CVE-2023-38646 not being detected

[exiett]

Description

Hi all!
The image metabase/metabase:v0.45.2 is vulnerable to CVE-2023-38646.
Tried Trivy in it to see if detects the problem and Trivy oversees it.
Is this expected? How version matching in Trivy works? Which vulnerability DBs does Trivy consults to get its results from?

Desired Behavior

Trivy detects CVE-2023-38646 in the image.

Actual Behavior

Trivy oversees the vulnerability.

Reproduction Steps

1. trivy image metabase/metabase:v0.45.2 --quiet | grep CVE-2023-38646
...

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

❯ trivy image metabase/metabase:v0.45.2 --debug| grep CVE-2023-38646
2024-03-19T18:22:39.574-0300	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-03-19T18:22:39.575-0300	DEBUG	Ignore statuses	{"statuses": null}
2024-03-19T18:22:39.614-0300	DEBUG	cache dir:  /Users/lucas.teixeira/Library/Caches/trivy
2024-03-19T18:22:39.614-0300	DEBUG	DB update was skipped because the local DB is the latest
2024-03-19T18:22:39.614-0300	DEBUG	DB Schema: 2, UpdatedAt: 2024-03-19 18:11:55.127619352 +0000 UTC, NextUpdate: 2024-03-20 00:11:55.12761871 +0000 UTC, DownloadedAt: 2024-03-19 18:49:07.422505 +0000 UTC
2024-03-19T18:22:39.614-0300	INFO	Vulnerability scanning is enabled
2024-03-19T18:22:39.614-0300	DEBUG	Vulnerability type:  [os library]
2024-03-19T18:22:39.614-0300	INFO	Secret scanning is enabled
2024-03-19T18:22:39.614-0300	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-19T18:22:39.614-0300	INFO	Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-03-19T18:22:39.614-0300	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-03-19T18:22:40.792-0300	DEBUG	No secret config detected: trivy-secret.yaml
2024-03-19T18:22:40.792-0300	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-03-19T18:22:40.793-0300	DEBUG	No secret config detected: trivy-secret.yaml
2024-03-19T18:22:40.987-0300	DEBUG	Image ID: sha256:d52859d68b82e5f458058bd30b99c86765bff70efdbb42e9ef5e8876416d8c50
2024-03-19T18:22:40.987-0300	DEBUG	Diff IDs: [sha256:8e012198eea15b2554b07014081c85fec4967a1b9cc4b65bd9a4bce3ae1c0c88 sha256:f9e315186df9d3a8de76074e45a1d5d65e712837e6f91271c2a47425ccc6706e sha256:2e8bab69232fa0f47170a9cf348173bcf4b3a5726f546f2f884c81443f307888 sha256:b0a2c454f7b862377bd199b90c24b7d121dec34e43a16fe030bc7f56d745da6c sha256:07f84bed0fa2958d23a47aa474d507d186a76473a474d23486d51eba38c03438 sha256:816ea78d10893f7b8a7d994b503d499c6af422c0bdb71ad92def3aaae7e941a2]
2024-03-19T18:22:40.987-0300	DEBUG	Base Layers: [sha256:8e012198eea15b2554b07014081c85fec4967a1b9cc4b65bd9a4bce3ae1c0c88]
2024-03-19T18:22:40.995-0300	INFO	Detected OS: alpine
2024-03-19T18:22:40.995-0300	INFO	Detecting Alpine vulnerabilities...
2024-03-19T18:22:40.995-0300	DEBUG	alpine: os version: 3.17
2024-03-19T18:22:40.995-0300	DEBUG	alpine: package repository: 3.17
2024-03-19T18:22:40.995-0300	DEBUG	alpine: the number of packages: 42
2024-03-19T18:22:41.000-0300	INFO	Number of language-specific files: 1
2024-03-19T18:22:41.000-0300	INFO	Detecting jar vulnerabilities...
2024-03-19T18:22:41.000-0300	DEBUG	Detecting library vulnerabilities, type: jar, path:
2024-03-19T18:22:41.038-0300	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Operating System

MacOS Sonoma 14.4

Version

0.48.3

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @exiett
Thanks for your report!

