 3s11.70 MiB / 21.40 MiB [-------------------------->______________________] 54.68% 2.89 MiB p/s ETA 3s12.20 MiB / 21.40 MiB [--------------------------->_____________________] 57.02% 2.89 MiB p/s ETA 3s12.96 MiB / 21.40 MiB [----------------------------->___________________] 60.56% 2.86 MiB p/s ETA 2s13.68 MiB / 21.40 MiB [------------------------------->_________________] 63.96% 2.86 MiB p/s ETA 2s13.92 MiB / 21.40 MiB [------------------------------->_________________] 65.05% 2.86 MiB p/s ETA 2s15.22 MiB / 21.40 MiB [---------------------------------->______________] 71.13% 2.92 MiB p/s ETA 2s15.82 MiB / 21.40 MiB [------------------------------------>____________] 73.93% 2.92 MiB p/s ETA 1s16.76 MiB / 21.40 MiB [-------------------------------------->__________] 78.33% 2.92 MiB p/s ETA 1s17.79 MiB / 21.40 MiB [---------------------------------------->________] 83.16% 3.00 MiB p/s ETA 1s18.83 MiB / 21.40 MiB [------------------------------------------->_____] 88.00% 3.00 MiB p/s ETA 0s20.29 MiB / 21.40 MiB [---------------------------------------------->__] 94.85% 3.00 MiB p/s ETA 0s21.40 MiB / 21.40 MiB [----------------------------------------------->] 100.00% 3.20 MiB p/s ETA 0s21.40 MiB / 21.40 MiB [----------------------------------------------------] 100.00% 3.54 MiB p/s 6s2021-05-21T08:00:41.674Z INFO Detected OS: alpine 2021-05-21T08:00:41.674Z INFO Detecting Alpine vulnerabilities... 2021-05-21T08:00:41.680Z INFO Number of PL dependency files: 0 2021-05-21T08:00:41.680Z WARN This OS version is no longer supported by the distribution: alpine 3.10.4 2021-05-21T08:00:41.680Z WARN The vulnerability detection may be insufficient because security updates are not provided nginx:1.16-alpine (alpine 3.10.4) ================================= Total: 26 (UNKNOWN: 0, LOW: 2, MEDIUM: 13, HIGH: 11, CRITICAL: 0) +---------------+------------------+----------+-------------------+---------------+---------------------------------------+ | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | +---------------+------------------+----------+-------------------+---------------+---------------------------------------+ | apk-tools | CVE-2021-30139 | HIGH | 2.10.4-r2 | 2.10.6-r0 | In Alpine Linux apk-tools | | | | | | | before 2.12.5, the tarball | | | | | | | parser allows a buffer... | | | | | | | -->avd.aquasec.com/nvd/cve-2021-30139 | +---------------+------------------+ +-------------------+---------------+---------------------------------------+ | busybox | CVE-2021-28831 | | 1.30.1-r3 | 1.30.1-r5 | busybox: invalid free or segmentation | | | | | | | fault via malformed gzip data | | | | | | | -->avd.aquasec.com/nvd/cve-2021-28831 | +---------------+------------------+----------+-------------------+---------------+---------------------------------------+ | freetype | CVE-2020-15999 | MEDIUM | 2.10.0-r0 | 2.10.0-r1 | freetype: Heap-based buffer | | | | | | | overflow due to integer | | | | | | | truncation in Load_SBit_Png | | | | | | | -->avd.aquasec.com/nvd/cve-2020-15999 | +---------------+------------------+----------+-------------------+---------------+---------------------------------------+ | libcrypto1.1 | CVE-2020-1967 | HIGH | 1.1.1d-r2 | 1.1.1g-r0 | openssl: Segmentation | | | | | | | fault in SSL_check_chain | | | | | | | causes denial of service | | | | | | | -->avd.aquasec.com/nvd/cve-2020-1967 | + +------------------+ + +---------------+---------------------------------------+ | | CVE-2021-23840 | | | 1.1.1j-r0 | openssl: integer | | | | | | | overflow in CipherUpdate | | | | | | | -->avd.aquasec.com/nvd/cve-2021-23840 | + +------------------+ + +---------------+---------------------------------------+ | | CVE-2021-3450 | | | 1.1.1k-r0 | openssl: CA certificate check | | | | | | | bypass with X509_V_FLAG_X509_STRICT | | | | | | | -->avd.aquasec.com/nvd/cve-2021-3450 | + +------------------+----------+ +---------------+---------------------------------------+ | | CVE-2020-1971 | MEDIUM | | 1.1.1i-r0 | openssl: EDIPARTYNAME | | | | | | | NULL pointer de-reference | | | | | | | -->avd.aquasec.com/nvd/cve-2020-1971 | + +------------------+ + +---------------+---------------------------------------+ | | CVE-2021-23841 | | | 1.1.1j-r0 | openssl: NULL pointer dereference | | | | | | | in X509_issuer_and_serial_hash() | | | | | | | -->avd.aquasec.com/nvd/cve-2021-23841 | + +------------------+ + +---------------+---------------------------------------+ | | CVE-2021-3449 | | | 1.1.1k-r0 | openssl: NULL pointer dereference | | | | | | | in signature_algorithms processing | | | | | | | -->avd.aquasec.com/nvd/cve-2021-3449 | + +------------------+----------+ +---------------+---------------------------------------+ | | CVE-2021-23839 | LOW | | 1.1.1j-r0 | openssl: incorrect SSLv2 | | | | | | | rollback protection | | | | | | | -->avd.aquasec.com/nvd/cve-2021-23839 | +---------------+------------------+----------+-------------------+---------------+---------------------------------------+ | libgd | CVE-2018-14553 | HIGH | 2.2.5-r2 | 2.2.5-r3 | gd: NULL pointer | | | | | | | dereference in gdImageClone | | | | | | | -->avd.aquasec.com/nvd/cve-2018-14553 | + +------------------+----------+ + +---------------------------------------+ | | CVE-2019-11038 | MEDIUM | | | gd: Information disclosure | | | | | | | in gdImageCreateFromXbm() | | | | | | | -->avd.aquasec.com/nvd/cve-2019-11038 | +---------------+------------------+----------+-------------------+---------------+---------------------------------------+ | libjpeg-turbo | CVE-2020-13790 | HIGH | 2.0.4-r0 | 2.0.4-r1 | libjpeg-turbo: heap-based buffer | | | | | | | over-read in get_rgb_row() in rdppm.c | | | | | | | -->avd.aquasec.com/nvd/cve-2020-13790 | +---------------+------------------+ +-------------------+---------------+---------------------------------------+ | libssl1.1 | CVE-2020-1967 | | 1.1.1d-r2 | 1.1.1g-r0 | openssl: Segmentation | | | | | | | fault in SSL_check_chain | | | | | | | causes denial of service | | | | | | | -->avd.aquasec.com/nvd/cve-2020-1967 | + +------------------+ + +---------------+---------------------------------------+ | | CVE-2021-23840 | | | 1.1.1j-r0 | openssl: integer | | | | | | | overflow in CipherUpdate | | | | | | | -->avd.aquasec.com/nvd/cve-2021-23840 | + +------------------+ + +---------------+---------------------------------------+ | | CVE-2021-3450 | | | 1.1.1k-r0 | openssl: CA certificate check | | | | | | | bypass with X509_V_FLAG_X509_STRICT | | | | | | | -->avd.aquasec.com/nvd/cve-2021-3450 | + +------------------+----------+ +---------------+---------------------------------------+ | | CVE-2020-1971 | MEDIUM | | 1.1.1i-r0 | openssl: EDIPARTYNAME | | | | | | | NULL pointer de-reference | | | | | | | -->avd.aquasec.com/nvd/cve-2020-1971 | + +------------------+ + +---------------+---------------------------------------+ | | CVE-2021-23841 | | | 1.1.1j-r0 | openssl: NULL pointer dereference | | | | | | | in X509_issuer_and_serial_hash() | | | | | | | -->avd.aquasec.com/nvd/cve-2021-23841 | + +------------------+ + +---------------+---------------------------------------+ | | CVE-2021-3449 | | | 1.1.1k-r0 | openssl: NULL pointer dereference | | | | | | | in signature_algorithms processing | | | | | | | -->avd.aquasec.com/nvd/cve-2021-3449 | + +------------------+----------+ +---------------+---------------------------------------+ | | CVE-2021-23839 | LOW | | 1.1.1j-r0 | openssl: incorrect SSLv2 | | | | | | | rollback protection | | | | | | | -->avd.aquasec.com/nvd/cve-2021-23839 | +---------------+------------------+----------+-------------------+---------------+---------------------------------------+ | libxml2 | CVE-2020-24977 | MEDIUM | 2.9.9-r3 | 2.9.9-r4 | libxml2: Buffer overflow | | | | | | | vulnerability in | | | | | | | xmlEncodeEntitiesInternal() | | | | | | | in entities.c | | | | | | | -->avd.aquasec.com/nvd/cve-2020-24977 | +---------------+------------------+ +-------------------+---------------+---------------------------------------+ | musl | CVE-2020-28928 | | 1.1.22-r3 | 1.1.22-r4 | In musl libc through 1.2.1, | | | | | | | wcsnrtombs mishandles particular | | | | | | | combinations of destination buffer... | | | | | | | -->avd.aquasec.com/nvd/cve-2020-28928 | +---------------+ + + + + + | musl-utils | | | | | | | | | | | | | | | | | | | | | | | | | | | +---------------+------------------+ +-------------------+---------------+---------------------------------------+ | nginx | CVE-2019-20372 | | 1.16.1-r1 | 1.16.1-r2 | nginx: HTTP request smuggling | | | | | | | in configurations with URL | | | | | | | redirect used as error_page... | | | | | | | -->avd.aquasec.com/nvd/cve-2019-20372 | +---------------+------------------+ +-------------------+---------------+---------------------------------------+ | pcre | CVE-2020-14155 | | 8.43-r0 | 8.43-r1 | pcre: integer overflow in libpcre | | | | | | | -->avd.aquasec.com/nvd/cve-2020-14155 | +---------------+------------------+----------+-------------------+---------------+---------------------------------------+ | ssl_client | CVE-2021-28831 | HIGH | 1.30.1-r3 | 1.30.1-r5 | busybox: invalid free or segmentation | | | | | | | fault via malformed gzip data | | | | | | | -->avd.aquasec.com/nvd/cve-2021-28831 | +---------------+------------------+----------+-------------------+---------------+---------------------------------------+