Image Vulnerability Scanning (Trivy)

1. Scanning images with Trivy

GitHub: https://github.com/aquasecurity/trivy

root@node1:~/cks/vul-scan# docker run ghcr.io/aquasecurity/trivy:latest image nginx:latest
2021-05-21T07:53:24.540Z	INFO	Need to update DB
2021-05-21T07:53:24.540Z	INFO	Downloading DB...
2021-05-21T07:53:44.550Z	FATAL	DB error: failed to download vulnerability DB: failed to download vulnerability DB: failed to list releases: Get "https://api.github.com/repos/aquasecurity/trivy-db/releases": dial tcp: lookup api.github.com on 8.8.8.8:53: read udp 172.17.0.3:37595->8.8.8.8:53: i/o timeout
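# The DB download failed on a DNS lookup timeout from inside the container's bridge network (172.17.0.3); rerun with host networking
root@node1:~/cks/vul-scan# docker run --net=host  ghcr.io/aquasecurity/trivy:latest image nginx:latest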
2021-05-21T07:53:57.092Z	INFO	Need to update DB
2021-05-21T07:53:57.092Z	INFO	Downloading DB...
21.40 MiB / 21.40 MiB [----------------------------------------------------] 100.00% 5.67 MiB p/s 4s
2021-05-21T07:54:20.382Z	INFO	Detected OS: debian
2021-05-21T07:54:20.382Z	INFO	Detecting Debian vulnerabilities...
2021-05-21T07:54:20.437Z	INFO	Number of PL dependency files: 1

nginx:latest (debian 10.9)
==========================
Total: 164 (UNKNOWN: 0, LOW: 110, MEDIUM: 13, HIGH: 29, CRITICAL: 12)

+------------------+---------------------+----------+---------------------------+---------------+--------------------------------------------------------------+
|     LIBRARY      |  VULNERABILITY ID   | SEVERITY |     INSTALLED VERSION     | FIXED VERSION |                            TITLE                             |
+------------------+---------------------+----------+---------------------------+---------------+--------------------------------------------------------------+
| apt              | CVE-2011-3374       | LOW      | 1.8.2.3                   |               | It was found that apt-key in apt,                            |
|                  |                     |          |                           |               | all versions, do not correctly...                            |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2011-3374                         |
+------------------+---------------------+          +---------------------------+---------------+--------------------------------------------------------------+
| bash             | CVE-2019-18276      |          | 5.0-4                     |               | bash: when effective UID is not                              |
|                  |                     |          |                           |               | equal to its real UID the...                                 |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2019-18276                        |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | TEMP-0841856-B18BAF |          |                           |               | -->security-tracker.debian.org/tracker/TEMP-0841856-B18BAF   |
+------------------+---------------------+          +---------------------------+---------------+--------------------------------------------------------------+
| coreutils        | CVE-2016-2781       |          | 8.30-3                    |               | coreutils: Non-privileged                                    |
|                  |                     |          |                           |               | session can escape to the                                    |
|                  |                     |          |                           |               | parent session in chroot                                     |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2016-2781                         |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2017-18018      |          |                           |               | coreutils: race condition                                    |
|                  |                     |          |                           |               | vulnerability in chown and chgrp                             |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2017-18018                        |
+------------------+---------------------+----------+---------------------------+---------------+--------------------------------------------------------------+
| gcc-8-base       | CVE-2018-12886      | HIGH     | 8.3.0-6                   |               | gcc: spilling of stack                                       |
|                  |                     |          |                           |               | protection address in cfgexpand.c                            |
|                  |                     |          |                           |               | and function.c leads to...                                   |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2018-12886                        |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2019-15847      |          |                           |               | gcc: POWER9 "DARN" RNG intrinsic                             |
|                  |                     |          |                           |               | produces repeated output                                     |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2019-15847                        |
+------------------+---------------------+----------+---------------------------+---------------+--------------------------------------------------------------+
| gpgv             | CVE-2019-14855      | LOW      | 2.2.12-1+deb10u1          |               | gnupg2: OpenPGP Key Certification                            |
|                  |                     |          |                           |               | Forgeries with SHA-1                                         |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2019-14855                        |
+------------------+---------------------+          +---------------------------+---------------+--------------------------------------------------------------+
| libapt-pkg5.0    | CVE-2011-3374       |          | 1.8.2.3                   |               | It was found that apt-key in apt,                            |
|                  |                     |          |                           |               | all versions, do not correctly...                            |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2011-3374                         |
+------------------+---------------------+----------+---------------------------+---------------+--------------------------------------------------------------+
| libc-bin         | CVE-2020-1751       | HIGH     | 2.28-10                   |               | glibc: array overflow in                                     |
|                  |                     |          |                           |               | backtrace functions for powerpc                              |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2020-1751                         |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2020-1752       |          |                           |               | glibc: use-after-free in glob()                              |
|                  |                     |          |                           |               | function when expanding ~user                                |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2020-1752                         |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2021-3326       |          |                           |               | glibc: Assertion failure in                                  |
|                  |                     |          |                           |               | ISO-2022-JP-3 gconv module                                   |
|                  |                     |          |                           |               | related to combining characters                              |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2021-3326                         |
+                  +---------------------+----------+                           +---------------+--------------------------------------------------------------+
|                  | CVE-2019-25013      | MEDIUM   |                           |               | glibc: buffer over-read in                                   |
|                  |                     |          |                           |               | iconv when processing invalid                                |
|                  |                     |          |                           |               | multi-byte input sequences in...                             |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2019-25013                        |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2020-10029      |          |                           |               | glibc: stack corruption                                      |
|                  |                     |          |                           |               | from crafted input in cosl,                                  |
|                  |                     |          |                           |               | sinl, sincosl, and tanl...                                   |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2020-10029                        |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2020-27618      |          |                           |               | glibc: iconv when processing                                 |
|                  |                     |          |                           |               | invalid multi-byte input                                     |
|                  |                     |          |                           |               | sequences fails to advance the...                            |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2020-27618                        |
+                  +---------------------+----------+                           +---------------+--------------------------------------------------------------+
|                  | CVE-2010-4051       | LOW      |                           |               | CVE-2010-4052 glibc: De-recursivise                          |
|                  |                     |          |                           |               | regular expression engine                                    |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2010-4051                         |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2010-4052       |          |                           |               | CVE-2010-4051 CVE-2010-4052                                  |
|                  |                     |          |                           |               | glibc: De-recursivise                                        |
|                  |                     |          |                           |               | regular expression engine                                    |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2010-4052                         |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2010-4756       |          |                           |               | glibc: glob implementation                                   |
|                  |                     |          |                           |               | can cause excessive CPU and                                  |
|                  |                     |          |                           |               | memory consumption due to...                                 |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2010-4756                         |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2016-10228      |          |                           |               | glibc: iconv program can hang                                |
|                  |                     |          |                           |               | when invoked with the -c option                              |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2016-10228                        |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2018-20796      |          |                           |               | glibc: uncontrolled recursion in                             |
|                  |                     |          |                           |               | function check_dst_limits_calc_pos_1                         |
|                  |                     |          |                           |               | in posix/regexec.c                                           |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2018-20796                        |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2019-1010022    |          |                           |               | glibc: stack guard protection bypass                         |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2019-1010022                      |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2019-1010023    |          |                           |               | glibc: running ldd on malicious ELF                          |
|                  |                     |          |                           |               | leads to code execution because of...                        |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2019-1010023                      |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2019-1010024    |          |                           |               | glibc: ASLR bypass using                                     |
|                  |                     |          |                           |               | cache of thread stack and heap                               |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2019-1010024                      |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2019-1010025    |          |                           |               | glibc: information disclosure of heap                        |
|                  |                     |          |                           |               | addresses of pthread_created thread                          |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2019-1010025                      |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2019-19126      |          |                           |               | glibc: LD_PREFER_MAP_32BIT_EXEC                              |
|                  |                     |          |                           |               | not ignored in setuid binaries                               |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2019-19126                        |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2019-9192       |          |                           |               | glibc: uncontrolled recursion in                             |
|                  |                     |          |                           |               | function check_dst_limits_calc_pos_1                         |
|                  |                     |          |                           |               | in posix/regexec.c                                           |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2019-9192                         |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2020-6096       |          |                           |               | glibc: signed comparison                                     |
|                  |                     |          |                           |               | vulnerability in the                                         |
|                  |                     |          |                           |               | ARMv7 memcpy function                                        |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2020-6096                         |
+                  +---------------------+          +                           +---------------+--------------------------------------------------------------+
|                  | CVE-2021-27645      |          |                           |               | glibc: Use-after-free in                                     |
|                  |                     |          |                           |               | addgetnetgrentX function                                     |
|                  |                     |          |                           |               | in netgroupcache.c                                           |
|                  |                     |          |                           |               | -->avd.aquasec.com/nvd/cve-2021-27645                        |




# Match the CRITICAL packages
root@node1:~/cks/vul-scan# docker run --net=host  ghcr.io/aquasecurity/trivy:latest image nginx:latest |grep CRITICAL
21.40 MiB / 21.40 MiB [----------------------------------------------------] 100.00% 6.16 MiB p/s 4s
Total: 164 (UNKNOWN: 0, LOW: 110, MEDIUM: 13, HIGH: 29, CRITICAL: 12)
| libgnutls30      | CVE-2021-20231      | CRITICAL | 3.6.7-4+deb10u6           |               | gnutls: Use after free in                                    |
| libwebp6         | CVE-2018-25009      | CRITICAL | 0.6.1-2                   |               | libwebp: out-of-bounds read                  
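
In Trivy's table layout a repeated SEVERITY value is printed only on the first row of a group (the separator line leaves that column blank for the rows that follow), so `grep CRITICAL` or `grep HIGH` matches only the first finding of each group. The following is an added example, not part of the original notes: an awk filter that reads the separator lines to carry merged cells forward and prints one line per finding. The function names are made up for this example, and the sample is an excerpt of this page's nginx:1.16-alpine table with a closing border added.

```shell
#!/bin/sh
# Added example (not from the original notes): flatten Trivy's ASCII table so
# that every finding carries its own severity. Function names are hypothetical.

# Sample input: excerpt of the nginx:1.16-alpine table shown on this page.
sample_table() {
cat <<'EOF'
+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
|    LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
| apk-tools     | CVE-2021-30139   | HIGH     | 2.10.4-r2         | 2.10.6-r0     | In Alpine Linux apk-tools             |
|               |                  |          |                   |               | before 2.12.5, the tarball            |
|               |                  |          |                   |               | parser allows a buffer...             |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-30139 |
+---------------+------------------+          +-------------------+---------------+---------------------------------------+
| busybox       | CVE-2021-28831   |          | 1.30.1-r3         | 1.30.1-r5     | busybox: invalid free or segmentation |
|               |                  |          |                   |               | fault via malformed gzip data         |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-28831 |
+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
| freetype      | CVE-2020-15999   | MEDIUM   | 2.10.0-r0         | 2.10.0-r1     | freetype: Heap-based buffer           |
|               |                  |          |                   |               | overflow due to integer               |
|               |                  |          |                   |               | truncation in Load_SBit_Png           |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-15999 |
+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1  | CVE-2020-1967    | HIGH     | 1.1.1d-r2         | 1.1.1g-r0     | openssl: Segmentation                 |
|               |                  |          |                   |               | fault in SSL_check_chain              |
|               |                  |          |                   |               | causes denial of service              |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1967  |
+               +------------------+          +                   +---------------+---------------------------------------+
|               | CVE-2021-23840   |          |                   | 1.1.1j-r0     | openssl: integer                      |
|               |                  |          |                   |               | overflow in CipherUpdate              |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+               +------------------+          +                   +---------------+---------------------------------------+
|               | CVE-2021-3450    |          |                   | 1.1.1k-r0     | openssl: CA certificate check         |
|               |                  |          |                   |               | bypass with X509_V_FLAG_X509_STRICT   |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3450  |
+               +------------------+----------+                   +---------------+---------------------------------------+
|               | CVE-2020-1971    | MEDIUM   |                   | 1.1.1i-r0     | openssl: EDIPARTYNAME                 |
|               |                  |          |                   |               | NULL pointer de-reference             |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1971  |
+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
EOF
}

# Read a Trivy table on stdin; print "SEVERITY LIBRARY ID INSTALLED FIXED".
# A separator segment made of spaces means the cell below is merged with the
# row above, so the previous value is kept; a dashed segment starts a new value.
trivy_rows() {
  awk -F'[|]' '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function dash(s) { return (s == "" ? "-" : s) }
    substr($0, 1, 1) == "+" {
      split($0, seg, /[+]/)
      for (i = 2; i <= 6; i++) merged[i] = (seg[i] ~ /^ +$/)
      fresh = 1
      next
    }
    substr($0, 1, 1) == "|" && fresh {
      fresh = 0                      # later "|" lines are wrapped TITLE text
      for (i = 2; i <= 6; i++) if (!merged[i]) cur[i] = trim($i)
      if (cur[2] == "LIBRARY") next  # header row
      print dash(cur[4]), cur[2], cur[3], dash(cur[5]), dash(cur[6])
    }'
}

# Count findings of one severity, e.g. "count_severity HIGH".
count_severity() {
  trivy_rows | awk -v want="$1" '$1 == want { n++ } END { print n + 0 }'
}

# grep sees 2 HIGH rows in the sample; the table actually holds 5.
echo "grep -c HIGH : $(sample_table | grep -c HIGH)"
echo "parsed HIGH  : $(sample_table | count_severity HIGH)"
sample_table | trivy_rows | awk '$1 == "HIGH"'
```

Against a live scan, pipe the `trivy image` output into `trivy_rows`; Trivy's own `--severity CRITICAL` option filters at the source instead.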





# Try a different image version
root@node1:~/cks/vul-scan# docker run --net=host  ghcr.io/aquasecurity/trivy:latest image nginx:1.16-alpine
2021-05-21T07:59:24.605Z	INFO	Need to update DB
2021-05-21T07:59:24.605Z	INFO	Downloading DB...
21.40 MiB / 21.40 MiB [----------------------------------------------------] 100.00% 3.54 MiB p/s 6s
2021-05-21T08:00:41.674Z	INFO	Detected OS: alpine
2021-05-21T08:00:41.674Z	INFO	Detecting Alpine vulnerabilities...
2021-05-21T08:00:41.680Z	INFO	Number of PL dependency files: 0
2021-05-21T08:00:41.680Z	WARN	This OS version is no longer supported by the distribution: alpine 3.10.4
2021-05-21T08:00:41.680Z	WARN	The vulnerability detection may be insufficient because security updates are not provided

nginx:1.16-alpine (alpine 3.10.4)
=================================
Total: 26 (UNKNOWN: 0, LOW: 2, MEDIUM: 13, HIGH: 11, CRITICAL: 0)

+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
|    LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
| apk-tools     | CVE-2021-30139   | HIGH     | 2.10.4-r2         | 2.10.6-r0     | In Alpine Linux apk-tools             |
|               |                  |          |                   |               | before 2.12.5, the tarball            |
|               |                  |          |                   |               | parser allows a buffer...             |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-30139 |
+---------------+------------------+          +-------------------+---------------+---------------------------------------+
| busybox       | CVE-2021-28831   |          | 1.30.1-r3         | 1.30.1-r5     | busybox: invalid free or segmentation |
|               |                  |          |                   |               | fault via malformed gzip data         |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-28831 |
+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
| freetype      | CVE-2020-15999   | MEDIUM   | 2.10.0-r0         | 2.10.0-r1     | freetype: Heap-based buffer           |
|               |                  |          |                   |               | overflow due to integer               |
|               |                  |          |                   |               | truncation in Load_SBit_Png           |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-15999 |
+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1  | CVE-2020-1967    | HIGH     | 1.1.1d-r2         | 1.1.1g-r0     | openssl: Segmentation                 |
|               |                  |          |                   |               | fault in SSL_check_chain              |
|               |                  |          |                   |               | causes denial of service              |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1967  |
+               +------------------+          +                   +---------------+---------------------------------------+
|               | CVE-2021-23840   |          |                   | 1.1.1j-r0     | openssl: integer                      |
|               |                  |          |                   |               | overflow in CipherUpdate              |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+               +------------------+          +                   +---------------+---------------------------------------+
|               | CVE-2021-3450    |          |                   | 1.1.1k-r0     | openssl: CA certificate check         |
|               |                  |          |                   |               | bypass with X509_V_FLAG_X509_STRICT   |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3450  |
+               +------------------+----------+                   +---------------+---------------------------------------+
|               | CVE-2020-1971    | MEDIUM   |                   | 1.1.1i-r0     | openssl: EDIPARTYNAME                 |
|               |                  |          |                   |               | NULL pointer de-reference             |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1971  |
+               +------------------+          +                   +---------------+---------------------------------------+
|               | CVE-2021-23841   |          |                   | 1.1.1j-r0     | openssl: NULL pointer dereference     |
|               |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
+               +------------------+          +                   +---------------+---------------------------------------+
|               | CVE-2021-3449    |          |                   | 1.1.1k-r0     | openssl: NULL pointer dereference     |
|               |                  |          |                   |               | in signature_algorithms processing    |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3449  |
+               +------------------+----------+                   +---------------+---------------------------------------+
|               | CVE-2021-23839   | LOW      |                   | 1.1.1j-r0     | openssl: incorrect SSLv2              |
|               |                  |          |                   |               | rollback protection                   |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libgd         | CVE-2018-14553   | HIGH     | 2.2.5-r2          | 2.2.5-r3      | gd: NULL pointer                      |
|               |                  |          |                   |               | dereference in gdImageClone           |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-14553 |
+               +------------------+----------+                   +               +---------------------------------------+
|               | CVE-2019-11038   | MEDIUM   |                   |               | gd: Information disclosure            |
|               |                  |          |                   |               | in gdImageCreateFromXbm()             |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-11038 |
+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libjpeg-turbo | CVE-2020-13790   | HIGH     | 2.0.4-r0          | 2.0.4-r1      | libjpeg-turbo: heap-based buffer      |
|               |                  |          |                   |               | over-read in get_rgb_row() in rdppm.c |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-13790 |
+---------------+------------------+          +-------------------+---------------+---------------------------------------+
| libssl1.1     | CVE-2020-1967    |          | 1.1.1d-r2         | 1.1.1g-r0     | openssl: Segmentation                 |
|               |                  |          |                   |               | fault in SSL_check_chain              |
|               |                  |          |                   |               | causes denial of service              |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1967  |
+               +------------------+          +                   +---------------+---------------------------------------+
|               | CVE-2021-23840   |          |                   | 1.1.1j-r0     | openssl: integer                      |
|               |                  |          |                   |               | overflow in CipherUpdate              |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+               +------------------+          +                   +---------------+---------------------------------------+
|               | CVE-2021-3450    |          |                   | 1.1.1k-r0     | openssl: CA certificate check         |
|               |                  |          |                   |               | bypass with X509_V_FLAG_X509_STRICT   |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3450  |
+               +------------------+----------+                   +---------------+---------------------------------------+
|               | CVE-2020-1971    | MEDIUM   |                   | 1.1.1i-r0     | openssl: EDIPARTYNAME                 |
|               |                  |          |                   |               | NULL pointer de-reference             |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1971  |
+               +------------------+          +                   +---------------+---------------------------------------+
|               | CVE-2021-23841   |          |                   | 1.1.1j-r0     | openssl: NULL pointer dereference     |
|               |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
+               +------------------+          +                   +---------------+---------------------------------------+
|               | CVE-2021-3449    |          |                   | 1.1.1k-r0     | openssl: NULL pointer dereference     |
|               |                  |          |                   |               | in signature_algorithms processing    |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3449  |
+               +------------------+----------+                   +---------------+---------------------------------------+
|               | CVE-2021-23839   | LOW      |                   | 1.1.1j-r0     | openssl: incorrect SSLv2              |
|               |                  |          |                   |               | rollback protection                   |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libxml2       | CVE-2020-24977   | MEDIUM   | 2.9.9-r3          | 2.9.9-r4      | libxml2: Buffer overflow              |
|               |                  |          |                   |               | vulnerability in                      |
|               |                  |          |                   |               | xmlEncodeEntitiesInternal()           |
|               |                  |          |                   |               | in entities.c                         |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-24977 |
+---------------+------------------+          +-------------------+---------------+---------------------------------------+
| musl          | CVE-2020-28928   |          | 1.1.22-r3         | 1.1.22-r4     | In musl libc through 1.2.1,           |
|               |                  |          |                   |               | wcsnrtombs mishandles particular      |
|               |                  |          |                   |               | combinations of destination buffer... |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28928 |
+---------------+                  +          +                   +               +                                       +
| musl-utils    |                  |          |                   |               |                                       |
|               |                  |          |                   |               |                                       |
|               |                  |          |                   |               |                                       |
|               |                  |          |                   |               |                                       |
+---------------+------------------+          +-------------------+---------------+---------------------------------------+
| nginx         | CVE-2019-20372   |          | 1.16.1-r1         | 1.16.1-r2     | nginx: HTTP request smuggling         |
|               |                  |          |                   |               | in configurations with URL            |
|               |                  |          |                   |               | redirect used as error_page...        |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-20372 |
+---------------+------------------+          +-------------------+---------------+---------------------------------------+
| pcre          | CVE-2020-14155   |          | 8.43-r0           | 8.43-r1       | pcre: integer overflow in libpcre     |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14155 |
+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
| ssl_client    | CVE-2021-28831   | HIGH     | 1.30.1-r3         | 1.30.1-r5     | busybox: invalid free or segmentation |
|               |                  |          |                   |               | fault via malformed gzip data         |
|               |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-28831 |
+---------------+------------------+----------+-------------------+---------------+---------------------------------------+