What package/file in this image contains CVE-2023-38646?

Which vulnerability DBs does Trivy consults to get its results from?

supported OS packages and their databases - https://aquasecurity.github.io/trivy/v0.50/docs/scanner/vulnerability/#data-sources
supported language packages and their databases - https://aquasecurity.github.io/trivy/v0.50/docs/scanner/vulnerability/#data-sources_1

Regards, Dmitriy

[DmitriyLewen]

Hello @exiett
Thanks!
We use GitHub advisory database for java packages - https://aquasecurity.github.io/trivy/v0.50/docs/scanner/vulnerability/#data-sources_1

I have no knowledge about this package/vulnerability.
Please - add Affected products for this CVE in GHSA - https://github.com/advisories/GHSA-jg32-8h6w-x7vg/improve

Regards, Dmitiry

[exiett]

Hi there @DmitriyLewen !
Tried to fill in the details of affected products - not quite sure I did it right (first time 😅). The affected package would be the metabase.jar file. If it's in version 0.46.6.1 or 1.46.6.1, then it's vulnerable to the exploit.
Thanks!

[DmitriyLewen]

GitHub is a very friendly team. They will review your changes and help you if the changes require adjustments.

[exiett]

Awesome. Here we go!
github/advisory-database#4116

[lvanbuiten]

@exiett I saw they closed your ticket, but found out there is an unreviewed advisory: GHSA-jg32-8h6w-x7vg.

[exiett]

@exiett I saw they closed your ticket, but found out there is an unreviewed advisory: GHSA-jg32-8h6w-x7vg.

It's certain they will close this one too. It even includes less information than the one we sent. Any alternatives, @DmitriyLewen ?

[DmitriyLewen]

It looks like GitHub doesn't think it's a Java package either.

I investigated a bit:

• https://github.com/metabase/metabase repo doesn't contain Java code.
• maven metabase:metabase artifact doesn't exist - https://mvnrepository.com/artifact/metabase/metabase
• Trivy finds 3 packages for metabase.jar:

  ➜  6350 trivy -d image -f json --list-all-pkgs metabase/metabase:v0.45.2 | grep metabase | grep -v metabase.jar              
  ...
          "Name": "metabase:connection-pool",
            "PURL": "pkg:maven/metabase/connection-pool@1.2.0"
          "Name": "metabase:saml20-clj",
            "PURL": "pkg:maven/metabase/saml20-clj@2.0.2"
          "Name": "metabase:throttle",
            "PURL": "pkg:maven/metabase/throttle@1.0.2"
  

  But CVE-2023-38646 doesn't contain info about these packages.

Any alternatives,

Unless GHSA (or another database for another language) contains this CVE (with package name and affected version), we cannot detect this CVE.

[exiett]

@DmitriyLewen, I've read the blogpost made by the team that found out this vulnerability in Metabase (see here).

I've concluded that this CVE is more linked to faulty application logic, which is written in Clojure, rather than a vulnerable package by itself.

Does this classify this vulnerability as undetectable by Trivy?

[DmitriyLewen]

Does this classify this vulnerability as undetectable by Trivy?

Trivy doesn't support Clojure language and can't detect Clojure packages and vulnerabilities.

[exiett]

Hey @DmitriyLewen.

I think that's the info needed to close this discussion.

How could I open a Feature Request to check Clojure lang packages in a future version of Trivy?

Even not the most popular language, Clojure is used in the biggest digital bank in Brazil, NuBank, and there are more underlying software that is open-source and in use by the community that would benefit of that upgrade.

[DmitriyLewen]

You can create new discussion for that - https://github.com/aquasecurity/trivy/discussions/new?category=ideas

[lucasaboud0]

Hello @DmitriyLewen . Does trivy able to check the hash of a jar file or even version.properties inside it and correlate this with a CVE ?