-
Notifications
You must be signed in to change notification settings - Fork 123
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #2952 from cyberark/clean_trivyignore
CNJR-2424: clean .trivyignore from issues that are no longer applicable for conjur
- Loading branch information
Showing
1 changed file
with
0 additions
and
97 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,97 +0,0 @@ | ||
# OpenSSL CVEs | ||
# | ||
# Because of the way OpenSSL 1.0.2 has moved to premium support and our Ubuntu | ||
# base image, trivy flags a number of OpenSSL issues in Conjur because the fix | ||
# for most Ubuntu users is to move to 1.1.1 instead of having the continued support | ||
# in the 1.0.2 line. Additionally, trivy flages 1.0.2zf as vulnerable to issues that | ||
# only affect 1.1.x. As of the time of this writing, we use 1.0.2zf which either | ||
# has the fix or is unaffected by these issues. | ||
CVE-2022-2097 | ||
CVE-2022-2068 | ||
CVE-2022-1292 | ||
CVE-2022-0778 | ||
CVE-2021-23841 | ||
CVE-2021-23840 | ||
CVE-2021-3712 | ||
CVE-2019-1563 | ||
CVE-2019-1551 | ||
CVE-2019-1549 | ||
CVE-2019-1547 | ||
CVE-2018-0735 | ||
CVE-2018-0734 | ||
|
||
# NULL pointer deref. OpenSSL 1.0.2 is not impacted | ||
CVE-2021-3449 | ||
|
||
# We already use a later version than the ones listed as impacted by this | ||
# CVE, so we believe this is just a scanner issue. | ||
CVE-2014-7819 | ||
|
||
# Rake vulnerability for versions < 12.3.3. The version of Rake used by Conjur | ||
# has been updated to 13.0.1. Some of the Conjur dependencies still declare a | ||
# vulnerable version of Rake in their development dependencies, but do not pose | ||
# a risk to Conjur. | ||
CVE-2020-8130 | ||
|
||
# Applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake | ||
# may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" | ||
# TLS extension. this issue was fixed in OpenSSL 1.1.1g | ||
# | ||
# In order to support fips with openssl we are required to downgrading openssl version to 1.0.2 until openssl will | ||
# support fips module in newer versions | ||
# This vulnerability this is not relevant to us as | ||
# 1. The installed version (1.0.2u) does not support 1.3 | ||
# 2. Trivy detect the usage of openssl 1.0.2 (can be reproduced with | ||
# docker run -v /var/run/docker.sock:/var/run/docker.sock | ||
# -v $(PWD):/workspace --rm aquasec/trivy -f json -o /workspace/scan_results-conjur-unfixed.json --no-progress | ||
# --ignorefile .trivyignore registry.tld/ruby-fips-base-image-phusion:1.0.0) | ||
# | ||
# Performed by @yahalomk approved by @shaharglazner | ||
CVE-2020-1967 | ||
|
||
# CVE-2020-1971 | ||
# The X.509 GeneralName type is a generic type for representing different types | ||
# of names. One of those name types is known as EDIPartyName. OpenSSL provides a | ||
# function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME | ||
# to see if they are equal or not. This function behaves incorrectly when both | ||
# GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash | ||
# may occur leading to a possible denial of service attack. | ||
# OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: | ||
# | ||
# 1) Comparing CRL distribution point names between an available CRL and a CRL | ||
# distribution point embedded in an X509 certificate. | ||
# | ||
# 2) When verifying that a timestamp response token signer matches the timestamp | ||
# authority name (exposed via the API functions TS_RESP_verify_response and | ||
# TS_RESP_verify_token) If an attacker can control both items being compared | ||
# then that attacker could trigger a crash. | ||
# | ||
# All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Fixed in OpenSSL | ||
# 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w). | ||
# | ||
# In order to support FIPS with OpenSSL we are required to use OpenSSL version | ||
# 1.0.2 until OpenSSL supports the FIPS module in newer versions. The latest | ||
# available version to us is 1.0.2u, which does not include this fix. | ||
# | ||
# We've determined that we are not impacted by this vulnerability because: | ||
# - we do not directly perform CRL checks in the Conjur or DAP software | ||
# - we do not enable automatic CRL checks in openssl tools | ||
# - we do not call any of the impacted OpenSSL APIs or any of the APIs that expose | ||
# impacted behavior. | ||
# | ||
# Performed by @micahlee, approved by @andytinkham | ||
CVE-2020-1971 | ||
|
||
# CVE-2021-3711 | ||
# The vulnerability is not affected Conjur's version of OpenSSL 1.0.2u (https://www.openssl.org/news/secadv/20210824.txt) | ||
# Conjur does not use SM2 algorithm (https://www.openssl.org/docs/manmaster/man7/SM2.html) | ||
CVE-2021-3711 | ||
|
||
# We have the fix for CVE-2023-0286 in openssl 1.0.2zg, but because OpenSSL 1.0.2 | ||
# is only available in premium support, trivy thinks we should use something in the 1.1.1 | ||
# line. We can't, due to FIPS compliance, so need to continue to ignore this issue. | ||
CVE-2023-0286 | ||
|
||
# Scanners pick up this vulnerability in OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 | ||
# however we use ruby 3+ in production so we can safely ignore it. | ||
CVE-2017-14033 | ||