Skip to content

Commit

Permalink
Merge pull request #2952 from cyberark/clean_trivyignore
Browse files Browse the repository at this point in the history
CNJR-2424: clean .trivyignore from issues that are no longer applicable for conjur
  • Loading branch information
hdabrowski authored Sep 13, 2023
2 parents 5792dc9 + cc41d70 commit cf0bb64
Showing 1 changed file with 0 additions and 97 deletions.
97 changes: 0 additions & 97 deletions .trivyignore
Original file line number Diff line number Diff line change
@@ -1,97 +0,0 @@
# OpenSSL CVEs
#
# Because of the way OpenSSL 1.0.2 has moved to premium support and our Ubuntu
# base image, trivy flags a number of OpenSSL issues in Conjur because the fix
# for most Ubuntu users is to move to 1.1.1 instead of having the continued support
# in the 1.0.2 line. Additionally, trivy flages 1.0.2zf as vulnerable to issues that
# only affect 1.1.x. As of the time of this writing, we use 1.0.2zf which either
# has the fix or is unaffected by these issues.
CVE-2022-2097
CVE-2022-2068
CVE-2022-1292
CVE-2022-0778
CVE-2021-23841
CVE-2021-23840
CVE-2021-3712
CVE-2019-1563
CVE-2019-1551
CVE-2019-1549
CVE-2019-1547
CVE-2018-0735
CVE-2018-0734

# NULL pointer deref. OpenSSL 1.0.2 is not impacted
CVE-2021-3449

# We already use a later version than the ones listed as impacted by this
# CVE, so we believe this is just a scanner issue.
CVE-2014-7819

# Rake vulnerability for versions < 12.3.3. The version of Rake used by Conjur
# has been updated to 13.0.1. Some of the Conjur dependencies still declare a
# vulnerable version of Rake in their development dependencies, but do not pose
# a risk to Conjur.
CVE-2020-8130

# Applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake
# may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert"
# TLS extension. this issue was fixed in OpenSSL 1.1.1g
#
# In order to support fips with openssl we are required to downgrading openssl version to 1.0.2 until openssl will
# support fips module in newer versions
# This vulnerability this is not relevant to us as
# 1. The installed version (1.0.2u) does not support 1.3
# 2. Trivy detect the usage of openssl 1.0.2 (can be reproduced with
# docker run -v /var/run/docker.sock:/var/run/docker.sock
# -v $(PWD):/workspace --rm aquasec/trivy -f json -o /workspace/scan_results-conjur-unfixed.json --no-progress
# --ignorefile .trivyignore registry.tld/ruby-fips-base-image-phusion:1.0.0)
#
# Performed by @yahalomk approved by @shaharglazner
CVE-2020-1967

# CVE-2020-1971
# The X.509 GeneralName type is a generic type for representing different types
# of names. One of those name types is known as EDIPartyName. OpenSSL provides a
# function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME
# to see if they are equal or not. This function behaves incorrectly when both
# GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash
# may occur leading to a possible denial of service attack.
# OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:
#
# 1) Comparing CRL distribution point names between an available CRL and a CRL
# distribution point embedded in an X509 certificate.
#
# 2) When verifying that a timestamp response token signer matches the timestamp
# authority name (exposed via the API functions TS_RESP_verify_response and
# TS_RESP_verify_token) If an attacker can control both items being compared
# then that attacker could trigger a crash.
#
# All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Fixed in OpenSSL
# 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).
#
# In order to support FIPS with OpenSSL we are required to use OpenSSL version
# 1.0.2 until OpenSSL supports the FIPS module in newer versions. The latest
# available version to us is 1.0.2u, which does not include this fix.
#
# We've determined that we are not impacted by this vulnerability because:
# - we do not directly perform CRL checks in the Conjur or DAP software
# - we do not enable automatic CRL checks in openssl tools
# - we do not call any of the impacted OpenSSL APIs or any of the APIs that expose
# impacted behavior.
#
# Performed by @micahlee, approved by @andytinkham
CVE-2020-1971

# CVE-2021-3711
# The vulnerability is not affected Conjur's version of OpenSSL 1.0.2u (https://www.openssl.org/news/secadv/20210824.txt)
# Conjur does not use SM2 algorithm (https://www.openssl.org/docs/manmaster/man7/SM2.html)
CVE-2021-3711

# We have the fix for CVE-2023-0286 in openssl 1.0.2zg, but because OpenSSL 1.0.2
# is only available in premium support, trivy thinks we should use something in the 1.1.1
# line. We can't, due to FIPS compliance, so need to continue to ignore this issue.
CVE-2023-0286

# Scanners pick up this vulnerability in OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1
# however we use ruby 3+ in production so we can safely ignore it.
CVE-2017-14033

0 comments on commit cf0bb64

Please sign in to comment.